Merge pull request #2975 from Infisical/daniel/custom-cors

feat(api): custom cors settings

.github/workflows/check-fe-ts-and-lint.yml

@@ -18,18 +18,18 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 20
         uses: actions/setup-node@v3
         with:
-          node-version: "16"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: frontend/package-lock.json
       - name: 📦 Install dependencies
         run: npm install
         working-directory: frontend
       - name: 🏗️ Run Type check
-        run: npm run type:check 
+        run: npm run type:check
         working-directory: frontend
       - name: 🏗️ Run Link check
-        run: npm run lint:fix 
+        run: npm run lint:fix
         working-directory: frontend

.github/workflows/deployment-pipeline.yml

@@ -97,7 +97,7 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-gamma-stage
@@ -153,7 +153,7 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-platform
@@ -204,7 +204,7 @@ jobs:
             image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
             environment-variables: "LOG_LEVEL=info"
         - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
           with:
             task-definition: ${{ steps.render-web-container.outputs.task-definition }}
             service: infisical-core-platform

Dockerfile.fips.standalone-infisical

@@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -23,17 +23,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -44,20 +43,10 @@ WORKDIR /app
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
 USER non-root-user
 
-ENV NEXT_TELEMETRY_DISABLED 1
-
 ##
 ## BACKEND
 ##
@@ -137,7 +126,7 @@ RUN apt-get update && apt-get install -y \
     freetds-dev \
     freetds-bin \
     tdsodbc \
-    openssh \
+    openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC in production
@@ -160,14 +149,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 WORKDIR / 
 
@@ -192,4 +178,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat
 
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -27,17 +27,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -49,20 +48,10 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user
 
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
 USER non-root-user
 
-ENV NEXT_TELEMETRY_DISABLED 1
-
 ##
 ## BACKEND
 ##
@@ -159,14 +148,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 
 COPY --from=backend-runner /app /backend
@@ -189,4 +175,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

backend/package-lock.json

@@ -26,6 +26,7 @@
         "@fastify/rate-limit": "^9.0.0",
         "@fastify/request-context": "^5.1.0",
         "@fastify/session": "^10.7.0",
+        "@fastify/static": "^7.0.4",
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@google-cloud/kms": "^4.5.0",
@@ -5406,6 +5407,7 @@
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/@fastify/accept-negotiator/-/accept-negotiator-1.1.0.tgz",
       "integrity": "sha512-OIHZrb2ImZ7XG85HXOONLcJWGosv7sIvM2ifAPQVhg9Lv7qdmMBNVaai4QTdyuaqbKM5eO6sLSQOYI7wEQeCJQ==",
+      "license": "MIT",
       "engines": {
         "node": ">=14"
       }
@@ -5545,6 +5547,7 @@
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/@fastify/send/-/send-2.1.0.tgz",
       "integrity": "sha512-yNYiY6sDkexoJR0D8IDy3aRP3+L4wdqCpvx5WP+VtEU58sn7USmKynBzDQex5X42Zzvw2gNzzYgP90UfWShLFA==",
+      "license": "MIT",
       "dependencies": {
         "@lukeed/ms": "^2.0.1",
         "escape-html": "~1.0.3",
@@ -5563,16 +5566,85 @@
       }
     },
     "node_modules/@fastify/static": {
-      "version": "6.12.0",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
-      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-7.0.4.tgz",
+      "integrity": "sha512-p2uKtaf8BMOZWLs6wu+Ihg7bWNBdjNgCwDza4MJtTqg+5ovKmcbgbR9Xs5/smZ1YISfzKOCNYmZV8LaCj+eJ1Q==",
+      "license": "MIT",
       "dependencies": {
         "@fastify/accept-negotiator": "^1.0.0",
         "@fastify/send": "^2.0.0",
         "content-disposition": "^0.5.3",
         "fastify-plugin": "^4.0.0",
-        "glob": "^8.0.1",
-        "p-limit": "^3.1.0"
+        "fastq": "^1.17.0",
+        "glob": "^10.3.4"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/brace-expansion": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/glob": {
+      "version": "10.4.5",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
+      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
+      "license": "ISC",
+      "dependencies": {
+        "foreground-child": "^3.1.0",
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "package-json-from-dist": "^1.0.0",
+        "path-scurry": "^1.11.1"
+      },
+      "bin": {
+        "glob": "dist/esm/bin.mjs"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/jackspeak": {
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
+      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "@isaacs/cliui": "^8.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      },
+      "optionalDependencies": {
+        "@pkgjs/parseargs": "^0.11.0"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/minimatch": {
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/minipass": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
       }
     },
     "node_modules/@fastify/swagger": {
@@ -5599,6 +5671,20 @@
         "yaml": "^2.2.2"
       }
     },
+    "node_modules/@fastify/swagger-ui/node_modules/@fastify/static": {
+      "version": "6.12.0",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
+      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@fastify/accept-negotiator": "^1.0.0",
+        "@fastify/send": "^2.0.0",
+        "content-disposition": "^0.5.3",
+        "fastify-plugin": "^4.0.0",
+        "glob": "^8.0.1",
+        "p-limit": "^3.1.0"
+      }
+    },
     "node_modules/@google-cloud/kms": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@@ -6062,9 +6148,10 @@
       "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
     },
     "node_modules/@lukeed/ms": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
-      "integrity": "sha512-Xs/4RZltsAL7pkvaNStUQt7netTkyxrS0K+RILcVr3TRMS/ToOg4I6uNfhB9SlGsnWBym4U+EaXq0f0cEMNkHA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
+      "integrity": "sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==",
+      "license": "MIT",
       "engines": {
         "node": ">=8"
       }
@@ -13879,9 +13966,9 @@
       }
     },
     "node_modules/express": {
-      "version": "4.21.1",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
-      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
+      "version": "4.21.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
+      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
       "license": "MIT",
       "dependencies": {
         "accepts": "~1.3.8",
@@ -13903,7 +13990,7 @@
         "methods": "~1.1.2",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.10",
+        "path-to-regexp": "0.1.12",
         "proxy-addr": "~2.0.7",
         "qs": "6.13.0",
         "range-parser": "~1.2.1",
@@ -13918,6 +14005,10 @@
       },
       "engines": {
         "node": ">= 0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/express-session": {
@@ -17388,15 +17479,16 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.7",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
-      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
+      "version": "3.3.8",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
+      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
       "funding": [
         {
           "type": "github",
           "url": "https://github.com/sponsors/ai"
         }
       ],
+      "license": "MIT",
       "bin": {
         "nanoid": "bin/nanoid.cjs"
       },
@@ -18383,9 +18475,9 @@
       "license": "ISC"
     },
     "node_modules/path-to-regexp": {
-      "version": "0.1.10",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
-      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
+      "version": "0.1.12",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
+      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
       "license": "MIT"
     },
     "node_modules/path-type": {

backend/package.json

@@ -134,6 +134,7 @@
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/request-context": "^5.1.0",
     "@fastify/session": "^10.7.0",
+    "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",

backend/src/@types/knex.d.ts

@@ -218,6 +218,9 @@ import {
   TRateLimit,
   TRateLimitInsert,
   TRateLimitUpdate,
+  TResourceMetadata,
+  TResourceMetadataInsert,
+  TResourceMetadataUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -887,6 +890,11 @@ declare module "knex/types/tables" {
       TProjectSplitBackfillIdsInsert,
       TProjectSplitBackfillIdsUpdate
     >;
+    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
+      TResourceMetadata,
+      TResourceMetadataInsert,
+      TResourceMetadataUpdate
+    >;
     [TableName.AppConnection]: KnexOriginal.CompositeTableType<
       TAppConnections,
       TAppConnectionsInsert,

backend/src/db/migrations/20241218165837_resource-metadata.ts

@@ -0,0 +1,40 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
+    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("key").notNullable();
+      tb.string("value", 1020).notNullable();
+      tb.uuid("orgId").notNullable();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      tb.uuid("userId");
+      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      tb.uuid("identityId");
+      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      tb.uuid("secretId");
+      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      tb.timestamps(true, true, true);
+    });
+  }
+
+  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
+  if (!hasSecretMetadataField) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      t.jsonb("secretMetadata");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
+
+  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
+  if (hasSecretMetadataField) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      t.dropColumn("secretMetadata");
+    });
+  }
+}

backend/src/db/schemas/index.ts

@@ -71,6 +71,7 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
+export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";

backend/src/db/schemas/models.ts

@@ -80,6 +80,7 @@ export enum TableName {
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
+  ResourceMetadata = "resource_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",

backend/src/db/schemas/resource-metadata.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ResourceMetadataSchema = z.object({
+  id: z.string().uuid(),
+  key: z.string(),
+  value: z.string(),
+  orgId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional(),
+  identityId: z.string().uuid().nullable().optional(),
+  secretId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
+export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
+export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-requests-secrets-v2.ts

@@ -24,7 +24,8 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
   requestId: z.string().uuid(),
   op: z.string(),
   secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional(),
+  secretMetadata: z.unknown().nullable().optional()
 });
 
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;

backend/src/ee/routes/v1/index.ts

@@ -22,6 +22,7 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
+import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@@ -92,6 +93,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
+  await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });

backend/src/ee/routes/v1/saml-router.ts

@@ -84,7 +84,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                 samlConfig.audience = `spn:${ssoConfig.issuer}`;
               }
             }
-            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
+            if (
+              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
+              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
+            ) {
               samlConfig.wantAssertionsSigned = false;
             }
 
@@ -123,7 +126,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               `email: ${email} firstName: ${profile.firstName as string}`
             );
 
-            throw new Error("Invalid saml request. Missing email or first name");
+            throw new BadRequestError({
+              message:
+                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
+            });
           }
 
           const userMetadata = Object.keys(profile.attributes || {})

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -12,6 +12,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
   UsersSchema.pick({
@@ -274,6 +275,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .extend({
                   op: z.string(),
                   tags: tagSchema,
+                  secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
                       id: z.string(),
@@ -291,7 +293,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: tagSchema
+                      tags: tagSchema,
+                      secretMetadata: ResourceMetadataSchema.nullish()
                     })
                     .optional()
                 })

backend/src/ee/routes/v1/secret-router.ts

@@ -0,0 +1,71 @@
+import z from "zod";
+
+import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
+import { RAW_SECRETS } from "@app/lib/api-docs";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const AccessListEntrySchema = z
+  .object({
+    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
+    id: z.string(),
+    membershipId: z.string(),
+    name: z.string()
+  })
+  .array();
+
+export const registerSecretRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:secretName/access-list",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get list of users, machine identities, and groups with access to a secret",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
+      }),
+      querystring: z.object({
+        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
+      }),
+      response: {
+        200: z.object({
+          groups: AccessListEntrySchema,
+          identities: AccessListEntrySchema,
+          users: AccessListEntrySchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { secretName } = req.params;
+      const { secretPath, environment, workspaceId: projectId } = req.query;
+
+      return server.services.secret.getSecretAccessList({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        secretPath,
+        environment,
+        projectId,
+        secretName
+      });
+    }
+  });
+};

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -213,7 +213,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
 
       await triggerSlackNotification({
         projectId: project.id,

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -100,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
       // Filter by date range
       if (startDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
       }
       if (endDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
       }
 
       // we timeout long running queries to prevent DB resource issues (2 minutes)

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -31,7 +31,7 @@ export type TListProjectAuditLogDTO = {
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -229,7 +229,10 @@ export enum EventType {
   GET_APP_CONNECTION = "get-app-connection",
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection"
+  DELETE_APP_CONNECTION = "delete-app-connection",
+  CREATE_SHARED_SECRET = "create-shared-secret",
+  DELETE_SHARED_SECRET = "delete-shared-secret",
+  READ_SHARED_SECRET = "read-shared-secret"
 }
 
 interface UserActorMetadata {
@@ -252,6 +255,8 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
+interface UnknownUserActorMetadata {}
+
 export interface UserActor {
   type: ActorType.USER;
   metadata: UserActorMetadata;
@@ -267,6 +272,11 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
+export interface UnknownUserActor {
+  type: ActorType.UNKNOWN_USER;
+  metadata: UnknownUserActorMetadata;
+}
+
 export interface IdentityActor {
   type: ActorType.IDENTITY;
   metadata: IdentityActorMetadata;
@@ -1907,6 +1917,35 @@ interface DeleteAppConnectionEvent {
   };
 }
 
+interface CreateSharedSecretEvent {
+  type: EventType.CREATE_SHARED_SECRET;
+  metadata: {
+    id: string;
+    accessType: string;
+    name?: string;
+    expiresAfterViews?: number;
+    usingPassword: boolean;
+    expiresAt: string;
+  };
+}
+
+interface DeleteSharedSecretEvent {
+  type: EventType.DELETE_SHARED_SECRET;
+  metadata: {
+    id: string;
+    name?: string;
+  };
+}
+
+interface ReadSharedSecretEvent {
+  type: EventType.READ_SHARED_SECRET;
+  metadata: {
+    id: string;
+    name?: string;
+    accessType: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2083,4 +2122,7 @@ export type Event =
   | GetAppConnectionEvent
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent;
+  | DeleteAppConnectionEvent
+  | CreateSharedSecretEvent
+  | DeleteSharedSecretEvent
+  | ReadSharedSecretEvent;

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -34,6 +34,8 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
+    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
+
     const db = knex({
       client: providerInputs.client,
       connection: {
@@ -43,7 +45,16 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 }
+        pool: { min: 0, max: 1 },
+        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
+        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
+        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
+        options: isMsSQLClient
+          ? {
+              trustServerCertificate: !providerInputs.ca,
+              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
+            }
+          : undefined
       },
       acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -1,7 +1,9 @@
+import { KMSServiceException } from "@aws-sdk/client-kms";
+import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -71,7 +73,16 @@ export const externalKmsServiceFactory = ({
     switch (provider.type) {
       case KmsProviders.Aws:
         {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
+            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
+              throw new InternalServerError({
+                message: error.message ? `AWS error: ${error.message}` : ""
+              });
+            }
+
+            throw error;
+          });
+
           // if missing kms key this generate a new kms key id and returns new provider input
           const newProviderInput = await externalKms.generateInputKmsKey();
           sanitizedProviderInput = JSON.stringify(newProviderInput);

backend/src/ee/services/license/license-fns.ts

@@ -24,6 +24,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   rbac: false,
   customRateLimits: false,
   customAlerts: false,
+  secretAccessInsights: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
   auditLogStreams: false,

backend/src/ee/services/license/license-service.ts

@@ -246,8 +246,7 @@ export const licenseServiceFactory = ({
   };
 
   const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     const plan = await getPlan(orgId, projectId);
     return plan;
   };

backend/src/ee/services/license/license-types.ts

@@ -48,6 +48,7 @@ export type TFeatureSet = {
   samlSSO: false;
   hsm: false;
   oidcSSO: false;
+  secretAccessInsights: false;
   scim: false;
   ldap: false;
   groups: false;

backend/src/ee/services/permission/permission-dal.ts

@@ -125,6 +125,404 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getProjectGroupPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.GroupProjectMembership)
+        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
+        .join(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `groupCustomRoles.id`
+        )
+        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
+        .select(
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
+        );
+
+      const groupPermissions = sqlNestRelationships({
+        data: docs,
+        key: "groupId",
+        parentMapper: ({ groupId, groupName, membershipId }) => ({
+          groupId,
+          username: groupName,
+          id: membershipId
+        }),
+        childrenMapper: [
+          {
+            key: "groupProjectMembershipRoleId",
+            label: "groupRoles" as const,
+            mapper: ({
+              groupProjectMembershipRoleId,
+              groupProjectMembershipRole,
+              groupProjectMembershipRolePermission,
+              groupProjectMembershipRoleCustomRoleSlug,
+              groupProjectMembershipRoleIsTemporary,
+              groupProjectMembershipRoleTemporaryMode,
+              groupProjectMembershipRoleTemporaryAccessEndTime,
+              groupProjectMembershipRoleTemporaryAccessStartTime,
+              groupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: groupProjectMembershipRoleId,
+              role: groupProjectMembershipRole,
+              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
+              permissions: groupProjectMembershipRolePermission,
+              temporaryRange: groupProjectMembershipRoleTemporaryRange,
+              temporaryMode: groupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: groupProjectMembershipRoleIsTemporary
+            })
+          }
+        ]
+      });
+
+      return groupPermissions
+        .map((groupPermission) => {
+          if (!groupPermission) return undefined;
+
+          const activeGroupRoles =
+            groupPermission?.groupRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          return {
+            ...groupPermission,
+            roles: activeGroupRoles
+          };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
+    }
+  };
+
+  const getProjectUserPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.Users)
+        .where("isGhost", "=", false)
+        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
+          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
+        })
+        .leftJoin(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `groupCustomRoles.id`
+        )
+        .join(TableName.ProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
+        })
+        .leftJoin(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
+        })
+        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
+        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
+            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .select(
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("username").withSchema(TableName.Users).as("username"),
+          // groups specific
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
+          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
+          // user specific
+          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
+          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
+          db
+            .ref("permissions")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryRange"),
+          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
+          // general
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("type").withSchema(TableName.Project).as("projectType"),
+          db.ref("id").withSchema(TableName.Project).as("projectId")
+        );
+
+      const userPermissions = sqlNestRelationships({
+        data: docs,
+        key: "userId",
+        parentMapper: ({
+          orgId,
+          username,
+          orgAuthEnforced,
+          membershipId,
+          groupMembershipId,
+          membershipCreatedAt,
+          groupMembershipCreatedAt,
+          groupMembershipUpdatedAt,
+          membershipUpdatedAt,
+          projectType,
+          userId
+        }) => ({
+          orgId,
+          orgAuthEnforced,
+          userId,
+          projectId,
+          username,
+          projectType,
+          id: membershipId || groupMembershipId,
+          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
+        }),
+        childrenMapper: [
+          {
+            key: "userGroupProjectMembershipRoleId",
+            label: "userGroupRoles" as const,
+            mapper: ({
+              userGroupProjectMembershipRoleId,
+              userGroupProjectMembershipRole,
+              userGroupProjectMembershipRolePermission,
+              userGroupProjectMembershipRoleCustomRoleSlug,
+              userGroupProjectMembershipRoleIsTemporary,
+              userGroupProjectMembershipRoleTemporaryMode,
+              userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              userGroupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: userGroupProjectMembershipRoleId,
+              role: userGroupProjectMembershipRole,
+              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
+              permissions: userGroupProjectMembershipRolePermission,
+              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
+              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userGroupProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userProjectMembershipRoleId",
+            label: "projectMembershipRoles" as const,
+            mapper: ({
+              userProjectMembershipRoleId,
+              userProjectMembershipRole,
+              userProjectCustomRolePermission,
+              userProjectMembershipRoleIsTemporary,
+              userProjectMembershipRoleTemporaryMode,
+              userProjectMembershipRoleTemporaryRange,
+              userProjectMembershipRoleTemporaryAccessEndTime,
+              userProjectMembershipRoleTemporaryAccessStartTime,
+              userProjectMembershipRoleCustomRoleSlug
+            }) => ({
+              id: userProjectMembershipRoleId,
+              role: userProjectMembershipRole,
+              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
+              permissions: userProjectCustomRolePermission,
+              temporaryRange: userProjectMembershipRoleTemporaryRange,
+              temporaryMode: userProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userAdditionalPrivilegesId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              userAdditionalPrivilegesId,
+              userAdditionalPrivilegesPermissions,
+              userAdditionalPrivilegesIsTemporary,
+              userAdditionalPrivilegesTemporaryMode,
+              userAdditionalPrivilegesTemporaryRange,
+              userAdditionalPrivilegesTemporaryAccessEndTime,
+              userAdditionalPrivilegesTemporaryAccessStartTime
+            }) => ({
+              id: userAdditionalPrivilegesId,
+              permissions: userAdditionalPrivilegesPermissions,
+              temporaryRange: userAdditionalPrivilegesTemporaryRange,
+              temporaryMode: userAdditionalPrivilegesTemporaryMode,
+              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
+              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
+              isTemporary: userAdditionalPrivilegesIsTemporary
+            })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
+
+      return userPermissions
+        .map((userPermission) => {
+          if (!userPermission) return undefined;
+          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
+
+          // when introducting cron mode change it here
+          const activeRoles =
+            userPermission?.projectMembershipRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          const activeGroupRoles =
+            userPermission?.userGroupRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          const activeAdditionalPrivileges =
+            userPermission?.additionalPrivileges?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          return {
+            ...userPermission,
+            roles: [...activeRoles, ...activeGroupRoles],
+            additionalPrivileges: activeAdditionalPrivileges
+          };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
+    }
+  };
+
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
       const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@@ -414,6 +812,163 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getProjectIdentityPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.IdentityProjectMembership)
+        .join(
+          TableName.IdentityProjectMembershipRole,
+          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
+        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .leftJoin(
+          TableName.IdentityProjectAdditionalPrivilege,
+          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
+        .join(
+          // Join the Project table to later select orgId
+          TableName.Project,
+          `${TableName.IdentityProjectMembership}.projectId`,
+          `${TableName.Project}.id`
+        )
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
+            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
+        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
+        .select(
+          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("id").withSchema(TableName.Identity).as("identityId"),
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
+          db.ref("type").withSchema(TableName.Project).as("projectType"),
+          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles),
+          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
+          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryMode"),
+          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
+        );
+
+      const permissions = sqlNestRelationships({
+        data: docs,
+        key: "identityId",
+        parentMapper: ({
+          membershipId,
+          membershipCreatedAt,
+          membershipUpdatedAt,
+          orgId,
+          identityName,
+          projectType,
+          identityId
+        }) => ({
+          id: membershipId,
+          identityId,
+          username: identityName,
+          projectId,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt,
+          orgId,
+          projectType,
+          // just a prefilled value
+          orgAuthEnforced: false
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              IdentityProjectMembershipRoleSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          },
+          {
+            key: "identityApId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              identityApId,
+              identityApPermissions,
+              identityApIsTemporary,
+              identityApTemporaryMode,
+              identityApTemporaryRange,
+              identityApTemporaryAccessEndTime,
+              identityApTemporaryAccessStartTime
+            }) => ({
+              id: identityApId,
+              permissions: identityApPermissions,
+              temporaryRange: identityApTemporaryRange,
+              temporaryMode: identityApTemporaryMode,
+              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
+              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
+              isTemporary: identityApIsTemporary
+            })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
+
+      return permissions
+        .map((permission) => {
+          if (!permission) {
+            return undefined;
+          }
+
+          // when introducting cron mode change it here
+          const activeRoles = permission?.roles.filter(
+            ({ isTemporary, temporaryAccessEndTime }) =>
+              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+          );
+          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
+            ({ isTemporary, temporaryAccessEndTime }) =>
+              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+          );
+
+          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
+    }
+  };
+
   const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
     try {
       const docs = await db
@@ -568,6 +1123,9 @@ export const permissionDALFactory = (db: TDbClient) => {
     getOrgPermission,
     getOrgIdentityPermission,
     getProjectPermission,
-    getProjectIdentityPermission
+    getProjectIdentityPermission,
+    getProjectUserPermissions,
+    getProjectIdentityPermissions,
+    getProjectGroupPermissions
   };
 };

backend/src/ee/services/permission/permission-service.ts

@@ -405,6 +405,123 @@ export const permissionServiceFactory = ({
         ForbidOnInvalidProjectType: (type: ProjectType) => void;
       };
 
+  const getProjectPermissions = async (projectId: string) => {
+    // fetch user permissions
+    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
+    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
+      const rolePermissions =
+        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const additionalPrivileges =
+        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+          role: ProjectMembershipRole.Custom,
+          permissions
+        })) || [];
+
+      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+        objectify(
+          userProjectPermission.metadata,
+          (i) => i.key,
+          (i) => i.value
+        )
+      );
+      const interpolateRules = templatedRules(
+        {
+          identity: {
+            id: userProjectPermission.userId,
+            username: userProjectPermission.username,
+            metadata: metadataKeyValuePair
+          }
+        },
+        { data: false }
+      );
+      const permission = createMongoAbility<ProjectPermissionSet>(
+        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+        {
+          conditionsMatcher
+        }
+      );
+
+      return {
+        permission,
+        id: userProjectPermission.userId,
+        name: userProjectPermission.username,
+        membershipId: userProjectPermission.id
+      };
+    });
+
+    // fetch identity permissions
+    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
+    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
+      const rolePermissions =
+        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const additionalPrivileges =
+        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+          role: ProjectMembershipRole.Custom,
+          permissions
+        })) || [];
+
+      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+        objectify(
+          identityProjectPermission.metadata,
+          (i) => i.key,
+          (i) => i.value
+        )
+      );
+
+      const interpolateRules = templatedRules(
+        {
+          identity: {
+            id: identityProjectPermission.identityId,
+            username: identityProjectPermission.username,
+            metadata: metadataKeyValuePair
+          }
+        },
+        { data: false }
+      );
+      const permission = createMongoAbility<ProjectPermissionSet>(
+        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+        {
+          conditionsMatcher
+        }
+      );
+
+      return {
+        permission,
+        id: identityProjectPermission.identityId,
+        name: identityProjectPermission.username,
+        membershipId: identityProjectPermission.id
+      };
+    });
+
+    // fetch group permissions
+    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
+    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
+      const rolePermissions =
+        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const rules = buildProjectPermissionRules(rolePermissions);
+      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
+        conditionsMatcher
+      });
+
+      return {
+        permission,
+        id: groupProjectPermission.groupId,
+        name: groupProjectPermission.username,
+        membershipId: groupProjectPermission.id
+      };
+    });
+
+    return {
+      userPermissions,
+      identityPermissions,
+      groupPermissions
+    };
+  };
+
   const getProjectPermission = async <T extends ActorType>(
     type: T,
     id: string,
@@ -455,6 +572,7 @@ export const permissionServiceFactory = ({
     getOrgPermission,
     getUserProjectPermission,
     getProjectPermission,
+    getProjectPermissions,
     getOrgPermissionByRole,
     getProjectPermissionByRole,
     buildOrgPermission,

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -6,7 +6,8 @@ export enum SamlProviders {
   AZURE_SAML = "azure-saml",
   JUMPCLOUD_SAML = "jumpcloud-saml",
   GOOGLE_SAML = "google-saml",
-  KEYCLOAK_SAML = "keycloak-saml"
+  KEYCLOAK_SAML = "keycloak-saml",
+  AUTH0_SAML = "auth0-saml"
 }
 
 export type TCreateSamlCfgDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -256,6 +256,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
           db.ref("id").withSchema("secVerTag")
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
         .select({
           secVerTagId: "secVerTag.id",
@@ -279,6 +280,11 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
           db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
           db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
+        )
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
         );
       const formatedDoc = sqlNestRelationships({
         data: doc,
@@ -338,9 +344,19 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
                 })
               }
             ]
+          },
+          {
+            key: "metadataId",
+            label: "oldSecretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
+
       return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
         ...el,
         secret: secret?.[0],

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -22,6 +22,8 @@ import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
   decryptSecretWithBot,
@@ -91,6 +93,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   smtpService: Pick<TSmtpService, "sendMail">;
   userDAL: Pick<TUserDALFactory, "find" | "findOne" | "findById">;
@@ -138,7 +141,8 @@ export const secretApprovalRequestServiceFactory = ({
   secretVersionV2BridgeDAL,
   secretVersionTagV2BridgeDAL,
   licenseService,
-  projectSlackConfigDAL
+  projectSlackConfigDAL,
+  resourceMetadataDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -241,6 +245,7 @@ export const secretApprovalRequestServiceFactory = ({
         secretKey: el.key,
         id: el.id,
         version: el.version,
+        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         secretValue: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
         secretComment: el.encryptedComment
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
@@ -269,7 +274,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretComment: el.secretVersion.encryptedComment
                 ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
                 : "",
-              tags: el.secretVersion.tags
+              tags: el.secretVersion.tags,
+              secretMetadata: el.oldSecretMetadata as ResourceMetadataDTO
             }
           : undefined
       }));
@@ -543,6 +549,7 @@ export const secretApprovalRequestServiceFactory = ({
           ? await fnSecretV2BridgeBulkInsert({
               tx,
               folderId,
+              orgId: actorOrgId,
               inputSecrets: secretCreationCommits.map((el) => ({
                 tagIds: el?.tags.map(({ id }) => id),
                 version: 1,
@@ -550,6 +557,7 @@ export const secretApprovalRequestServiceFactory = ({
                 encryptedValue: el.encryptedValue,
                 skipMultilineEncoding: el.skipMultilineEncoding,
                 key: el.key,
+                secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                 references: el.encryptedValue
                   ? getAllSecretReferencesV2Bridge(
                       secretManagerDecryptor({
@@ -559,6 +567,7 @@ export const secretApprovalRequestServiceFactory = ({
                   : [],
                 type: SecretType.Shared
               })),
+              resourceMetadataDAL,
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
@@ -568,6 +577,7 @@ export const secretApprovalRequestServiceFactory = ({
         const updatedSecrets = secretUpdationCommits.length
           ? await fnSecretV2BridgeBulkUpdate({
               folderId,
+              orgId: actorOrgId,
               tx,
               inputSecrets: secretUpdationCommits.map((el) => {
                 const encryptedValue =
@@ -592,6 +602,7 @@ export const secretApprovalRequestServiceFactory = ({
                     skipMultilineEncoding: el.skipMultilineEncoding,
                     key: el.key,
                     tags: el?.tags.map(({ id }) => id),
+                    secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                     ...encryptedValue
                   }
                 };
@@ -599,7 +610,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+              resourceMetadataDAL
             })
           : [];
         const deletedSecret = secretDeletionCommits.length
@@ -824,6 +836,7 @@ export const secretApprovalRequestServiceFactory = ({
     }
     await secretQueueService.syncSecrets({
       projectId,
+      orgId: actorOrgId,
       secretPath: folder.path,
       environmentSlug: folder.environmentSlug,
       actorId,
@@ -852,7 +865,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
@@ -1208,6 +1221,7 @@ export const secretApprovalRequestServiceFactory = ({
           ),
           skipMultilineEncoding: createdSecret.skipMultilineEncoding,
           key: createdSecret.secretKey,
+          secretMetadata: createdSecret.secretMetadata,
           type: SecretType.Shared
         }))
       );
@@ -1263,12 +1277,14 @@ export const secretApprovalRequestServiceFactory = ({
             reminderNote,
             secretComment,
             metadata,
-            skipMultilineEncoding
+            skipMultilineEncoding,
+            secretMetadata
           }) => {
             const secretId = updatingSecretsGroupByKey[secretKey][0].id;
             if (tagIds?.length) commitTagIds[secretKey] = tagIds;
             return {
               ...latestSecretVersions[secretId],
+              secretMetadata,
               key: newSecretName || secretKey,
               encryptedComment: setKnexStringValue(
                 secretComment,
@@ -1370,7 +1386,8 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             encryptedValue,
             secretId,
-            secretVersion
+            secretVersion,
+            secretMetadata
           }) => ({
             version,
             requestId: doc.id,
@@ -1383,7 +1400,8 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             reminderNote,
             encryptedComment,
-            key
+            key,
+            secretMetadata: JSON.stringify(secretMetadata)
           })
         ),
         tx

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -1,5 +1,6 @@
 import { TImmutableDBKeys, TSecretApprovalPolicies, TSecretApprovalRequestsSecrets } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations } from "@app/services/secret/secret-types";
 
 export enum RequestState {
@@ -34,6 +35,7 @@ export type TApprovalCreateSecretV2Bridge = {
   reminderRepeatDays?: number | null;
   skipMultilineEncoding?: boolean;
   metadata?: Record<string, string>;
+  secretMetadata?: ResourceMetadataDTO;
   tagIds?: string[];
 };
 

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -13,6 +13,8 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
+import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/secret-queue";
@@ -56,6 +58,7 @@ type TSecretReplicationServiceFactoryDep = {
   >;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
   secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
   queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
   secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
@@ -121,7 +124,8 @@ export const secretReplicationServiceFactory = ({
   secretVersionV2TagBridgeDAL,
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
-  kmsService
+  kmsService,
+  resourceMetadataDAL
 }: TSecretReplicationServiceFactoryDep) => {
   const $getReplicatedSecrets = (
     botKey: string,
@@ -151,8 +155,10 @@ export const secretReplicationServiceFactory = ({
   };
 
   const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
-    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
+    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[],
+    importedSecrets: {
+      secrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[];
+    }[]
   ) => {
     const deDupe = new Set<string>();
     const secrets = [...localSecrets];
@@ -178,6 +184,7 @@ export const secretReplicationServiceFactory = ({
       secretPath,
       environmentSlug,
       projectId,
+      orgId,
       actorId,
       actor,
       pickOnlyImportIds,
@@ -222,6 +229,7 @@ export const secretReplicationServiceFactory = ({
           .map(({ folderId }) =>
             secretQueueService.replicateSecrets({
               projectId,
+              orgId,
               secretPath: foldersGroupedById[folderId][0]?.path as string,
               environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
               actorId,
@@ -267,6 +275,7 @@ export const secretReplicationServiceFactory = ({
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
           : undefined
       }));
+
       const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
       const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);
 
@@ -333,13 +342,29 @@ export const secretReplicationServiceFactory = ({
               .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create
 
             const locallyUpdatedSecrets = sourceSecrets
-              .filter(
-                ({ key, secretKey, secretValue }) =>
+              .filter(({ key, secretKey, secretValue, secretMetadata }) => {
+                const sourceSecretMetadataJson = JSON.stringify(
+                  (secretMetadata ?? []).map((entry) => ({
+                    key: entry.key,
+                    value: entry.value
+                  }))
+                );
+
+                const destinationSecretMetadataJson = JSON.stringify(
+                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretMetadata ?? []).map((entry) => ({
+                    key: entry.key,
+                    value: entry.value
+                  }))
+                );
+
+                return (
                   destinationLocalSecretsGroupedByKey[key]?.[0] &&
                   // if key or value changed
                   (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
-              )
+                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue ||
+                    sourceSecretMetadataJson !== destinationSecretMetadataJson)
+                );
+              })
               .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create
 
             const locallyDeletedSecrets = destinationLocalSecrets
@@ -387,6 +412,7 @@ export const secretReplicationServiceFactory = ({
                       op: operation,
                       requestId: approvalRequestDoc.id,
                       metadata: doc.metadata,
+                      secretMetadata: JSON.stringify(doc.secretMetadata),
                       key: doc.key,
                       encryptedValue: doc.encryptedValue,
                       encryptedComment: doc.encryptedComment,
@@ -406,10 +432,12 @@ export const secretReplicationServiceFactory = ({
                 if (locallyCreatedSecrets.length) {
                   await fnSecretV2BridgeBulkInsert({
                     folderId: destinationReplicationFolderId,
+                    orgId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
                     secretTagDAL,
+                    resourceMetadataDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyCreatedSecrets.map((doc) => {
                       return {
@@ -419,6 +447,7 @@ export const secretReplicationServiceFactory = ({
                         encryptedValue: doc.encryptedValue,
                         encryptedComment: doc.encryptedComment,
                         skipMultilineEncoding: doc.skipMultilineEncoding,
+                        secretMetadata: doc.secretMetadata,
                         references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                       };
                     })
@@ -426,10 +455,12 @@ export const secretReplicationServiceFactory = ({
                 }
                 if (locallyUpdatedSecrets.length) {
                   await fnSecretV2BridgeBulkUpdate({
+                    orgId,
                     folderId: destinationReplicationFolderId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
+                    resourceMetadataDAL,
                     secretTagDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyUpdatedSecrets.map((doc) => {
@@ -445,6 +476,7 @@ export const secretReplicationServiceFactory = ({
                           encryptedValue: doc.encryptedValue as Buffer,
                           encryptedComment: doc.encryptedComment,
                           skipMultilineEncoding: doc.skipMultilineEncoding,
+                          secretMetadata: doc.secretMetadata,
                           references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                         }
                       };
@@ -466,6 +498,7 @@ export const secretReplicationServiceFactory = ({
 
               await secretQueueService.syncSecrets({
                 projectId,
+                orgId,
                 secretPath: destinationFolder.path,
                 environmentSlug: destinationFolder.environmentSlug,
                 actorId,
@@ -751,6 +784,7 @@ export const secretReplicationServiceFactory = ({
 
             await secretQueueService.syncSecrets({
               projectId,
+              orgId,
               secretPath: destinationFolder.path,
               environmentSlug: destinationFolder.environmentSlug,
               actorId,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -180,6 +180,8 @@ export const secretRotationQueueFactory = ({
           provider.template.client === TDbProviderClients.MsSqlServer
             ? ({
                 encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
+                // when ca is provided use that
+                trustServerCertificate: !ca,
                 cryptoCredentialsDetails: ca ? { ca } : {}
               } as Record<string, unknown>)
             : undefined;

backend/src/lib/api-docs/constants.ts

@@ -741,6 +741,12 @@ export const RAW_SECRETS = {
     workspaceId: "The ID of the project where the secret is located.",
     environment: "The slug of the environment where the the secret is located.",
     secretPath: "The folder path where the secret is located."
+  },
+  GET_ACCESS_LIST: {
+    secretName: "The name of the secret to get the access list for.",
+    workspaceId: "The ID of the project where the secret is located.",
+    environment: "The slug of the environment where the the secret is located.",
+    secretPath: "The folder path where the secret is located."
   }
 } as const;
 
@@ -1150,7 +1156,8 @@ export const INTEGRATION = {
       shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
       shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
       shouldEnableDelete: "The flag to enable deletion of secrets.",
-      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy.",
+      metadataSyncMode: "The mode for syncing metadata to external system"
     }
   },
   UPDATE: {

backend/src/lib/config/env.ts

@@ -157,6 +157,8 @@ const envSchema = z
     INFISICAL_CLOUD: zodStrBool.default("false"),
     MAINTENANCE_MODE: zodStrBool.default("false"),
     CAPTCHA_SECRET: zpStr(z.string().optional()),
+    CAPTCHA_SITE_KEY: zpStr(z.string().optional()),
+    INTERCOM_ID: zpStr(z.string().optional()),
 
     // TELEMETRY
     OTEL_TELEMETRY_COLLECTION_ENABLED: zodStrBool.default("false"),
@@ -197,7 +199,29 @@ const envSchema = z
     INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
+    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
+
+    /* CORS ----------------------------------------------------------------------------- */
+
+    CORS_ALLOWED_ORIGINS: zpStr(
+      z
+        .string()
+        .optional()
+        .transform((val) => {
+          if (!val) return undefined;
+          return JSON.parse(val) as string[];
+        })
+    ),
+
+    CORS_ALLOWED_HEADERS: zpStr(
+      z
+        .string()
+        .optional()
+        .transform((val) => {
+          if (!val) return undefined;
+          return JSON.parse(val) as string[];
+        })
+    )
   })
   // To ensure that basic encryption is always possible.
   .refine(

backend/src/server/app.ts

@@ -27,10 +27,10 @@ import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
 import { apiMetrics } from "./plugins/api-metrics";
 import { fastifyErrHandler } from "./plugins/error-handler";
-import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
 import { fastifyIp } from "./plugins/ip";
 import { maintenanceMode } from "./plugins/maintenanceMode";
+import { registerServeUI } from "./plugins/serve-ui";
 import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";
 
@@ -87,7 +87,16 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register<FastifyCorsOptions>(cors, {
       credentials: true,
-      origin: appCfg.SITE_URL || true
+      ...(appCfg.CORS_ALLOWED_ORIGINS?.length
+        ? {
+            origin: [...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])]
+          }
+        : {
+            origin: appCfg.SITE_URL || true
+          }),
+      ...(appCfg.CORS_ALLOWED_HEADERS?.length && {
+        allowedHeaders: appCfg.CORS_ALLOWED_HEADERS
+      })
     });
 
     await server.register(addErrorsToResponseSchemas);
@@ -120,13 +129,10 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
 
-    if (appCfg.isProductionMode) {
-      await server.register(registerExternalNextjs, {
-        standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
-        dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../"),
-        port: appCfg.PORT
-      });
-    }
+    await server.register(registerServeUI, {
+      standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
+      dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../")
+    });
 
     await server.ready();
     server.swagger();

backend/src/server/plugins/audit-log.ts

@@ -32,13 +32,21 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
   server.decorateRequest("auditLogInfo", null);
   server.addHook("onRequest", async (req) => {
-    if (!req.auth) return;
     const userAgent = req.headers["user-agent"] ?? "";
     const payload = {
       ipAddress: req.realIp,
       userAgent,
       userAgentType: getUserAgentType(userAgent)
     } as typeof req.auditLogInfo;
+
+    if (!req.auth) {
+      payload.actor = {
+        type: ActorType.UNKNOWN_USER,
+        metadata: {}
+      };
+      req.auditLogInfo = payload;
+      return;
+    }
     if (req.auth.actor === ActorType.USER) {
       payload.actor = {
         type: ActorType.USER,

backend/src/server/plugins/external-nextjs.ts

@@ -1,76 +0,0 @@
-// this plugins allows to run infisical in standalone mode
-// standalone mode = infisical backend and nextjs frontend in one server
-// this way users don't need to deploy two things
-import path from "node:path";
-
-import { IS_PACKAGED } from "@app/lib/config/env";
-
-// to enabled this u need to set standalone mode to true
-export const registerExternalNextjs = async (
-  server: FastifyZodProvider,
-  {
-    standaloneMode,
-    dir,
-    port
-  }: {
-    standaloneMode?: boolean;
-    dir: string;
-    port: number;
-  }
-) => {
-  if (standaloneMode) {
-    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
-    const nextJsBuildPath = path.join(dir, frontendName);
-
-    const { default: conf } = (await import(
-      path.join(dir, `${frontendName}/.next/required-server-files.json`),
-      // @ts-expect-error type
-      {
-        assert: { type: "json" }
-      }
-    )) as { default: { config: string } };
-
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    let NextServer: any;
-
-    if (!IS_PACKAGED) {
-      /* eslint-disable */
-      const { default: nextServer } = (
-        await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`))
-      ).default;
-
-      NextServer = nextServer;
-    } else {
-      /* eslint-disable */
-      const nextServer = await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`));
-
-      NextServer = nextServer.default;
-    }
-
-    const nextApp = new NextServer({
-      dev: false,
-      dir: nextJsBuildPath,
-      port,
-      conf: conf.config,
-      hostname: "local",
-      customServer: false
-    });
-
-    server.route({
-      method: ["GET", "PUT", "PATCH", "POST", "DELETE"],
-      url: "/*",
-      schema: {
-        hide: true
-      },
-      handler: (req, res) =>
-        nextApp
-          .getRequestHandler()(req.raw, res.raw)
-          .then(() => {
-            res.hijack();
-          })
-    });
-    server.addHook("onClose", () => nextApp.close());
-    await nextApp.prepare();
-    /* eslint-enable */
-  }
-};

backend/src/server/plugins/serve-ui.ts

@@ -0,0 +1,64 @@
+import path from "node:path";
+
+import staticServe from "@fastify/static";
+
+import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
+
+// to enabled this u need to set standalone mode to true
+export const registerServeUI = async (
+  server: FastifyZodProvider,
+  {
+    standaloneMode,
+    dir
+  }: {
+    standaloneMode?: boolean;
+    dir: string;
+  }
+) => {
+  // use this only for frontend runtime static non-sensitive configuration in standalone mode
+  // that app needs before loading like posthog dsn key
+  // for most of the other usecase use server config
+  server.route({
+    method: "GET",
+    url: "/runtime-ui-env.js",
+    schema: {
+      hide: true
+    },
+    handler: (_req, res) => {
+      const appCfg = getConfig();
+      void res.type("application/javascript");
+      const config = {
+        CAPTCHA_SITE_KEY: appCfg.CAPTCHA_SITE_KEY,
+        POSTHOG_API_KEY: appCfg.POSTHOG_PROJECT_API_KEY,
+        INTERCOM_ID: appCfg.INTERCOM_ID,
+        TELEMETRY_CAPTURING_ENABLED: appCfg.TELEMETRY_ENABLED
+      };
+      const js = `window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});`;
+      void res.send(js);
+    }
+  });
+
+  if (standaloneMode) {
+    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
+    const frontendPath = path.join(dir, frontendName);
+    await server.register(staticServe, {
+      root: frontendPath,
+      wildcard: false
+    });
+
+    server.route({
+      method: "GET",
+      url: "/*",
+      schema: {
+        hide: true
+      },
+      handler: (request, reply) => {
+        if (request.url.startsWith("/api")) {
+          reply.callNotFound();
+          return;
+        }
+        void reply.sendFile("index.html");
+      }
+    });
+  }
+};

backend/src/server/routes/index.ts

@@ -181,6 +181,7 @@ import { projectUserMembershipRoleDALFactory } from "@app/services/project-membe
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
+import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@@ -374,6 +375,7 @@ export const registerRoutes = async (
   const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
 
   const projectTemplateDAL = projectTemplateDALFactory(db);
+  const resourceMetadataDAL = resourceMetadataDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -854,7 +856,8 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     projectKeyDAL,
     projectUserMembershipRoleDAL,
-    orgService
+    orgService,
+    resourceMetadataDAL
   });
 
   const projectService = projectServiceFactory({
@@ -980,7 +983,8 @@ export const registerRoutes = async (
     secretApprovalPolicyService,
     secretApprovalRequestSecretDAL,
     kmsService,
-    snapshotService
+    snapshotService,
+    resourceMetadataDAL
   });
 
   const secretApprovalRequestService = secretApprovalRequestServiceFactory({
@@ -1007,7 +1011,8 @@ export const registerRoutes = async (
     projectEnvDAL,
     userDAL,
     licenseService,
-    projectSlackConfigDAL
+    projectSlackConfigDAL,
+    resourceMetadataDAL
   });
 
   const secretService = secretServiceFactory({
@@ -1028,7 +1033,8 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
-    secretApprovalRequestService
+    secretApprovalRequestService,
+    licenseService
   });
 
   const secretSharingService = secretSharingServiceFactory({
@@ -1086,8 +1092,10 @@ export const registerRoutes = async (
     kmsService,
     secretV2BridgeDAL,
     secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
-    secretVersionV2BridgeDAL
+    secretVersionV2BridgeDAL,
+    resourceMetadataDAL
   });
+
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -1339,7 +1347,8 @@ export const registerRoutes = async (
     folderDAL,
     secretDAL: secretV2BridgeDAL,
     queueService,
-    secretV2BridgeService
+    secretV2BridgeService,
+    resourceMetadataDAL
   });
 
   const migrationService = externalMigrationServiceFactory({

backend/src/server/routes/v1/auth-router.ts

@@ -63,7 +63,8 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          token: z.string()
+          token: z.string(),
+          organizationId: z.string().optional()
         })
       }
     },
@@ -115,7 +116,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         { expiresIn: appCfg.JWT_AUTH_LIFETIME }
       );
 
-      return { token };
+      return { token, organizationId: decodedToken.organizationId };
     }
   });
 };

backend/src/server/routes/v1/dashboard-router.ts

@@ -17,6 +17,7 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -116,6 +117,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -408,6 +410,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -693,6 +696,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -864,6 +868,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,

backend/src/server/routes/v1/integration-router.ts

@@ -131,7 +131,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
         appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
-        isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
+        isActive: z.boolean().optional().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
           .trim()

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { SecretSharingSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SecretSharingAccessType } from "@app/lib/types";
 import {
   publicEndpointLimit,
@@ -88,6 +89,21 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         orgId: req.permission?.orgId
       });
 
+      if (sharedSecret.secret?.orgId) {
+        await server.services.auditLog.createAuditLog({
+          orgId: sharedSecret.secret.orgId,
+          ...req.auditLogInfo,
+          event: {
+            type: EventType.READ_SHARED_SECRET,
+            metadata: {
+              id: req.params.id,
+              name: sharedSecret.secret.name || undefined,
+              accessType: sharedSecret.secret.accessType
+            }
+          }
+        });
+      }
+
       return sharedSecret;
     }
   });
@@ -151,6 +167,23 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         actorOrgId: req.permission.orgId,
         ...req.body
       });
+
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.CREATE_SHARED_SECRET,
+          metadata: {
+            accessType: req.body.accessType,
+            expiresAt: req.body.expiresAt,
+            expiresAfterViews: req.body.expiresAfterViews,
+            name: req.body.name,
+            id: sharedSecret.id,
+            usingPassword: !!req.body.password
+          }
+        }
+      });
+
       return { id: sharedSecret.id };
     }
   });
@@ -181,6 +214,18 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         sharedSecretId
       });
 
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.DELETE_SHARED_SECRET,
+          metadata: {
+            id: sharedSecretId,
+            name: deletedSharedSecret.name || undefined
+          }
+        }
+      });
+
       return { ...deletedSharedSecret };
     }
   });

backend/src/server/routes/v1/slack-router.ts

@@ -331,12 +331,8 @@ export const registerSlackRouter = async (server: FastifyZodProvider) => {
         failureAsync: async () => {
           return res.redirect(appCfg.SITE_URL as string);
         },
-        successAsync: async (installation) => {
-          const metadata = JSON.parse(installation.metadata || "") as {
-            orgId: string;
-          };
-
-          return res.redirect(`${appCfg.SITE_URL}/org/${metadata.orgId}/settings?selectedTab=workflow-integrations`);
+        successAsync: async () => {
+          return res.redirect(`${appCfg.SITE_URL}/organization/settings?selectedTab=workflow-integrations`);
         }
       });
     }

backend/src/server/routes/v3/secret-router.ts

@@ -18,6 +18,7 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations, SecretProtectionType } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -35,6 +36,12 @@ const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReference
   children: z.lazy(() => SecretReferenceNodeTree.array())
 });
 
+const SecretNameSchema = z
+  .string()
+  .trim()
+  .min(1)
+  .refine((el) => !el.includes(" "), "Secret name cannot contain spaces.");
+
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -50,7 +57,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
+        secretName: SecretNameSchema.describe(SECRETS.ATTACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
@@ -113,7 +120,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
+        secretName: z.string().describe(SECRETS.DETACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
@@ -205,6 +212,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -220,7 +228,12 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
               secretPath: z.string(),
               environment: z.string(),
               folderId: z.string().optional(),
-              secrets: secretRawSchema.omit({ createdAt: true, updatedAt: true }).array()
+              secrets: secretRawSchema
+                .omit({ createdAt: true, updatedAt: true })
+                .extend({
+                  secretMetadata: ResourceMetadataSchema.optional()
+                })
+                .array()
             })
             .array()
             .optional()
@@ -348,7 +361,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             })
               .extend({ name: z.string() })
               .array()
-              .optional()
+              .optional(),
+            secretMetadata: ResourceMetadataSchema.optional()
           })
         })
       }
@@ -434,7 +448,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
+        secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
@@ -450,6 +464,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
           .describe(RAW_SECRETS.CREATE.secretValue),
         secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
+        secretMetadata: ResourceMetadataSchema.optional(),
         tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds),
         skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type),
@@ -484,6 +499,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretValue: req.body.secretValue,
         skipMultilineEncoding: req.body.skipMultilineEncoding,
         secretComment: req.body.secretComment,
+        secretMetadata: req.body.secretMetadata,
         tagIds: req.body.tagIds,
         secretReminderNote: req.body.secretReminderNote,
         secretReminderRepeatDays: req.body.secretReminderRepeatDays
@@ -539,7 +555,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
@@ -558,13 +574,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type),
         tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
         metadata: z.record(z.string()).optional(),
+        secretMetadata: ResourceMetadataSchema.optional(),
         secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
         secretReminderRepeatDays: z
           .number()
           .optional()
           .nullable()
           .describe(RAW_SECRETS.UPDATE.secretReminderRepeatDays),
-        newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+        newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
         secretComment: z.string().optional().describe(RAW_SECRETS.UPDATE.secretComment)
       }),
       response: {
@@ -595,8 +612,10 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretReminderNote: req.body.secretReminderNote,
         metadata: req.body.metadata,
         newSecretName: req.body.newSecretName,
-        secretComment: req.body.secretComment
+        secretComment: req.body.secretComment,
+        secretMetadata: req.body.secretMetadata
       });
+
       if (secretOperation.type === SecretProtectionType.Approval) {
         return { approval: secretOperation.approval };
       }
@@ -647,7 +666,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
@@ -1842,7 +1861,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.CREATE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.CREATE.secretName),
+            secretKey: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
@@ -1850,6 +1869,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
             metadata: z.record(z.string()).optional(),
+            secretMetadata: ResourceMetadataSchema.optional(),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds)
           })
           .array()
@@ -1942,16 +1962,17 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.UPDATE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName),
+            secretKey: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
               .describe(RAW_SECRETS.UPDATE.secretValue),
             secretComment: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-            newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+            newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
             secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
+            secretMetadata: ResourceMetadataSchema.optional(),
             secretReminderRepeatDays: z
               .number()
               .optional()
@@ -2047,7 +2068,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.DELETE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.DELETE.secretName),
+            secretKey: z.string().describe(RAW_SECRETS.DELETE.secretName),
             type: z.nativeEnum(SecretType).default(SecretType.Shared)
           })
           .array()

backend/src/services/auth/auth-type.ts

@@ -39,7 +39,8 @@ export enum ActorType { // would extend to AWS, Azure, ...
   SERVICE = "service",
   IDENTITY = "identity",
   Machine = "machine",
-  SCIM_CLIENT = "scimClient"
+  SCIM_CLIENT = "scimClient",
+  UNKNOWN_USER = "unknownUser"
 }
 
 // This will be null unless the token-type is JWT

backend/src/services/external-migration/external-migration-fns.ts

@@ -16,6 +16,7 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -35,6 +36,8 @@ export type TImportDataIntoInfisicalDTO = {
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
   secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;
 
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
+
   folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath" | "findById">;
   projectService: Pick<TProjectServiceFactory, "createProject">;
   projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
@@ -503,6 +506,7 @@ export const importDataIntoInfisicalFn = async ({
   secretTagDAL,
   secretVersionTagDAL,
   folderDAL,
+  resourceMetadataDAL,
   input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
   // Import data to infisical
@@ -762,6 +766,8 @@ export const importDataIntoInfisicalFn = async ({
               };
             }),
             folderId: selectedFolder.id,
+            orgId: actorOrgId,
+            resourceMetadataDAL,
             secretDAL,
             secretVersionDAL,
             secretTagDAL,

backend/src/services/external-migration/external-migration-queue.ts

@@ -8,6 +8,7 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -35,6 +36,8 @@ export type TExternalMigrationQueueFactoryDep = {
   projectService: Pick<TProjectServiceFactory, "createProject">;
   projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
   secretV2BridgeService: Pick<TSecretV2BridgeServiceFactory, "createManySecret">;
+
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TExternalMigrationQueueFactory = ReturnType<typeof externalMigrationQueueFactory>;
@@ -52,7 +55,8 @@ export const externalMigrationQueueFactory = ({
   secretVersionDAL,
   secretTagDAL,
   secretVersionTagDAL,
-  folderDAL
+  folderDAL,
+  resourceMetadataDAL
 }: TExternalMigrationQueueFactoryDep) => {
   const startImport = async (dto: {
     actorEmail: string;
@@ -109,7 +113,8 @@ export const externalMigrationQueueFactory = ({
         kmsService,
         projectService,
         projectEnvService,
-        secretV2BridgeService
+        secretV2BridgeService,
+        resourceMetadataDAL
       });
 
       if (projectsNotImported.length) {

backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts

@@ -2,3 +2,11 @@ import picomatch from "picomatch";
 
 export const doesFieldValueMatchOidcPolicy = (fieldValue: string, policyValue: string) =>
   policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
+
+export const doesAudValueMatchOidcPolicy = (fieldValue: string | string[], policyValue: string) => {
+  if (Array.isArray(fieldValue)) {
+    return fieldValue.some((entry) => entry === policyValue || picomatch.isMatch(entry, policyValue));
+  }
+
+  return policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
+};

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -27,7 +27,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TOrgBotDALFactory } from "../org/org-bot-dal";
 import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
-import { doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
+import { doesAudValueMatchOidcPolicy, doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
 import {
   TAttachOidcAuthDTO,
   TGetOidcAuthDTO,
@@ -148,7 +148,7 @@ export const identityOidcAuthServiceFactory = ({
       if (
         !identityOidcAuth.boundAudiences
           .split(", ")
-          .some((policyValue) => doesFieldValueMatchOidcPolicy(tokenData.aud, policyValue))
+          .some((policyValue) => doesAudValueMatchOidcPolicy(tokenData.aud, policyValue))
       ) {
         throw new UnauthorizedError({
           message: "Access denied: OIDC audience not allowed."

backend/src/services/integration-auth/integration-list.ts

@@ -427,3 +427,8 @@ export const getIntegrationOptions = async () => {
 
   return INTEGRATION_OPTIONS;
 };
+
+export enum IntegrationMetadataSyncMode {
+  CUSTOM = "custom",
+  SECRET_METADATA = "secret-metadata"
+}

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -38,6 +38,7 @@ import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { IntegrationMetadataSchema } from "../integration/integration-schema";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { IntegrationAuthMetadataSchema } from "./integration-auth-schema";
 import {
   CircleCiScope,
@@ -48,6 +49,7 @@ import {
 import {
   IntegrationInitialSyncBehavior,
   IntegrationMappingBehavior,
+  IntegrationMetadataSyncMode,
   Integrations,
   IntegrationUrls
 } from "./integration-list";
@@ -305,10 +307,16 @@ const syncSecretsAzureAppConfig = async ({
     value: string;
   }
 
-  const getCompleteAzureAppConfigValues = async (url: string) => {
+  if (!integration.app || !integration.app.endsWith(".azconfig.io"))
+    throw new BadRequestError({
+      message: "Invalid Azure App Configuration URL provided."
+    });
+
+  const getCompleteAzureAppConfigValues = async (baseURL: string, url: string) => {
     let result: AzureAppConfigKeyValue[] = [];
     while (url) {
       const res = await request.get(url, {
+        baseURL,
         headers: {
           Authorization: `Bearer ${accessToken}`
         },
@@ -319,7 +327,7 @@ const syncSecretsAzureAppConfig = async ({
       });
 
       result = result.concat(res.data.items);
-      url = res.data.nextLink;
+      url = res.data?.["@nextLink"];
     }
 
     return result;
@@ -327,11 +335,13 @@ const syncSecretsAzureAppConfig = async ({
 
   const metadata = IntegrationMetadataSchema.parse(integration.metadata);
 
-  const azureAppConfigValuesUrl = `${integration.app}/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
-    metadata.azureLabel ? `&label=${metadata.azureLabel}` : ""
+  const azureAppConfigValuesUrl = `/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
+    metadata.azureLabel ? `&label=${metadata.azureLabel}` : "&label=%00"
   }`;
 
-  const azureAppConfigSecrets = (await getCompleteAzureAppConfigValues(azureAppConfigValuesUrl)).reduce(
+  const azureAppConfigSecrets = (
+    await getCompleteAzureAppConfigValues(integration.app, azureAppConfigValuesUrl)
+  ).reduce(
     (accum, entry) => {
       accum[entry.key] = entry.value;
 
@@ -1074,14 +1084,14 @@ const syncSecretsAWSSecretManager = async ({
   projectId
 }: {
   integration: TIntegrations;
-  secrets: Record<string, { value: string; comment?: string }>;
+  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
   accessId: string | null;
   accessToken: string;
   awsAssumeRoleArn: string | null;
   projectId?: string;
 }) => {
   const appCfg = getConfig();
-  const metadata = z.record(z.any()).parse(integration.metadata || {});
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata || {});
 
   if (!accessId && !awsAssumeRoleArn) {
     throw new Error("AWS access ID/AWS Assume Role is required");
@@ -1129,8 +1139,25 @@ const syncSecretsAWSSecretManager = async ({
 
   const processAwsSecret = async (
     secretId: string,
-    secretValue: Record<string, string | null | undefined> | string
+    secretValue: Record<string, string | null | undefined> | string,
+    secretMetadata?: ResourceMetadataDTO
   ) => {
+    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+    const shouldTag =
+      (secretAWSTag && secretAWSTag.length) ||
+      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA &&
+        metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE);
+    const tagArray =
+      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA ? secretMetadata : secretAWSTag) ?? [];
+
+    const integrationTagObj = tagArray.reduce(
+      (acc, item) => {
+        acc[item.key] = item.value;
+        return acc;
+      },
+      {} as Record<string, string>
+    );
+
     try {
       const awsSecretManagerSecret = await secretsManager.send(
         new GetSecretValueCommand({
@@ -1159,15 +1186,14 @@ const syncSecretsAWSSecretManager = async ({
         } else {
           await secretsManager.send(
             new DeleteSecretCommand({
-              SecretId: secretId
+              SecretId: secretId,
+              ForceDeleteWithoutRecovery: true
             })
           );
         }
       }
 
-      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
-
-      if (secretAWSTag && secretAWSTag.length) {
+      if (shouldTag) {
         const describedSecret = await secretsManager.send(
           // requires secretsmanager:DescribeSecret policy
           new DescribeSecretCommand({
@@ -1177,14 +1203,6 @@ const syncSecretsAWSSecretManager = async ({
 
         if (!describedSecret.Tags) return;
 
-        const integrationTagObj = secretAWSTag.reduce(
-          (acc, item) => {
-            acc[item.key] = item.value;
-            return acc;
-          },
-          {} as Record<string, string>
-        );
-
         const awsTagObj = (describedSecret.Tags || []).reduce(
           (acc, item) => {
             if (item.Key && item.Value) {
@@ -1216,7 +1234,7 @@ const syncSecretsAWSSecretManager = async ({
           }
         });
 
-        secretAWSTag?.forEach((tag) => {
+        tagArray.forEach((tag) => {
           if (!(tag.key in awsTagObj)) {
             // create tag in AWS secret manager
             tagsToUpdate.push({
@@ -1253,8 +1271,8 @@ const syncSecretsAWSSecretManager = async ({
               Name: secretId,
               SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
               ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-              Tags: metadata.secretAWSTag
-                ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({
+              Tags: shouldTag
+                ? tagArray.map((tag: { key: string; value: string }) => ({
                     Key: tag.key,
                     Value: tag.value
                   }))
@@ -1271,7 +1289,10 @@ const syncSecretsAWSSecretManager = async ({
 
   if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
     for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value);
+      await processAwsSecret(key, value.value, value.secretMetadata).catch((error) => {
+        error.secretKey = key;
+        throw error;
+      });
     }
   } else {
     await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
@@ -2754,13 +2775,23 @@ const syncSecretsAzureDevops = async ({
  * Sync/push [secrets] to GitLab repo with name [integration.app]
  */
 const syncSecretsGitLab = async ({
+  createManySecretsRawFn,
   integrationAuth,
   integration,
   secrets,
   accessToken
 }: {
+  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<{ id: string }>>;
   integrationAuth: TIntegrationAuths;
-  integration: TIntegrations;
+  integration: TIntegrations & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
 }) => {
@@ -2817,6 +2848,81 @@ const syncSecretsGitLab = async ({
       return isValid;
     });
 
+  if (!integration.lastUsed) {
+    const secretsToAddToInfisical: { [key: string]: GitLabSecret } = {};
+    const secretsToRemoveInGitlab: GitLabSecret[] = [];
+
+    if (!metadata.initialSyncBehavior) {
+      metadata.initialSyncBehavior = IntegrationInitialSyncBehavior.OVERWRITE_TARGET;
+    }
+
+    getSecretsRes.forEach((gitlabSecret) => {
+      // first time using integration
+      // -> apply initial sync behavior
+      switch (metadata.initialSyncBehavior) {
+        // Override all the secrets in GitLab
+        case IntegrationInitialSyncBehavior.OVERWRITE_TARGET: {
+          if (!(gitlabSecret.key in secrets)) {
+            secretsToRemoveInGitlab.push(gitlabSecret);
+          }
+          break;
+        }
+        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
+          // if the secret is not in infisical, we need to add it to infisical
+          if (!(gitlabSecret.key in secrets)) {
+            secrets[gitlabSecret.key] = {
+              value: gitlabSecret.value
+            };
+            // need to remove prefix and suffix from what we're saving to Infisical
+            const prefix = metadata?.secretPrefix || "";
+            const suffix = metadata?.secretSuffix || "";
+            let processedKey = gitlabSecret.key;
+
+            // Remove prefix if it exists at the start
+            if (prefix && processedKey.startsWith(prefix)) {
+              processedKey = processedKey.slice(prefix.length);
+            }
+
+            // Remove suffix if it exists at the end
+            if (suffix && processedKey.endsWith(suffix)) {
+              processedKey = processedKey.slice(0, -suffix.length);
+            }
+
+            secretsToAddToInfisical[processedKey] = gitlabSecret;
+          }
+          break;
+        }
+        default: {
+          throw new Error(`Invalid initial sync behavior: ${metadata.initialSyncBehavior}`);
+        }
+      }
+    });
+
+    if (Object.keys(secretsToAddToInfisical).length) {
+      await createManySecretsRawFn({
+        projectId: integration.projectId,
+        environment: integration.environment.slug,
+        path: integration.secretPath,
+        secrets: Object.keys(secretsToAddToInfisical).map((key) => ({
+          secretName: key,
+          secretValue: secretsToAddToInfisical[key].value,
+          type: SecretType.Shared
+        }))
+      });
+    }
+
+    for await (const gitlabSecret of secretsToRemoveInGitlab) {
+      await request.delete(
+        `${gitLabApiUrl}/v4/projects/${integration?.appId}/variables/${gitlabSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`
+          }
+        }
+      );
+    }
+  }
+
   for await (const key of Object.keys(secrets)) {
     const existingSecret = getSecretsRes.find((s) => s.key === key);
     if (!existingSecret) {
@@ -4431,7 +4537,7 @@ export const syncIntegrationSecrets = async ({
     secretPath: string;
   };
   integrationAuth: TIntegrationAuths;
-  secrets: Record<string, { value: string; comment?: string }>;
+  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
   accessId: string | null;
   awsAssumeRoleArn: string | null;
   accessToken: string;
@@ -4536,7 +4642,8 @@ export const syncIntegrationSecrets = async ({
         integrationAuth,
         integration,
         secrets,
-        accessToken
+        accessToken,
+        createManySecretsRawFn
       });
       break;
     case Integrations.RENDER:

backend/src/services/integration-auth/integration-team.ts

@@ -1,3 +1,5 @@
+import { AxiosResponse } from "axios";
+
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";
 
@@ -11,19 +13,27 @@ const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken:
   const gitLabApiUrl = url ? `${url}/api` : IntegrationUrls.GITLAB_API_URL;
 
   let teams: Team[] = [];
-  const res = (
-    await request.get<{ name: string; id: string }[]>(`${gitLabApiUrl}/v4/groups`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json"
+  let page: number = 1;
+  while (page > 0) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data, headers }: AxiosResponse<{ name: string; id: string }[]> = await request.get(
+      `${gitLabApiUrl}/v4/groups?page=${page}`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
       }
-    })
-  ).data;
+    );
 
-  teams = res.map((t) => ({
-    name: t.name,
-    id: t.id.toString()
-  }));
+    page = Number(headers["x-next-page"] ?? "");
+    teams = teams.concat(
+      data.map((t) => ({
+        name: t.name,
+        id: t.id.toString()
+      }))
+    );
+  }
 
   return teams;
 };

backend/src/services/integration/integration-schema.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { INTEGRATION } from "@app/lib/api-docs";
 
-import { IntegrationMappingBehavior } from "../integration-auth/integration-list";
+import { IntegrationMappingBehavior, IntegrationMetadataSyncMode } from "../integration-auth/integration-list";
 
 export const IntegrationMetadataSchema = z.object({
   initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
@@ -50,6 +50,11 @@ export const IntegrationMetadataSchema = z.object({
   shouldMaskSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldMaskSecrets),
   shouldProtectSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldProtectSecrets),
 
+  metadataSyncMode: z
+    .nativeEnum(IntegrationMetadataSyncMode)
+    .optional()
+    .describe(INTEGRATION.CREATE.metadata.metadataSyncMode),
+
   octopusDeployScopeValues: z
     .object({
       // in Octopus Deploy Scope Value Format

backend/src/services/resource-metadata/resource-metadata-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TResourceMetadataDALFactory = ReturnType<typeof resourceMetadataDALFactory>;
+
+export const resourceMetadataDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.ResourceMetadata);
+
+  return orm;
+};

backend/src/services/resource-metadata/resource-metadata-schema.ts

@@ -0,0 +1,10 @@
+import z from "zod";
+
+export const ResourceMetadataSchema = z
+  .object({
+    key: z.string().trim().min(1),
+    value: z.string().trim().default("")
+  })
+  .array();
+
+export type ResourceMetadataDTO = z.infer<typeof ResourceMetadataSchema>;

backend/src/services/secret-import/secret-import-fns.ts

@@ -1,6 +1,7 @@
 import { SecretType, TSecretImports, TSecrets, TSecretsV2 } from "@app/db/schemas";
 import { groupBy, unique } from "@app/lib/fn";
 
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -39,6 +40,7 @@ type TSecretImportSecretsV2 = {
     // But for somereason ts consider ? and undefined explicit as different just ts things
     secretValue: string;
     secretComment: string;
+    secretMetadata?: ResourceMetadataDTO;
   })[];
 };
 

backend/src/services/secret-import/secret-import-service.ts

@@ -160,6 +160,7 @@ export const secretImportServiceFactory = ({
     if (secImport.isReplication && sourceFolder) {
       await secretQueueService.replicateSecrets({
         secretPath: secImport.importPath,
+        orgId: actorOrgId,
         projectId,
         environmentSlug: importEnv.slug,
         pickOnlyImportIds: [secImport.id],
@@ -169,6 +170,7 @@ export const secretImportServiceFactory = ({
     } else {
       await secretQueueService.syncSecrets({
         secretPath,
+        orgId: actorOrgId,
         projectId,
         environmentSlug: environment,
         actorId,
@@ -340,6 +342,7 @@ export const secretImportServiceFactory = ({
 
     await secretQueueService.syncSecrets({
       secretPath,
+      orgId: actorOrgId,
       projectId,
       environmentSlug: environment,
       actor,
@@ -415,6 +418,7 @@ export const secretImportServiceFactory = ({
 
     if (membership && sourceFolder) {
       await secretQueueService.replicateSecrets({
+        orgId: actorOrgId,
         secretPath: secretImportDoc.importPath,
         projectId,
         environmentSlug: secretImportDoc.importEnv.slug,

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -206,8 +206,13 @@ export const secretSharingServiceFactory = ({
 
     const orgName = sharedSecret.orgId ? (await orgDAL.findOrgById(sharedSecret.orgId))?.name : "";
 
-    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId)
+    if (accessType === SecretSharingAccessType.Organization && orgId === undefined) {
+      throw new UnauthorizedError();
+    }
+
+    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId) {
       throw new ForbiddenRequestError();
+    }
 
     // all secrets pass through here, meaning we check if its expired first and then check if it needs verification
     // or can be safely sent to the client.

backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

@@ -78,6 +78,12 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        )
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
@@ -103,6 +109,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -221,7 +236,9 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
       const secs = await (tx || db.replicaNode())(TableName.SecretV2)
         .where({ folderId })
         .where((bd) => {
-          void bd.whereNull("userId").orWhere({ userId: userId || null });
+          void bd
+            .whereNull(`${TableName.SecretV2}.userId`)
+            .orWhere({ [`${TableName.SecretV2}.userId` as "userId"]: userId || null });
         })
         .leftJoin(
           TableName.SecretV2JnTag,
@@ -233,10 +250,16 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
         .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        )
         .orderBy("id", "asc");
 
       const data = sqlNestRelationships({
@@ -253,6 +276,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -367,7 +399,9 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           }
         })
         .where((bd) => {
-          void bd.whereNull(`${TableName.SecretV2}.userId`).orWhere({ userId: userId || null });
+          void bd
+            .whereNull(`${TableName.SecretV2}.userId`)
+            .orWhere({ [`${TableName.SecretV2}.userId` as "userId"]: userId || null });
         })
         .leftJoin(
           TableName.SecretV2JnTag,
@@ -379,13 +413,23 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(
           selectAllTableCols(TableName.SecretV2),
-          db.raw(`DENSE_RANK() OVER (ORDER BY "key" ${filters?.orderDirection ?? OrderByDirection.ASC}) as rank`)
+          db.raw(
+            `DENSE_RANK() OVER (ORDER BY "${TableName.SecretV2}".key ${
+              filters?.orderDirection ?? OrderByDirection.ASC
+            }) as rank`
+          )
         )
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
         .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        )
         .where((bd) => {
           const slugs = filters?.tagSlugs?.filter(Boolean);
           if (slugs && slugs.length > 0) {
@@ -425,6 +469,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -545,10 +598,17 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"));
+        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        );
+
       const docs = sqlNestRelationships({
         data: rawDocs,
         key: "id",
@@ -563,6 +623,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -6,6 +6,7 @@ import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TFnSecretBulkDelete, TFnSecretBulkInsert, TFnSecretBulkUpdate } from "./secret-v2-bridge-types";
@@ -54,9 +55,11 @@ export const getAllSecretReferences = (maybeSecretReference: string) => {
 export const fnSecretBulkInsert = async ({
   // TODO: Pick types here
   folderId,
+  orgId,
   inputSecrets,
   secretDAL,
   secretVersionDAL,
+  resourceMetadataDAL,
   secretTagDAL,
   secretVersionTagDAL,
   tx
@@ -91,6 +94,7 @@ export const fnSecretBulkInsert = async ({
     sanitizedInputSecrets.map((el) => ({ ...el, folderId })),
     tx
   );
+
   const newSecretGroupedByKeyName = groupBy(newSecrets, (item) => item.key);
   const newSecretTags = inputSecrets.flatMap(({ tagIds: secretTags = [], key }) =>
     secretTags.map((tag) => ({
@@ -106,6 +110,7 @@ export const fnSecretBulkInsert = async ({
     })),
     tx
   );
+
   await secretDAL.upsertSecretReferences(
     inputSecrets.map(({ references = [], key }) => ({
       secretId: newSecretGroupedByKeyName[key][0].id,
@@ -113,6 +118,22 @@ export const fnSecretBulkInsert = async ({
     })),
     tx
   );
+
+  await resourceMetadataDAL.insertMany(
+    inputSecrets.flatMap(({ key: secretKey, secretMetadata }) => {
+      if (secretMetadata) {
+        return secretMetadata.map(({ key, value }) => ({
+          key,
+          value,
+          secretId: newSecretGroupedByKeyName[secretKey][0].id,
+          orgId
+        }));
+      }
+      return [];
+    }),
+    tx
+  );
+
   if (newSecretTags.length) {
     const secTags = await secretTagDAL.saveTagsToSecretV2(newSecretTags, tx);
     const secVersionsGroupBySecId = groupBy(secretVersions, (i) => i.secretId);
@@ -120,6 +141,7 @@ export const fnSecretBulkInsert = async ({
       [`${TableName.SecretVersionV2}Id` as const]: secVersionsGroupBySecId[secrets_v2Id][0].id,
       [`${TableName.SecretTag}Id` as const]: secret_tagsId
     }));
+
     await secretVersionTagDAL.insertMany(newSecretVersionTags, tx);
   }
 
@@ -130,10 +152,12 @@ export const fnSecretBulkUpdate = async ({
   tx,
   inputSecrets,
   folderId,
+  orgId,
   secretDAL,
   secretVersionDAL,
   secretTagDAL,
-  secretVersionTagDAL
+  secretVersionTagDAL,
+  resourceMetadataDAL
 }: TFnSecretBulkUpdate) => {
   const sanitizedInputSecrets = inputSecrets.map(
     ({
@@ -231,6 +255,34 @@ export const fnSecretBulkUpdate = async ({
     }
   }
 
+  const inputSecretIdsWithMetadata = inputSecrets
+    .filter((sec) => Boolean(sec.data.secretMetadata))
+    .map((sec) => sec.filter.id);
+
+  await resourceMetadataDAL.delete(
+    {
+      $in: {
+        secretId: inputSecretIdsWithMetadata
+      }
+    },
+    tx
+  );
+
+  await resourceMetadataDAL.insertMany(
+    inputSecrets.flatMap(({ filter: { id }, data: { secretMetadata } }) => {
+      if (secretMetadata) {
+        return secretMetadata.map(({ key, value }) => ({
+          key,
+          value,
+          secretId: id,
+          orgId
+        }));
+      }
+      return [];
+    }),
+    tx
+  );
+
   return newSecrets.map((secret) => ({ ...secret, _id: secret.id }));
 };
 
@@ -570,6 +622,7 @@ export const reshapeBridgeSecret = (
       color?: string | null;
       name: string;
     }[];
+    secretMetadata?: ResourceMetadataDTO;
   }
 ) => ({
   secretKey: secret.key,
@@ -588,6 +641,7 @@ export const reshapeBridgeSecret = (
   secretReminderRepeatDays: secret.reminderRepeatDays,
   secretReminderNote: secret.reminderNote,
   metadata: secret.metadata,
+  secretMetadata: secret.secretMetadata,
   createdAt: secret.createdAt,
   updatedAt: secret.updatedAt
 });

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -18,6 +18,7 @@ import { ActorType } from "../auth/auth-type";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
@@ -74,6 +75,7 @@ type TSecretV2BridgeServiceFactoryDep = {
     "insertV2Bridge" | "insertApprovalSecretV2Tags"
   >;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TSecretV2BridgeServiceFactory = ReturnType<typeof secretV2BridgeServiceFactory>;
@@ -95,7 +97,8 @@ export const secretV2BridgeServiceFactory = ({
   secretApprovalPolicyService,
   secretApprovalRequestDAL,
   secretApprovalRequestSecretDAL,
-  kmsService
+  kmsService,
+  resourceMetadataDAL
 }: TSecretV2BridgeServiceFactoryDep) => {
   const $validateSecretReferences = async (
     projectId: string,
@@ -141,7 +144,7 @@ export const secretV2BridgeServiceFactory = ({
               },
               {
                 operator: "eq",
-                field: "key",
+                field: `${TableName.SecretV2}.key` as "key",
                 value: el.secretKey
               }
             ]
@@ -186,6 +189,7 @@ export const secretV2BridgeServiceFactory = ({
     actorAuthMethod,
     projectId,
     secretPath,
+    secretMetadata,
     ...inputSecret
   }: TCreateSecretDTO) => {
     const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
@@ -255,6 +259,7 @@ export const secretV2BridgeServiceFactory = ({
     const secret = await secretDAL.transaction((tx) =>
       fnSecretBulkInsert({
         folderId,
+        orgId: actorOrgId,
         inputSecrets: [
           {
             version: 1,
@@ -272,9 +277,11 @@ export const secretV2BridgeServiceFactory = ({
             key: secretName,
             userId: inputSecret.type === SecretType.Personal ? actorId : null,
             tagIds: inputSecret.tagIds,
-            references: nestedReferences
+            references: nestedReferences,
+            secretMetadata
           }
         ],
+        resourceMetadataDAL,
         secretDAL,
         secretVersionDAL,
         secretTagDAL,
@@ -287,6 +294,7 @@ export const secretV2BridgeServiceFactory = ({
       await snapshotService.performSnapshot(folderId);
       await secretQueueService.syncSecrets({
         secretPath,
+        orgId: actorOrgId,
         actorId,
         actor,
         projectId,
@@ -309,6 +317,7 @@ export const secretV2BridgeServiceFactory = ({
     actorAuthMethod,
     projectId,
     secretPath,
+    secretMetadata,
     ...inputSecret
   }: TUpdateSecretDTO) => {
     const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
@@ -435,6 +444,8 @@ export const secretV2BridgeServiceFactory = ({
     const updatedSecret = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
+        orgId: actorOrgId,
+        resourceMetadataDAL,
         inputSecrets: [
           {
             filter: { id: secretId },
@@ -448,6 +459,7 @@ export const secretV2BridgeServiceFactory = ({
               skipMultilineEncoding: inputSecret.skipMultilineEncoding,
               key: inputSecret.newSecretName || secretName,
               tags: inputSecret.tagIds,
+              secretMetadata,
               ...encryptedValue
             }
           }
@@ -475,6 +487,7 @@ export const secretV2BridgeServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -562,6 +575,7 @@ export const secretV2BridgeServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -961,8 +975,8 @@ export const secretV2BridgeServiceFactory = ({
       ? secretDAL.findOneWithTags({
           folderId,
           type: secretType,
-          key: secretName,
-          userId: secretType === SecretType.Personal ? actorId : null
+          [`${TableName.SecretV2}.key` as "key"]: secretName,
+          [`${TableName.SecretV2}.userId` as "userId"]: secretType === SecretType.Personal ? actorId : null
         })
       : secretVersionDAL
           .findOne({
@@ -1113,7 +1127,7 @@ export const secretV2BridgeServiceFactory = ({
               value: [
                 {
                   operator: "eq",
-                  field: "key",
+                  field: `${TableName.SecretV2}.key` as "key",
                   value: el.secretKey
                 },
                 {
@@ -1185,11 +1199,14 @@ export const secretV2BridgeServiceFactory = ({
             key: el.secretKey,
             tagIds: el.tagIds,
             references,
+            secretMetadata: el.secretMetadata,
             type: SecretType.Shared
           };
         }),
         folderId,
+        orgId: actorOrgId,
         secretDAL,
+        resourceMetadataDAL,
         secretVersionDAL,
         secretTagDAL,
         secretVersionTagDAL,
@@ -1203,6 +1220,7 @@ export const secretV2BridgeServiceFactory = ({
       actorId,
       secretPath,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1254,7 +1272,7 @@ export const secretV2BridgeServiceFactory = ({
               value: [
                 {
                   operator: "eq",
-                  field: "key",
+                  field: `${TableName.SecretV2}.key` as "key",
                   value: el.secretKey
                 },
                 {
@@ -1319,7 +1337,7 @@ export const secretV2BridgeServiceFactory = ({
                 value: [
                   {
                     operator: "eq",
-                    field: "key",
+                    field: `${TableName.SecretV2}.key` as "key",
                     value: el.secretKey
                   },
                   {
@@ -1371,6 +1389,7 @@ export const secretV2BridgeServiceFactory = ({
     const secrets = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
+        orgId: actorOrgId,
         tx,
         inputSecrets: inputSecrets.map((el) => {
           const originalSecret = secretsToUpdateInDBGroupedByKey[el.secretKey][0];
@@ -1394,6 +1413,7 @@ export const secretV2BridgeServiceFactory = ({
               skipMultilineEncoding: el.skipMultilineEncoding,
               key: el.newSecretName || el.secretKey,
               tags: el.tagIds,
+              secretMetadata: el.secretMetadata,
               ...encryptedValue
             }
           };
@@ -1401,7 +1421,8 @@ export const secretV2BridgeServiceFactory = ({
         secretDAL,
         secretVersionDAL,
         secretTagDAL,
-        secretVersionTagDAL
+        secretVersionTagDAL,
+        resourceMetadataDAL
       })
     );
     await snapshotService.performSnapshot(folderId);
@@ -1410,6 +1431,7 @@ export const secretV2BridgeServiceFactory = ({
       actorId,
       secretPath,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1461,7 +1483,7 @@ export const secretV2BridgeServiceFactory = ({
               value: [
                 {
                   operator: "eq",
-                  field: "key",
+                  field: `${TableName.SecretV2}.key` as "key",
                   value: el.secretKey
                 },
                 {
@@ -1512,6 +1534,7 @@ export const secretV2BridgeServiceFactory = ({
       actorId,
       secretPath,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1815,10 +1838,12 @@ export const secretV2BridgeServiceFactory = ({
         if (locallyCreatedSecrets.length) {
           await fnSecretBulkInsert({
             folderId: destinationFolder.id,
+            orgId: actorOrgId,
             secretVersionDAL,
             secretDAL,
             tx,
             secretTagDAL,
+            resourceMetadataDAL,
             secretVersionTagDAL,
             inputSecrets: locallyCreatedSecrets.map((doc) => {
               return {
@@ -1830,6 +1855,7 @@ export const secretV2BridgeServiceFactory = ({
                 skipMultilineEncoding: doc.skipMultilineEncoding,
                 reminderNote: doc.reminderNote,
                 reminderRepeatDays: doc.reminderRepeatDays,
+                secretMetadata: doc.secretMetadata,
                 references: doc.value ? getAllSecretReferences(doc.value).nestedReferences : []
               };
             })
@@ -1838,6 +1864,8 @@ export const secretV2BridgeServiceFactory = ({
         if (locallyUpdatedSecrets.length) {
           await fnSecretBulkUpdate({
             folderId: destinationFolder.id,
+            orgId: actorOrgId,
+            resourceMetadataDAL,
             secretVersionDAL,
             secretDAL,
             tx,
@@ -1855,6 +1883,7 @@ export const secretV2BridgeServiceFactory = ({
                   encryptedComment: doc.encryptedComment,
                   skipMultilineEncoding: doc.skipMultilineEncoding,
                   reminderNote: doc.reminderNote,
+                  secretMetadata: doc.secretMetadata,
                   reminderRepeatDays: doc.reminderRepeatDays,
                   ...(doc.encryptedValue
                     ? {
@@ -1938,6 +1967,7 @@ export const secretV2BridgeServiceFactory = ({
       await snapshotService.performSnapshot(destinationFolder.id);
       await secretQueueService.syncSecrets({
         projectId,
+        orgId: actorOrgId,
         secretPath: destinationFolder.path,
         environmentSlug: destinationFolder.environment.slug,
         actorId,
@@ -1949,6 +1979,7 @@ export const secretV2BridgeServiceFactory = ({
       await snapshotService.performSnapshot(sourceFolder.id);
       await secretQueueService.syncSecrets({
         projectId,
+        orgId: actorOrgId,
         secretPath: sourceFolder.path,
         environmentSlug: sourceFolder.environment.slug,
         actorId,

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -7,6 +7,8 @@ import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TSecretVersionV2DALFactory } from "./secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "./secret-version-tag-dal";
@@ -58,6 +60,7 @@ export type TCreateSecretDTO = TProjectPermission & {
   skipMultilineEncoding?: boolean;
   secretReminderRepeatDays?: number | null;
   secretReminderNote?: string | null;
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TUpdateSecretDTO = TProjectPermission & {
@@ -75,6 +78,7 @@ export type TUpdateSecretDTO = TProjectPermission & {
   metadata?: {
     source?: string;
   };
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TDeleteSecretDTO = TProjectPermission & {
@@ -94,6 +98,7 @@ export type TCreateManySecretDTO = Omit<TProjectPermission, "projectId"> & {
     secretComment?: string;
     skipMultilineEncoding?: boolean;
     tagIds?: string[];
+    secretMetadata?: ResourceMetadataDTO;
     metadata?: {
       source?: string;
     };
@@ -113,6 +118,7 @@ export type TUpdateManySecretDTO = Omit<TProjectPermission, "projectId"> & {
     tagIds?: string[];
     secretReminderRepeatDays?: number | null;
     secretReminderNote?: string | null;
+    secretMetadata?: ResourceMetadataDTO;
   }[];
 };
 
@@ -136,8 +142,16 @@ export type TSecretReference = { environment: string; secretPath: string; secret
 
 export type TFnSecretBulkInsert = {
   folderId: string;
+  orgId: string;
   tx?: Knex;
-  inputSecrets: Array<Omit<TSecretsV2Insert, "folderId"> & { tagIds?: string[]; references: TSecretReference[] }>;
+  inputSecrets: Array<
+    Omit<TSecretsV2Insert, "folderId"> & {
+      tagIds?: string[];
+      references: TSecretReference[];
+      secretMetadata?: ResourceMetadataDTO;
+    }
+  >;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2">;
@@ -156,10 +170,12 @@ type TRequireReferenceIfValue =
 
 export type TFnSecretBulkUpdate = {
   folderId: string;
+  orgId: string;
   inputSecrets: {
     filter: Partial<TSecretsV2>;
-    data: TRequireReferenceIfValue & { tags?: string[] };
+    data: TRequireReferenceIfValue & { tags?: string[]; secretMetadata?: ResourceMetadataDTO };
   }[];
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "bulkUpdate" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "deleteTagsToSecretV2">;

backend/src/services/secret/secret-fns.ts

@@ -749,7 +749,8 @@ export const createManySecretsRawFnFactory = ({
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
   secretVersionTagV2BridgeDAL,
-  kmsService
+  kmsService,
+  resourceMetadataDAL
 }: TCreateManySecretsRawFnFactory) => {
   const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
   const createManySecretsRawFn = async ({
@@ -760,7 +761,7 @@ export const createManySecretsRawFnFactory = ({
     userId
   }: TCreateManySecretsRawFn) => {
     const { botKey, shouldUseSecretV2Bridge } = await getBotKeyFn(projectId);
-
+    const project = await projectDAL.findById(projectId);
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
       throw new NotFoundError({
@@ -814,7 +815,9 @@ export const createManySecretsRawFnFactory = ({
             tagIds: el.tags
           })),
           folderId,
+          orgId: project.orgId,
           secretDAL: secretV2BridgeDAL,
+          resourceMetadataDAL,
           secretVersionDAL: secretVersionV2BridgeDAL,
           secretTagDAL,
           secretVersionTagDAL: secretVersionTagV2BridgeDAL,
@@ -909,6 +912,7 @@ export const updateManySecretsRawFnFactory = ({
   secretVersionTagV2BridgeDAL,
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
+  resourceMetadataDAL,
   kmsService
 }: TUpdateManySecretsRawFnFactory) => {
   const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
@@ -920,6 +924,7 @@ export const updateManySecretsRawFnFactory = ({
     userId
   }: TUpdateManySecretsRawFn): Promise<Array<{ id: string }>> => {
     const { botKey, shouldUseSecretV2Bridge } = await getBotKeyFn(projectId);
+    const project = await projectDAL.findById(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -988,11 +993,13 @@ export const updateManySecretsRawFnFactory = ({
       const updatedSecrets = await secretDAL.transaction(async (tx) =>
         fnSecretV2BridgeBulkUpdate({
           folderId,
+          orgId: project.orgId,
           tx,
           inputSecrets: inputSecrets.map((el) => ({
             filter: { id: secretsToUpdateInDBGroupedByKey[el.key][0].id, type: SecretType.Shared },
             data: el
           })),
+          resourceMetadataDAL,
           secretDAL: secretV2BridgeDAL,
           secretVersionDAL: secretVersionV2BridgeDAL,
           secretTagDAL,

backend/src/services/secret/secret-queue.ts

@@ -47,6 +47,8 @@ import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
@@ -104,6 +106,7 @@ type TSecretQueueFactoryDep = {
   auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
   projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TGetSecrets = {
@@ -120,7 +123,12 @@ export const uniqueSecretQueueKey = (environment: string, secretPath: string) =>
 
 type TIntegrationSecret = Record<
   string,
-  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
+  {
+    value: string;
+    comment?: string;
+    skipMultilineEncoding?: boolean | null | undefined;
+    secretMetadata?: ResourceMetadataDTO;
+  }
 >;
 
 // TODO(akhilmhdh): split this into multiple queue
@@ -157,7 +165,8 @@ export const secretQueueFactory = ({
   auditLogService,
   orgService,
   projectUserMembershipRoleDAL,
-  projectKeyDAL
+  projectKeyDAL,
+  resourceMetadataDAL
 }: TSecretQueueFactoryDep) => {
   const integrationMeter = opentelemetry.metrics.getMeter("Integrations");
   const errorHistogram = integrationMeter.createHistogram("integration_secret_sync_errors", {
@@ -306,7 +315,8 @@ export const secretQueueFactory = ({
     kmsService,
     secretVersionV2BridgeDAL,
     secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
+    secretVersionTagV2BridgeDAL,
+    resourceMetadataDAL
   });
 
   const updateManySecretsRawFn = updateManySecretsRawFnFactory({
@@ -321,7 +331,8 @@ export const secretQueueFactory = ({
     kmsService,
     secretVersionV2BridgeDAL,
     secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
+    secretVersionTagV2BridgeDAL,
+    resourceMetadataDAL
   });
 
   /**
@@ -372,6 +383,7 @@ export const secretQueueFactory = ({
         }
 
         content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
+        content[secretKey].secretMetadata = secret.secretMetadata;
       })
     );
 
@@ -397,7 +409,8 @@ export const secretQueueFactory = ({
           content[importedSecret.key] = {
             skipMultilineEncoding: importedSecret.skipMultilineEncoding,
             comment: importedSecret.secretComment,
-            value: importedSecret.secretValue || ""
+            value: importedSecret.secretValue || "",
+            secretMetadata: importedSecret.secretMetadata
           };
         }
       }
@@ -597,6 +610,7 @@ export const secretQueueFactory = ({
       _depth: depth,
       secretPath,
       projectId,
+      orgId,
       environmentSlug: environment,
       excludeReplication,
       actorId,
@@ -625,6 +639,7 @@ export const secretQueueFactory = ({
         _deDupeReplicationQueue: deDupeReplicationQueue,
         _depth: depth,
         projectId,
+        orgId,
         secretPath,
         actorId,
         actor,
@@ -681,6 +696,7 @@ export const secretQueueFactory = ({
       if (!folder) {
         throw new Error("Secret path not found");
       }
+      const project = await projectDAL.findById(projectId);
 
       // find all imports made with the given environment and secret path
       const linkSourceDto = {
@@ -715,6 +731,7 @@ export const secretQueueFactory = ({
             .map(({ folderId }) =>
               syncSecrets({
                 projectId,
+                orgId: project.orgId,
                 secretPath: foldersGroupedById[folderId][0]?.path as string,
                 environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
                 _deDupeQueue: deDupeQueue,
@@ -767,6 +784,7 @@ export const secretQueueFactory = ({
             .map((folderId) =>
               syncSecrets({
                 projectId,
+                orgId: project.orgId,
                 secretPath: referencedFoldersGroupedById[folderId][0]?.path as string,
                 environmentSlug: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
                 _deDupeQueue: deDupeQueue,
@@ -953,6 +971,8 @@ export const secretQueueFactory = ({
               });
             }
 
+            const { secretKey } = (err as { secretKey: string }) || {};
+
             const message =
               // eslint-disable-next-line no-nested-ternary
               (err instanceof AxiosError
@@ -961,6 +981,8 @@ export const secretQueueFactory = ({
                   : err?.message
                 : (err as Error)?.message) || "Unknown error occurred.";
 
+            const errorLog = `${secretKey ? `[Secret Key: ${secretKey}] ` : ""}${message}`;
+
             await auditLogService.createAuditLog({
               projectId,
               actor: await $generateActor(actorId, isManual),
@@ -971,7 +993,7 @@ export const secretQueueFactory = ({
                   isSynced: false,
                   lastSyncJobId: job?.id ?? "",
                   lastUsed: new Date(),
-                  syncMessage: message
+                  syncMessage: errorLog
                 }
               }
             });
@@ -983,13 +1005,13 @@ export const secretQueueFactory = ({
 
             await integrationDAL.updateById(integration.id, {
               lastSyncJobId: job.id,
-              syncMessage: message,
+              syncMessage: errorLog,
               isSynced: false
             });
 
             integrationsFailedToSync.push({
               integrationId: integration.id,
-              syncMessage: message
+              syncMessage: errorLog
             });
           }
         }

backend/src/services/secret/secret-service.ts

@@ -11,6 +11,7 @@ import {
   SecretsSchema,
   SecretType
 } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -69,6 +70,7 @@ import {
   TDeleteSecretRawDTO,
   TGetASecretDTO,
   TGetASecretRawDTO,
+  TGetSecretAccessListDTO,
   TGetSecretsDTO,
   TGetSecretsRawDTO,
   TGetSecretVersionsDTO,
@@ -94,7 +96,7 @@ type TSecretServiceFactoryDep = {
   >;
   secretV2BridgeService: TSecretV2BridgeServiceFactory;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissions">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretQueueService: Pick<
     TSecretQueueFactory,
@@ -113,6 +115,7 @@ type TSecretServiceFactoryDep = {
     TSecretApprovalRequestSecretDALFactory,
     "insertMany" | "insertApprovalSecretTags"
   >;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
 export type TSecretServiceFactory = ReturnType<typeof secretServiceFactory>;
@@ -134,7 +137,8 @@ export const secretServiceFactory = ({
   secretApprovalRequestDAL,
   secretApprovalRequestSecretDAL,
   secretV2BridgeService,
-  secretApprovalRequestService
+  secretApprovalRequestService,
+  licenseService
 }: TSecretServiceFactoryDep) => {
   const getSecretReference = async (projectId: string) => {
     // if bot key missing means e2e still exist
@@ -288,6 +292,7 @@ export const secretServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -429,6 +434,7 @@ export const secretServiceFactory = ({
       await snapshotService.performSnapshot(folderId);
       await secretQueueService.syncSecrets({
         secretPath: path,
+        orgId: actorOrgId,
         actorId,
         actor,
         projectId,
@@ -526,6 +532,7 @@ export const secretServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -820,6 +827,7 @@ export const secretServiceFactory = ({
       actorId,
       secretPath: path,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -928,6 +936,7 @@ export const secretServiceFactory = ({
       actorId,
       secretPath: path,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1014,6 +1023,7 @@ export const secretServiceFactory = ({
       actorId,
       secretPath: path,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1147,6 +1157,71 @@ export const secretServiceFactory = ({
     return secretV2BridgeService.getSecretReferenceTree(dto);
   };
 
+  const getSecretAccessList = async (dto: TGetSecretAccessListDTO) => {
+    const { environment, secretPath, secretName, projectId } = dto;
+    const plan = await licenseService.getPlan(dto.actorOrgId);
+    if (!plan.secretAccessInsights) {
+      throw new BadRequestError({
+        message: "Failed to fetch secret access list due to plan restriction. Upgrade your plan."
+      });
+    }
+
+    const secret = await secretV2BridgeService.getSecretByName({
+      actor: dto.actor,
+      actorId: dto.actorId,
+      actorOrgId: dto.actorOrgId,
+      actorAuthMethod: dto.actorAuthMethod,
+      projectId,
+      secretName,
+      path: secretPath,
+      environment,
+      type: "shared"
+    });
+
+    const { userPermissions, identityPermissions, groupPermissions } = await permissionService.getProjectPermissions(
+      dto.projectId
+    );
+
+    const attachAllowedActions = (
+      entityPermission:
+        | (typeof userPermissions)[number]
+        | (typeof identityPermissions)[number]
+        | (typeof groupPermissions)[number]
+    ) => {
+      const allowedActions = [
+        ProjectPermissionActions.Read,
+        ProjectPermissionActions.Delete,
+        ProjectPermissionActions.Create,
+        ProjectPermissionActions.Edit
+      ].filter((action) =>
+        entityPermission.permission.can(
+          action,
+          subject(ProjectPermissionSub.Secrets, {
+            environment,
+            secretPath,
+            secretName,
+            secretTags: secret?.tags?.map((el) => el.slug)
+          })
+        )
+      );
+
+      return {
+        ...entityPermission,
+        allowedActions
+      };
+    };
+
+    const usersWithAccess = userPermissions.map(attachAllowedActions).filter((user) => user.allowedActions.length > 0);
+    const identitiesWithAccess = identityPermissions
+      .map(attachAllowedActions)
+      .filter((identity) => identity.allowedActions.length > 0);
+    const groupsWithAccess = groupPermissions
+      .map(attachAllowedActions)
+      .filter((group) => group.allowedActions.length > 0);
+
+    return { users: usersWithAccess, identities: identitiesWithAccess, groups: groupsWithAccess };
+  };
+
   const getSecretsRaw = async ({
     projectId,
     path,
@@ -1385,7 +1460,8 @@ export const secretServiceFactory = ({
     skipMultilineEncoding,
     tagIds,
     secretReminderNote,
-    secretReminderRepeatDays
+    secretReminderRepeatDays,
+    secretMetadata
   }: TCreateSecretRawDTO) => {
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     const policy =
@@ -1412,7 +1488,8 @@ export const secretServiceFactory = ({
                 secretValue,
                 tagIds,
                 reminderNote: secretReminderNote,
-                reminderRepeatDays: secretReminderRepeatDays
+                reminderRepeatDays: secretReminderRepeatDays,
+                secretMetadata
               }
             ]
           }
@@ -1435,7 +1512,8 @@ export const secretServiceFactory = ({
         tagIds,
         secretReminderNote,
         skipMultilineEncoding,
-        secretReminderRepeatDays
+        secretReminderRepeatDays,
+        secretMetadata
       });
       return { secret, type: SecretProtectionType.Direct as const };
     }
@@ -1525,7 +1603,8 @@ export const secretServiceFactory = ({
     secretReminderRepeatDays,
     metadata,
     secretComment,
-    newSecretName
+    newSecretName,
+    secretMetadata
   }: TUpdateSecretRawDTO) => {
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     const policy =
@@ -1553,7 +1632,8 @@ export const secretServiceFactory = ({
                 secretValue,
                 tagIds,
                 reminderNote: secretReminderNote,
-                reminderRepeatDays: secretReminderRepeatDays
+                reminderRepeatDays: secretReminderRepeatDays,
+                secretMetadata
               }
             ]
           }
@@ -1577,7 +1657,8 @@ export const secretServiceFactory = ({
         secretName,
         newSecretName,
         metadata,
-        secretValue
+        secretValue,
+        secretMetadata
       });
       return { type: SecretProtectionType.Direct as const, secret };
     }
@@ -1793,7 +1874,8 @@ export const secretServiceFactory = ({
               secretComment: el.secretComment,
               metadata: el.metadata,
               skipMultilineEncoding: el.skipMultilineEncoding,
-              secretKey: el.secretKey
+              secretKey: el.secretKey,
+              secretMetadata: el.secretMetadata
             }))
           }
         });
@@ -1919,7 +2001,8 @@ export const secretServiceFactory = ({
               secretValue: el.secretValue,
               secretComment: el.secretComment,
               skipMultilineEncoding: el.skipMultilineEncoding,
-              secretKey: el.secretKey
+              secretKey: el.secretKey,
+              secretMetadata: el.secretMetadata
             }))
           }
         });
@@ -2262,6 +2345,7 @@ export const secretServiceFactory = ({
     await secretQueueService.syncSecrets({
       secretPath,
       projectId: project.id,
+      orgId: project.orgId,
       environmentSlug: environment,
       excludeReplication: true
     });
@@ -2370,6 +2454,7 @@ export const secretServiceFactory = ({
     await secretQueueService.syncSecrets({
       secretPath,
       projectId: project.id,
+      orgId: project.orgId,
       environmentSlug: environment,
       excludeReplication: true
     });
@@ -2828,6 +2913,7 @@ export const secretServiceFactory = ({
       await snapshotService.performSnapshot(destinationFolder.id);
       await secretQueueService.syncSecrets({
         projectId: project.id,
+        orgId: project.orgId,
         secretPath: destinationFolder.path,
         environmentSlug: destinationFolder.environment.slug,
         actorId,
@@ -2839,6 +2925,7 @@ export const secretServiceFactory = ({
       await snapshotService.performSnapshot(sourceFolder.id);
       await secretQueueService.syncSecrets({
         projectId: project.id,
+        orgId: project.orgId,
         secretPath: sourceFolder.path,
         environmentSlug: sourceFolder.environment.slug,
         actorId,
@@ -2928,6 +3015,7 @@ export const secretServiceFactory = ({
     getSecretsCountMultiEnv,
     getSecretsRawMultiEnv,
     getSecretReferenceTree,
-    getSecretsRawByFolderMappings
+    getSecretsRawByFolderMappings,
+    getSecretAccessList
   };
 };

backend/src/services/secret/secret-types.ts

@@ -14,6 +14,8 @@ import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
 import { ActorType } from "../auth/auth-type";
 import { TKmsServiceFactory } from "../kms/kms-service";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
@@ -188,6 +190,12 @@ export type TGetSecretsRawDTO = {
   keys?: string[];
 } & TProjectPermission;
 
+export type TGetSecretAccessListDTO = {
+  environment: string;
+  secretPath: string;
+  secretName: string;
+} & TProjectPermission;
+
 export type TGetASecretRawDTO = {
   secretName: string;
   path: string;
@@ -211,6 +219,7 @@ export type TCreateSecretRawDTO = TProjectPermission & {
   skipMultilineEncoding?: boolean;
   secretReminderRepeatDays?: number | null;
   secretReminderNote?: string | null;
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TUpdateSecretRawDTO = TProjectPermission & {
@@ -228,6 +237,7 @@ export type TUpdateSecretRawDTO = TProjectPermission & {
   metadata?: {
     source?: string;
   };
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TDeleteSecretRawDTO = TProjectPermission & {
@@ -248,6 +258,7 @@ export type TCreateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
     secretComment?: string;
     skipMultilineEncoding?: boolean;
     tagIds?: string[];
+    secretMetadata?: ResourceMetadataDTO;
     metadata?: {
       source?: string;
     };
@@ -266,6 +277,7 @@ export type TUpdateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
     secretComment?: string;
     skipMultilineEncoding?: boolean;
     tagIds?: string[];
+    secretMetadata?: ResourceMetadataDTO;
     secretReminderRepeatDays?: number | null;
     secretReminderNote?: string | null;
   }[];
@@ -293,7 +305,13 @@ export type TSecretReference = { environment: string; secretPath: string };
 export type TFnSecretBulkInsert = {
   folderId: string;
   tx?: Knex;
-  inputSecrets: Array<Omit<TSecretsInsert, "folderId"> & { tags?: string[]; references?: TSecretReference[] }>;
+  inputSecrets: Array<
+    Omit<TSecretsInsert, "folderId"> & {
+      tags?: string[];
+      references?: TSecretReference[];
+      secretMetadata?: ResourceMetadataDTO;
+    }
+  >;
   secretDAL: Pick<TSecretDALFactory, "insertMany" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret">;
@@ -389,6 +407,7 @@ export type TCreateManySecretsRawFnFactory = {
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
 };
 
 export type TCreateManySecretsRawFn = {
@@ -425,6 +444,7 @@ export type TUpdateManySecretsRawFnFactory = {
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TUpdateManySecretsRawFn = {
@@ -460,6 +480,7 @@ export type TSyncSecretsDTO<T extends boolean = false> = {
   _depth?: number;
   secretPath: string;
   projectId: string;
+  orgId: string;
   environmentSlug: string;
   // cases for just doing sync integration and webhook
   excludeReplication?: T;

backend/src/services/slack/slack-fns.ts

@@ -51,7 +51,7 @@ const buildSlackPayload = (notification: TSlackNotification) => {
 *Environment*: ${payload.environment}
 *Secret path*: ${payload.secretPath || "/"}
 
-View the complete details <${appCfg.SITE_URL}/project/${payload.projectId}/approval?requestId=${
+View the complete details <${appCfg.SITE_URL}/secret-manager/${payload.projectId}/approval?requestId=${
         payload.requestId
       }|here>.`;
 

cli/packages/cmd/run.go

@@ -419,22 +419,23 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 
 	for {
 		<-recheckSecretsChannel
-		watchMutex.Lock()
+		func() {
+			watchMutex.Lock()
+			defer watchMutex.Unlock()
 
-		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
-		if err != nil {
-			log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
-			continue
-		}
+			newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
+			if err != nil {
+				log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
+				return
+			}
 
-		if newEnvironmentVariables.ETag != currentETag {
-			runCommandWithWatcher(newEnvironmentVariables)
-		} else {
-			log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
-		}
-
-		watchMutex.Unlock()
+			if newEnvironmentVariables.ETag != currentETag {
+				runCommandWithWatcher(newEnvironmentVariables)
+			} else {
+				log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
+			}
 
+		}()
 	}
 }
 

company/documentation/engineering/oncall-summery-template.mdx

@@ -0,0 +1,22 @@
+---
+title: "On call summary template"
+sidebarTitle: "Summary template"
+---
+
+```plain
+Date: MM/DD/YY-MM/DD/YY
+
+Notable incidents:
+-  [<open/resolved>] <details of the incident including who was impacted. what you did to mitigate/patch the issue>
+    - Action items:
+        - <what can we do to prevent this from happening in the future?> 
+
+Notable support:
+- [Customer company name] <details of the support inquiry>
+    - Action items:
+        - <what actions should be taken/has been taken to resolve this>
+        - <what can we do to prevent this from happening in the future?> 
+
+Comments:
+<Any comments you have from your on call shift. Were there any pain points you experienced, etc?>
+```

company/documentation/engineering/oncall.mdx

@@ -0,0 +1,78 @@
+---
+title: "On call rotation"
+sidebarTitle: "On call rotation"
+description: "Learn about call rotation at Infisical"
+---
+
+Infisical is mission-critical software, which means minimizing service disruptions is a top priority. 
+To make sure we can react to any issues that come up, we have an on-call rotation that helps us to provide responsive, 24x7x365 support to our customers. 
+Being part of the on-call rotation is an opportunity to deepen the understanding of our infrastructure, deployment pipelines, and customer-facing systems. 
+Having this broader understanding of our system not only helps us design better software but also enhances the overall stability of our platform. 
+
+### On-Call Overview
+
+**Rotation Details**
+
+Each engineer will be on call once a week, from **Thursday to Thursday**, including weekends. 
+During this time, the on-call engineer is expected to be available at all times to respond to service disruption alerts.
+
+While being on call, you are responsible for acting as the first line of defense for critical incidents and answering customer support inquiries. 
+During your working hours, you must respond to all support tickets or involve relevant team members with sufficient context. 
+Outside of working hours, you are expected to be available for any high-severity pager alerts and critical support inquiries by customers.
+
+### Responsibilities While On Call
+
+During your working hours, prioritize the following in this order:
+
+1. **Responding to Alerts:**
+    - Monitor and respond promptly to all PagerDuty alerts.
+    - Investigate incidents, determine root causes, and mitigate issues.
+    - Refer to runbooks or any relevant documentation to resolve alarms quickly.
+2. **Customer Support:**
+    - Actively monitor all support inquiries in [**Pylon**](https://app.usepylon.com/issues) and respond to incoming tickets.
+    - Debug and resolve customer issues. If you encounter a problem outside your expertise, collaborate with the relevant teammates to resolve it. This is an opportunity to learn and build context for future incidents.
+3. **Sprint work:**
+    - Since the current on-call workload does not require all of your working hours, you are expected to work on the sprint items assigned to you. 
+      If the on-call workload increases significantly, inform Maidul to make adjustments.
+4. **Continuous Improvement:**
+    - Take note of recurring patterns, inefficiencies, and opportunities where we can automate to reduce on-call burdens in the future.
+
+<Warning>
+    Outside of working hours, you are expected to be available and respond to any high-severity pager alerts and critical support inquiries by customers.
+</Warning>
+
+### Before You Get On Call
+
+- **Set Up PagerDuty:** Ensure you have the PagerDuty mobile app installed, configured, and notifications enabled for Infisical services.
+- **Access Required Tools:** Verify access to internal network, runbooks on Notion, [https://grafana.infisical.com](https://grafana.infisical.com/), access to aws accounts and any other access you may require.
+- **AWS Permissions:** You will be granted sufficient AWS permissions before the start of your on-call shift in case you need to access production accounts.
+
+### At the End of Your Shift
+
+- Post an on-call summary in the Slack channel `#on-call-summaries` at the end of your shift using the following [template](/documentation/engineering/oncall-summery-template). Include notable findings, support inquires and incidents you encountered. 
+  This will helps the rest of the team stay in the loop and open discussions on how to prevent similar issues in the future.
+- Do a **handoff meeting/slack huddle** with the next engineer on call to summarize any outstanding work, unresolved issues, or any incidents that require follow-up. Ensure the next on-call engineer is fully briefed so they can pick up where you left off. **Include Maidul in this hand off call.**
+
+### When to escalate an incident
+
+If you are paged for incident that you cannot resolve after attempting to debug and mitigate the issue, you should not hesitate to escalate and page others in. 
+It’s better to get help sooner rather than later to minimize the impact on customers. 
+
+- **Paging relevant teammate:** If you’ve tried resolving an issue on your own and need additional help, page another engineer who might be relevant through PagerDuty.
+- **Escalating to Maidul:** You can page Maidul at any time if you think it would be helpful.
+
+### How to be successful on you rotations
+
+- Be on top of all changes that get merged into main. This will help you be aware of any changes that might cause issues.
+- When responding to support inquiries, double check your replies and make sure they are well written and typo-free. Always acknowledge inquiries quickly to make customers feel valued, and suggest a meeting or huddle if you need more clarity on their issues.
+- When customers raise support inquiries, always consider what could have been done to make the inquiry self-serve. Could adding a tooltip next to the relevant feature provide clarity? Maybe the documentation could be more detailed or better organized?
+- Document all of your notable support/findings/incidents/feature requests during on call so that it is easy to create your on call summary at the end of your on call shift.
+
+### Resources
+
+- [Pylon for support tickets](https://app.usepylon.com/issues)
+- [AWS Portal](https://infisical.awsapps.com/start/)
+- [View metrics on Grafana](https://grafana.infisical.com/)
+- [Metabase](https://analytics.internal.infisical.com/)
+- [Run books](https://www.notion.so/Runbooks-19e534883d6b4621b8c712194edbb687?pvs=21)
+- [On call summary template](/documentation/engineering/oncall-summery-template)

company/handbook/onboarding.mdx

@@ -19,7 +19,7 @@ Every new joiner has an onboarding buddy who should ideally be in the the same t
 1. Join the weekly all-hands meeting. It typically happens on Monday's at 8:30am PT.
 2. Ship something together on day one – even if tiny! It feels great to hit the ground running, with a development environment all ready to go.
 3. Check out the [Areas of Responsibility (AoR) Table](https://docs.google.com/spreadsheets/d/1RnXlGFg83Sgu0dh7ycuydsSobmFfI3A0XkGw7vrVxEI/edit?usp=sharing). This is helpful to know who you can ask about particular areas of Infisical. Feel free to add yourself to the areas you'd be most interesting to dive into.
-4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1RaJd3RoS2QpWLFHlgfHaXnHqCCwRt6mCGZkbJ75J_D0/edit?usp=sharing).
+4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1uV9IaahYwbZ5OuzDTFdQMSa1P0mpMOnetGB-xqf4G40).
 5. Update your LinkedIn profile with one of [Infisical's official banners](https://drive.google.com/drive/u/0/folders/1oSNWjbpRl9oNYwxM_98IqzKs9fAskrb2) (if you want to). You can also coordinate your social posts in the #marketing Slack channel, so that we can boost it from Infisical's official social media accounts.
 6. Over the first few weeks, feel free to schedule 1:1s with folks on the team to get to know them a bit better.
 7. Change your Slack username in the users channel to `[NAME] (Infisical)`.

company/mint.json

@@ -62,7 +62,13 @@
         "handbook/time-off",
         "handbook/hiring",
         "handbook/meetings",
-        "handbook/talking-to-customers"
+        "handbook/talking-to-customers",
+        {
+          "group": "Engineering",
+          "pages": [
+            "documentation/engineering/oncall"
+          ]
+        }
       ]
     }
   ],

docker-compose.dev.yml

@@ -144,9 +144,6 @@ services:
       - ./frontend/src:/app/src/ # mounted whole src to avoid missing reload on new files
       - ./frontend/public:/app/public
     env_file: .env
-    environment:
-      - NEXT_PUBLIC_ENV=development
-      - INFISICAL_TELEMETRY_ENABLED=false
 
   pgadmin:
     image: dpage/pgadmin4

docs/changelog/overview.mdx

@@ -4,6 +4,27 @@ title: "Changelog"
 
 The changelog below reflects new product developments and updates on a monthly basis.
 
+## December 2024
+- Added [GCP KMS](https://infisical.com/docs/documentation/platform/kms/overview) integration support.
+- Added support for [K8s CSI integration](https://infisical.com/docs/integrations/platforms/kubernetes-csi) and ability to point K8s operator to specific secret versions.
+- Fixed [Java SDK](https://github.com/Infisical/java-sdk) compatibility issues with Alpine Linux.
+- Fixed SCIM group role assignment issues.
+- Added Group View Page for improved team management.
+- Added instance URL to email verification for Infisical accounts.
+- Added ability to copy full path of nested folders.
+- Added custom templating support for K8s operator, allowing flexible secret key mapping and additional fields
+- Optimized secrets versions table performance.
+
+## November 2024
+- Improved EnvKey migration functionality with support for Blocks, Inheritance, and Branches.
+- Added [Hardware Security Module (HSM) Encryption](https://infisical.com/docs/documentation/platform/kms/hsm-integration) support.
+- Updated permissions handling in [Infisical Terraform Provider](https://registry.terraform.io/providers/Infisical/infisical/latest/docs) to use lists instead of sets.
+- Enhanced [SCIM](https://infisical.com/docs/documentation/platform/scim/overview) implementation to remove SAML dependency.
+- Enhanced [OIDC Authentication](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general) implementation and added Default Org Slug support.
+- Added support for multiple authentication methods per identity.
+- Added AWS Parameter Store integration sync improvements.
+- Added new screen and API for managing additional privileges.
+- Added Dynamic Secrets support for SQL Server.
 
 ## October 2024
 - Significantly improved performance of audit log operations in UI. 

docs/documentation/platform/dynamic-secrets/overview.mdx

@@ -4,6 +4,13 @@ sidebarTitle: "Overview"
 description: "Learn how to generate secrets dynamically on-demand."
 ---
 
+<Info>
+    Note that Dynamic Secrets is a paid feature.
+
+    If you're using Infisical Cloud, then it is available under the **Enterprise Tier** 
+    If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
+</Info>
+
 ## Introduction
 
 Contrary to static key-value secrets, which require manual input of data into the secure Infisical storage, **dynamic secrets are generated on-demand upon access**. 

docs/documentation/platform/pr-workflows.mdx

@@ -3,6 +3,13 @@ title: "Approval Workflows"
 description: "Learn how to enable a set of policies to manage changes to sensitive secrets and environments."
 ---
 
+<Info>
+    Approval Workflows is a paid feature.
+   
+    If you're using Infisical Cloud, then it is available under the **Pro Tier** and **Enterprise Tire**. 
+    If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
+</Info>
+
 ## Problem at hand
 
 Updating secrets in high-stakes environments (e.g., production) can have a number of problematic issues: 
@@ -40,4 +47,4 @@ When a user submits a change to an enviropnment that is under a particular polic
 
 Approvers are notified by email and/or Slack as soon as the request is initiated. In the Infisical Dashboard, they will be able to `approve` and `merge` (or `deny`) a request for a change in a particular environment. After that, depending on the workflows setup, the change will be automatically propagated to the right applications (e.g., using [Infisical Kubernetes Operator](https://infisical.com/docs/integrations/platforms/kubernetes)).
 
-![secrets update pull request](../../images/platform/pr-workflows/secret-update-pr.png)
+![secrets update pull request](../../images/platform/pr-workflows/secret-update-pr.png)

docs/documentation/platform/scim/azure.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow Azure to provision/deprovision users for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/scim/jumpcloud.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow JumpCloud to provision/deprovision users and user groups for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/scim/okta.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow Okta to provision/deprovision users and user groups for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/sso/auth0-saml.mdx

@@ -0,0 +1,93 @@
+---
+title: "Auth0 SAML"
+description: "Learn how to configure Auth0 SAML for Infisical SSO."
+---
+
+<Info>
+  Auth0 SAML SSO feature is a paid feature. If you're using Infisical Cloud,
+  then it is available under the **Pro Tier**. If you're self-hosting Infisical,
+  then you should contact sales@infisical.com to purchase an enterprise license
+  to use it.
+</Info>
+
+<Steps>
+   <Step title="Prepare the SAML SSO configuration in Infisical">
+        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Auth0, then click **Connect** again.
+
+        Next, note the **Application Callback URL** and **Audience** to use when configuring the Auth0 SAML application.
+
+        ![Auth0 SAML initial configuration](../../../images/sso/auth0-saml/init-config.png)
+
+   </Step>
+   <Step title="Create a SAML application in Auth0">
+        2.1. In your Auth0 account, head to Applications and create an application.
+        
+        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application.png)
+        
+        Select **Regular Web Application** and press **Create**.
+        
+        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application-2.png)
+        
+        2.2. In the Application head to Settings > Application URIs and add the **Application Callback URL** from step 1 into the **Allowed Callback URLs** field.
+        
+        ![Auth0 SAML allowed callback URLs](../../../images/sso/auth0-saml/auth0-config.png)
+        
+        2.3. In the Application head to Addons > SAML2 Web App and copy the **Issuer**, **Identity Provider Login URL**, and **Identity Provider Certificate** from the **Usage** tab.
+        
+        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-2.png)
+        
+        2.4. Back in Infisical, set **Issuer**, **Identity Provider Login URL**, and **Certificate** to the corresponding items from step 2.3.
+        
+        ![Auth0 SAML Infisical config](../../../images/sso/auth0-saml/infisical-config.png)
+        
+        2.5. Back in Auth0, in the **Settings** tab, set the **Application Callback URL** to the **Application Callback URL** from step 1
+        and update the **Settings** field with the JSON under the picture below (replacing `<audience-from-infisical>` with the **Audience** from step 1).
+        
+        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-3.png)
+        
+        ```json
+        {
+        "audience": "<audience-from-infisical>",
+        "mappings": {
+            "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
+            "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName",
+            "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName"
+        },
+        "signatureAlgorithm": "rsa-sha256",
+        "digestAlgorithm": "sha256",
+        "signResponse": true
+        }
+        ```
+
+        Click **Save**.
+    </Step>
+    <Step title="Enable SAML SSO in Infisical">
+        Enabling SAML SSO allows members in your organization to log into Infisical via Auth0.
+
+        ![Auth0 SAML enable](../../../images/sso/auth0-saml/enable-saml.png)
+    </Step>
+    <Step title="Enforce SAML SSO in Infisical">
+        Enforcing SAML SSO ensures that members in your organization can only access Infisical
+        by logging into the organization via Auth0.
+
+        To enforce SAML SSO, you're required to test out the SAML connection by successfully authenticating at least one Auth0 user with Infisical;
+        Once you've completed this requirement, you can toggle the **Enforce SAML SSO** button to enforce SAML SSO.
+    </Step>
+
+</Steps>
+
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
+<Note>
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
+</Note>

docs/documentation/platform/sso/azure.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Microsoft Entra ID for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Azure / Entra, then click **Connect** again.
 
       Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
 

docs/documentation/platform/sso/google-saml.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Google SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Google, then click **Connect** again.
 
         Next, note the **ACS URL** and **SP Entity ID** to use when configuring the Google SAML application.
 

docs/documentation/platform/sso/jumpcloud.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure JumpCloud SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select JumpCloud, then click **Connect** again.
 
       Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
 

docs/documentation/platform/sso/keycloak-saml.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Keycloak SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Manage**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Keycloak, then click **Connect** again.
       
       ![Keycloak SAML organization security section](../../../images/sso/keycloak/org-security-section.png)
       

docs/documentation/platform/sso/okta.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Okta SAML 2.0 for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Okta, then click **Connect** again.
       
       Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
       ![Okta SAML initial configuration](../../../images/sso/okta/init-config.png)

docs/documentation/platform/sso/overview.mdx

@@ -28,6 +28,7 @@ Infisical supports these and many other identity providers:
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)
 - [Keycloak SAML](/documentation/platform/sso/keycloak-saml)
 - [Google SAML](/documentation/platform/sso/google-saml)
+- [Auth0 SAML](/documentation/platform/sso/auth0-saml)
 - [Keycloak OIDC](/documentation/platform/sso/keycloak-oidc)
 - [Auth0 OIDC](/documentation/platform/sso/auth0-oidc)
 - [General OIDC](/documentation/platform/sso/general-oidc)

docs/integrations/cloud/aws-secret-manager.mdx

@@ -17,6 +17,7 @@ Prerequisites:
 If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
 
 The following steps are for instances not deployed on AWS
+
 <Steps>
     <Step title="Create an IAM User">
       Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
@@ -40,9 +41,10 @@ The following steps are for instances not deployed on AWS
 <Step title="Obtain the IAM User Credentials">
   Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.
 
-  ![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
-  ![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
-  ![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
+![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
+![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
+![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
+
 </Step>
 <Step title="Set Up Integration Keys">
   1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**.
@@ -59,6 +61,7 @@ The following steps are for instances not deployed on AWS
     2. Select **AWS Account** as the **Trusted Entity Type**.
     3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
     4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security.
+
   </Step>
 
   <Step title="Add Required Permissions for the IAM Role">
@@ -89,11 +92,13 @@ The following steps are for instances not deployed on AWS
       ]
     }
     ```
+
   </Step>
 
-  <Step title="Copy the AWS IAM Role ARN">
-    ![Copy IAM Role ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png)
-  </Step>
+<Step title="Copy the AWS IAM Role ARN">
+  ![Copy IAM Role
+  ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png)
+</Step>
 
   <Step title="Authorize Infisical for AWS Secrets Manager">
     1. Navigate to your project's integrations tab in Infisical.
@@ -104,6 +109,7 @@ The following steps are for instances not deployed on AWS
        ![Select Assume Role](../../images/integrations/aws/integration-aws-iam-assume-select.png)
 
     4. Provide the **AWS IAM Role ARN** obtained from the previous step.
+
   </Step>  <Step title="Start integration">
     Select how you want to integration to work by specifying a number of parameters:
 
@@ -127,6 +133,12 @@ The following steps are for instances not deployed on AWS
 
     Optionally, you can add tags or specify the encryption key of all the secrets created via this integration:
 
+    <ParamField path="Tag Sync Mode" type="string" optional>
+      The sync mode for AWS tags. The supported options are `Secret Metadata` and `Custom`. If `Secret Metadata` is selected,
+      the metadata of the Infisical secrets are used as tags in AWS. If custom is selected, then the key/value of the **Secret Tag** field is used. `Secret Metadata` mode
+      is only supported for one-to-one integrations.
+     </ParamField>
+
     <ParamField path="Secret Tag" type="string" optional>
       The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API.
     </ParamField>