test

test upload
2025-08-22 10:12:15 +00:00 · 2025-04-08 17:08:56 -04:00 · 2025-04-08 16:58:35 -04:00
881 changed files with 3864 additions and 25938 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,102 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main", "development" ]
+  pull_request:
+    branches: [ "main", "development" ]
+  schedule:
+    - cron: '33 7 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: go
+          build-mode: autobuild
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@@ -12,75 +12,75 @@ permissions:
  contents: write

 jobs:
-  cli-integration-tests:
-    name: Run tests before deployment
-    uses: ./.github/workflows/run-cli-tests.yml
-    secrets:
-      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+  # cli-integration-tests:
+  #   name: Run tests before deployment
+  #   uses: ./.github/workflows/run-cli-tests.yml
+  #   secrets:
+  #     CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+  #     CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+  #     CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+  #     CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+  #     CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+  #     CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+  #     CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+  #     CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

-  npm-release:
-    runs-on: ubuntu-latest
-    env:
-      working-directory: ./npm
-    needs:
-      - cli-integration-tests
-      - goreleaser
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
+  # npm-release:
+  #   runs-on: ubuntu-latest
+  #   env:
+  #     working-directory: ./npm
+  #   needs:
+  #     - cli-integration-tests
+  #     - goreleaser
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #       with:
+  #         fetch-depth: 0

-      - name: Extract version
-        run: |
-          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
-          echo "Version extracted: $VERSION"
-          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+  #     - name: Extract version
+  #       run: |
+  #         VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+  #         echo "Version extracted: $VERSION"
+  #         echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV

-      - name: Print version
-        run: echo ${{ env.CLI_VERSION }}
+  #     - name: Print version
+  #       run: echo ${{ env.CLI_VERSION }}

-      - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
-        with:
-          node-version: 20
-          cache: "npm"
-          cache-dependency-path: ./npm/package-lock.json
-      - name: Install dependencies
-        working-directory: ${{ env.working-directory }}
-        run: npm install --ignore-scripts
+  #     - name: Setup Node
+  #       uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+  #       with:
+  #         node-version: 20
+  #         cache: "npm"
+  #         cache-dependency-path: ./npm/package-lock.json
+  #     - name: Install dependencies
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm install --ignore-scripts

-      - name: Set NPM version
-        working-directory: ${{ env.working-directory }}
-        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+  #     - name: Set NPM version
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version

-      - name: Setup NPM
-        working-directory: ${{ env.working-directory }}
-        run: |
-          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+  #     - name: Setup NPM
+  #       working-directory: ${{ env.working-directory }}
+  #       run: |
+  #         echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+  #         echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc

-          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  #         echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+  #         echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+  #       env:
+  #         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

-      - name: Pack NPM
-        working-directory: ${{ env.working-directory }}
-        run: npm pack
+  #     - name: Pack NPM
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm pack

-      - name: Publish NPM
-        working-directory: ${{ env.working-directory }}
-        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  #     - name: Publish NPM
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+  #       env:
+  #         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  #         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  goreleaser:
    runs-on: ubuntu-latest
@@ -133,7 +133,7 @@ jobs:
      - name: Install deb-s3
        run: gem install deb-s3
      - name: Configure GPG Key
-        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --passphrase "$GPG_SIGNING_KEY_PASSPHRASE" --import
        env:
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
@@ -145,9 +145,3 @@ jobs:
          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-      - name: Invalidate Cloudfront cache
-        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -16,23 +16,23 @@ monorepo:
  dir: cli

 builds:
-  - id: darwin-build
-    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-    flags:
-      - -trimpath
-    env:
-      - CGO_ENABLED=1
-      - CC=/home/runner/work/osxcross/target/bin/o64-clang
-      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
-    goos:
-      - darwin
-    ignore:
-      - goos: darwin
-        goarch: "386"
-    dir: ./cli
+#   - id: darwin-build
+#     binary: infisical
+#     ldflags:
+#       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+#       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+#     flags:
+#       - -trimpath
+#     env:
+#       - CGO_ENABLED=1
+#       - CC=/home/runner/work/osxcross/target/bin/o64-clang
+#       - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
+#     goos:
+#       - darwin
+#     ignore:
+#       - goos: darwin
+#         goarch: "386"
+#     dir: ./cli

  - id: all-other-builds
    env:
@@ -44,11 +44,11 @@ builds:
    flags:
      - -trimpath
    goos:
-      - freebsd
+      # - freebsd
      - linux
-      - netbsd
-      - openbsd
-      - windows
+      # - netbsd
+      # - openbsd
+      # - windows
    goarch:
      - "386"
      - amd64
@@ -75,8 +75,10 @@ archives:
      - ../completions/*

 release:
-  replace_existing_draft: true
-  mode: "replace"
+  # replace_existing_draft: true
+  # mode: "replace"
+  disable: true
+  skip_upload: true

 checksum:
  name_template: "checksums.txt"
@@ -91,39 +93,39 @@ snapshot:
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/

-brews:
-  - name: infisical
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-  - name: "infisical@{{.Version}}"
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
+# brews:
+#   - name: infisical
+#     tap:
+#       owner: Infisical
+#       name: homebrew-get-cli
+#     commit_author:
+#       name: "Infisical"
+#       email: ai@infisical.com
+#     folder: Formula
+#     homepage: "https://infisical.com"
+#     description: "The official Infisical CLI"
+#     install: |-
+#       bin.install "infisical"
+#       bash_completion.install "completions/infisical.bash" => "infisical"
+#       zsh_completion.install "completions/infisical.zsh" => "_infisical"
+#       fish_completion.install "completions/infisical.fish"
+#       man1.install "manpages/infisical.1.gz"
+#   - name: "infisical@{{.Version}}"
+#     tap:
+#       owner: Infisical
+#       name: homebrew-get-cli
+#     commit_author:
+#       name: "Infisical"
+#       email: ai@infisical.com
+#     folder: Formula
+#     homepage: "https://infisical.com"
+#     description: "The official Infisical CLI"
+#     install: |-
+#       bin.install "infisical"
+#       bash_completion.install "completions/infisical.bash" => "infisical"
+#       zsh_completion.install "completions/infisical.zsh" => "_infisical"
+#       fish_completion.install "completions/infisical.fish"
+#       man1.install "manpages/infisical.1.gz"

 nfpms:
  - id: infisical
@@ -136,10 +138,10 @@ nfpms:
    description: The offical Infisical CLI
    license: MIT
    formats:
-      - rpm
+      # - rpm
      - deb
-      - apk
-      - archlinux
+      # - apk
+      # - archlinux
    bindir: /usr/bin
    contents:
      - src: ./completions/infisical.bash
@@ -151,91 +153,73 @@ nfpms:
      - src: ./manpages/infisical.1.gz
        dst: /usr/share/man/man1/infisical.1.gz

-scoop:
-  bucket:
-    owner: Infisical
-    name: scoop-infisical
-  commit_author:
-    name: "Infisical"
-    email: ai@infisical.com
-  homepage: "https://infisical.com"
-  description: "The official Infisical CLI"
-  license: MIT
+# scoop:
+#   bucket:
+#     owner: Infisical
+#     name: scoop-infisical
+#   commit_author:
+#     name: "Infisical"
+#     email: ai@infisical.com
+#   homepage: "https://infisical.com"
+#   description: "The official Infisical CLI"
+#   license: MIT

-winget:
-  - name: infisical
-    publisher: infisical
-    license: MIT
-    homepage: https://infisical.com
-    short_description: "The official Infisical CLI"
-    repository:
-      owner: infisical
-      name: winget-pkgs
-      branch: "infisical-{{.Version}}"
-      pull_request:
-        enabled: true
-        draft: false
-        base:
-          owner: microsoft
-          name: winget-pkgs
-          branch: master
+# aurs:
+#   - name: infisical-bin
+#     homepage: "https://infisical.com"
+#     description: "The official Infisical CLI"
+#     maintainers:
+#       - Infisical, Inc <support@infisical.com>
+#     license: MIT
+#     private_key: "{{ .Env.AUR_KEY }}"
+#     git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+#     package: |-
+#       # bin
+#       install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+#       # license
+#       install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+#       # completions
+#       mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+#       mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+#       mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+#       install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+#       install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+#       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+#       # man pages
+#       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

-aurs:
-  - name: infisical-bin
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    maintainers:
-      - Infisical, Inc <support@infisical.com>
-    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
-    package: |-
-      # bin
-      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
-      # license
-      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
-      # completions
-      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
-      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
-      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
-      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
-      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
-      # man pages
-      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+# dockers:
+#   - dockerfile: docker/alpine
+#     goos: linux
+#     goarch: amd64
+#     use: buildx
+#     ids:
+#       - all-other-builds
+#     image_templates:
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+#       - "infisical/cli:latest-amd64"
+#     build_flag_templates:
+#       - "--pull"
+#       - "--platform=linux/amd64"
+#   - dockerfile: docker/alpine
+#     goos: linux
+#     goarch: amd64
+#     use: buildx
+#     ids:
+#       - all-other-builds
+#     image_templates:
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+#       - "infisical/cli:latest-arm64"
+#     build_flag_templates:
+#       - "--pull"
+#       - "--platform=linux/arm64"

-dockers:
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    use: buildx
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
-      - "infisical/cli:latest-amd64"
-    build_flag_templates:
-      - "--pull"
-      - "--platform=linux/amd64"
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    use: buildx
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
-      - "infisical/cli:latest-arm64"
-    build_flag_templates:
-      - "--pull"
-      - "--platform=linux/arm64"
-
-docker_manifests:
-  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
-  - name_template: "infisical/cli:latest"
-    image_templates:
-      - "infisical/cli:latest-amd64"
-      - "infisical/cli:latest-arm64"
+# docker_manifests:
+#   - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+#     image_templates:
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+#   - name_template: "infisical/cli:latest"
+#     image_templates:
+#       - "infisical/cli:latest-amd64"
+#       - "infisical/cli:latest-arm64"
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -14,13 +14,3 @@ docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
 frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
 k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
 k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52
-backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts:generic-api-key:125
-frontend/src/components/permissions/AccessTree/nodes/RoleNode.tsx:generic-api-key:67
-frontend/src/components/secret-rotations-v2/RotateSecretRotationV2Modal.tsx:generic-api-key:14
-frontend/src/components/secret-rotations-v2/SecretRotationV2StatusBadge.tsx:generic-api-key:11
-frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewSecretRotationV2GeneratedCredentials.tsx:generic-api-key:23
-frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:28
-frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:65
-frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx:generic-api-key:26
-docs/documentation/platform/kms/overview.mdx:generic-api-key:281
-docs/documentation/platform/kms/overview.mdx:generic-api-key:344
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Dashboard](https://infisical.com/docs/documentation/platform/project)**: Manage secrets across projects and environments (e.g. development, production, etc.) through a user-friendly interface.
 - **[Native Integrations](https://infisical.com/docs/integrations/overview)**: Sync secrets to platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and use tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)**: Keep track of every secret and project state; roll back when needed.
- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres-credentials), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
+- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
 - **[Dynamic Secrets](https://infisical.com/docs/documentation/platform/dynamic-secrets/overview)**: Generate ephemeral secrets on-demand for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/postgresql), [MySQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/mysql), [RabbitMQ](https://infisical.com/docs/documentation/platform/dynamic-secrets/rabbit-mq), and more.
 - **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)**: Prevent secrets from leaking to git.
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -8,8 +8,7 @@ RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
-    openssh-client \
-    openssl 
+    openssh-client

 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@@ -19,7 +19,6 @@ RUN apt-get update && apt-get install -y \
    make \
    g++ \
    openssh-client \
-    openssl \
    curl \
    pkg-config

--- a/backend/e2e-test/mocks/keystore.ts
+++ b/backend/e2e-test/mocks/keystore.ts
@@ -9,7 +9,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
      store[key] = value;
      return "OK";
    },
-    setExpiry: async () => 0,
    setItemWithExpiry: async (key, value) => {
      store[key] = value;
      return "OK";
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -104,7 +104,6 @@
        "pkijs": "^3.2.4",
        "posthog-node": "^3.6.2",
        "probot": "^13.3.8",
-        "re2": "^1.21.4",
        "safe-regex": "^2.1.1",
        "scim-patch": "^0.8.3",
        "scim2-parse-filter": "^0.2.10",
@@ -133,7 +132,7 @@
        "@types/jsrp": "^0.2.6",
        "@types/libsodium-wrappers": "^0.7.13",
        "@types/lodash.isequal": "^4.5.8",
-        "@types/node": "^20.17.30",
+        "@types/node": "^20.9.5",
        "@types/nodemailer": "^6.4.14",
        "@types/passport-github": "^1.1.12",
        "@types/passport-google-oauth20": "^2.0.14",
@@ -6861,79 +6860,6 @@
        "node": ">= 8"
      }
    },
-    "node_modules/@npmcli/agent": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/@npmcli/agent/-/agent-2.2.2.tgz",
-      "integrity": "sha512-OrcNPXdpSl9UX7qPVRWbmWMCSXrcDa2M9DvrbOTj7ao1S4PlqVFYv9/yLKMkrJKZ/V5A/kDBC690or307i26Og==",
-      "license": "ISC",
-      "dependencies": {
-        "agent-base": "^7.1.0",
-        "http-proxy-agent": "^7.0.0",
-        "https-proxy-agent": "^7.0.1",
-        "lru-cache": "^10.0.1",
-        "socks-proxy-agent": "^8.0.3"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/agent-base": {
-      "version": "7.1.3",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.3.tgz",
-      "integrity": "sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/debug": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/https-proxy-agent": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz",
-      "integrity": "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "^7.1.2",
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/lru-cache": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
-      "license": "ISC"
-    },
-    "node_modules/@npmcli/fs": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/@npmcli/fs/-/fs-3.1.1.tgz",
-      "integrity": "sha512-q9CRWjpHCMIh5sVyefoD1cA7PkvILqCZsnSOEUUivORLjxCO/Irmue2DprETiNgEqktDBZaM1Bi+jrarx1XdCg==",
-      "license": "ISC",
-      "dependencies": {
-        "semver": "^7.3.5"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
    "node_modules/@octokit/auth-app": {
      "version": "7.1.1",
      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-7.1.1.tgz",
@@ -9827,12 +9753,11 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "20.17.30",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.17.30.tgz",
-      "integrity": "sha512-7zf4YyHA+jvBNfVrk2Gtvs6x7E8V+YDW05bNfG2XkWDJfYRXrTiP/DsB2zSYTaHX0bGIujTBQdMVAhb+j7mwpg==",
-      "license": "MIT",
+      "version": "20.9.5",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.9.5.tgz",
+      "integrity": "sha512-Uq2xbNq0chGg+/WQEU0LJTSs/1nKxz6u1iemLcGomkSnKokbW1fbLqc3HOqCf2JP7KjlL4QkS7oZZTrOQHQYgQ==",
      "dependencies": {
-        "undici-types": "~6.19.2"
+        "undici-types": "~5.26.4"
      }
    },
    "node_modules/@types/node-fetch": {
@@ -11937,115 +11862,6 @@
        "node": ">=8"
      }
    },
-    "node_modules/cacache": {
-      "version": "18.0.4",
-      "resolved": "https://registry.npmjs.org/cacache/-/cacache-18.0.4.tgz",
-      "integrity": "sha512-B+L5iIa9mgcjLbliir2th36yEwPftrzteHYujzsx3dFP/31GCHcIeS8f5MGd80odLOjaOvSpU3EEAmRQptkxLQ==",
-      "license": "ISC",
-      "dependencies": {
-        "@npmcli/fs": "^3.1.0",
-        "fs-minipass": "^3.0.0",
-        "glob": "^10.2.2",
-        "lru-cache": "^10.0.1",
-        "minipass": "^7.0.3",
-        "minipass-collect": "^2.0.1",
-        "minipass-flush": "^1.0.5",
-        "minipass-pipeline": "^1.2.4",
-        "p-map": "^4.0.0",
-        "ssri": "^10.0.0",
-        "tar": "^6.1.11",
-        "unique-filename": "^3.0.0"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
-    "node_modules/cacache/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/cacache/node_modules/fs-minipass": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-3.0.3.tgz",
-      "integrity": "sha512-XUBA9XClHbnJWSfBzjkm6RvPsyg3sryZt06BEQoXcF7EK/xpGaQYJgQKDJSUH5SGZ76Y7pFx1QBnXz09rU5Fbw==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.3"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/cacache/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/cacache/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/cacache/node_modules/lru-cache": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
-      "license": "ISC"
-    },
-    "node_modules/cacache/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/cacache/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
    "node_modules/call-bind": {
      "version": "1.0.7",
      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
@@ -13025,16 +12841,6 @@
        "node": ">= 0.8"
      }
    },
-    "node_modules/encoding": {
-      "version": "0.1.13",
-      "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz",
-      "integrity": "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "iconv-lite": "^0.6.2"
-      }
-    },
    "node_modules/end-of-stream": {
      "version": "1.4.4",
      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
@@ -13067,21 +12873,6 @@
        "url": "https://github.com/fb55/entities?sponsor=1"
      }
    },
-    "node_modules/env-paths": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz",
-      "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/err-code": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz",
-      "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==",
-      "license": "MIT"
-    },
    "node_modules/error-ex": {
      "version": "1.3.2",
      "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz",
@@ -13852,12 +13643,6 @@
        "node": ">=0.10.0"
      }
    },
-    "node_modules/exponential-backoff": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/exponential-backoff/-/exponential-backoff-3.1.2.tgz",
-      "integrity": "sha512-8QxYTVXUkuy7fIIoitQkPwGonB8F3Zj8eEO8Sqg9Zv/bkI7RJAzowee4gr81Hak/dUTpA2Z7VfQgoijjPNlUZA==",
-      "license": "Apache-2.0"
-    },
    "node_modules/express": {
      "version": "4.21.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
@@ -15435,12 +15220,6 @@
      ],
      "license": "MIT"
    },
-    "node_modules/http-cache-semantics": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz",
-      "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==",
-      "license": "BSD-2-Clause"
-    },
    "node_modules/http-errors": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
@@ -15623,6 +15402,7 @@
      "version": "0.1.4",
      "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
      "integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==",
+      "dev": true,
      "engines": {
        "node": ">=0.8.19"
      }
@@ -15655,16 +15435,6 @@
      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
      "dev": true
    },
-    "node_modules/install-artifact-from-github": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/install-artifact-from-github/-/install-artifact-from-github-1.3.5.tgz",
-      "integrity": "sha512-gZHC7f/cJgXz7MXlHFBxPVMsvIbev1OQN1uKQYKVJDydGNm9oYf9JstbU4Atnh/eSvk41WtEovoRm+8IF686xg==",
-      "license": "BSD-3-Clause",
-      "bin": {
-        "install-from-cache": "bin/install-from-cache.js",
-        "save-to-github-cache": "bin/save-to-github-cache.js"
-      }
-    },
    "node_modules/internal-slot": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.6.tgz",
@@ -15747,19 +15517,6 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
-    "node_modules/ip-address": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz",
-      "integrity": "sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==",
-      "license": "MIT",
-      "dependencies": {
-        "jsbn": "1.1.0",
-        "sprintf-js": "^1.1.3"
-      },
-      "engines": {
-        "node": ">= 12"
-      }
-    },
    "node_modules/ip-num": {
      "version": "1.5.1",
      "resolved": "https://registry.npmjs.org/ip-num/-/ip-num-1.5.1.tgz",
@@ -15959,12 +15716,6 @@
        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
-    "node_modules/is-lambda": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz",
-      "integrity": "sha512-z7CMFGNrENq5iFB9Bqo64Xk6Y9sg+epq1myIcdHaGnbMTYOxvzsEtdYqQUylB7LxfkvgrrjP32T6Ywciio9UIQ==",
-      "license": "MIT"
-    },
    "node_modules/is-negative-zero": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/is-negative-zero/-/is-negative-zero-2.0.2.tgz",
@@ -17108,38 +16859,6 @@
      "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
      "dev": true
    },
-    "node_modules/make-fetch-happen": {
-      "version": "13.0.1",
-      "resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-13.0.1.tgz",
-      "integrity": "sha512-cKTUFc/rbKUd/9meOvgrpJ2WrNzymt6jfRDdwg5UCnVzv9dTpEj9JS5m3wtziXVCjluIXyL8pcaukYqezIzZQA==",
-      "license": "ISC",
-      "dependencies": {
-        "@npmcli/agent": "^2.0.0",
-        "cacache": "^18.0.0",
-        "http-cache-semantics": "^4.1.1",
-        "is-lambda": "^1.0.1",
-        "minipass": "^7.0.2",
-        "minipass-fetch": "^3.0.0",
-        "minipass-flush": "^1.0.5",
-        "minipass-pipeline": "^1.2.4",
-        "negotiator": "^0.6.3",
-        "proc-log": "^4.2.0",
-        "promise-retry": "^2.0.1",
-        "ssri": "^10.0.0"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
-    "node_modules/make-fetch-happen/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
    "node_modules/math-intrinsics": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
@@ -17313,125 +17032,6 @@
        "node": ">=8"
      }
    },
-    "node_modules/minipass-collect": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/minipass-collect/-/minipass-collect-2.0.1.tgz",
-      "integrity": "sha512-D7V8PO9oaz7PWGLbCACuI1qEOsq7UKfLotx/C0Aet43fCUB/wfQ7DYeq2oR/svFJGYDHPr38SHATeaj/ZoKHKw==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.3"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minipass-collect/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minipass-fetch": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-3.0.5.tgz",
-      "integrity": "sha512-2N8elDQAtSnFV0Dk7gt15KHsS0Fyz6CbYZ360h0WTYV1Ty46li3rAXVOQj1THMNLdmrD9Vt5pBPtWtVkpwGBqg==",
-      "license": "MIT",
-      "dependencies": {
-        "minipass": "^7.0.3",
-        "minipass-sized": "^1.0.3",
-        "minizlib": "^2.1.2"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      },
-      "optionalDependencies": {
-        "encoding": "^0.1.13"
-      }
-    },
-    "node_modules/minipass-fetch/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minipass-flush": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/minipass-flush/-/minipass-flush-1.0.5.tgz",
-      "integrity": "sha512-JmQSYYpPUqX5Jyn1mXaRwOda1uQ8HP5KAT/oDSLCzt1BYRhQU0/hDtsB1ufZfEEzMZ9aAVmsBw8+FWsIXlClWw==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/minipass-flush/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-pipeline": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/minipass-pipeline/-/minipass-pipeline-1.2.4.tgz",
-      "integrity": "sha512-xuIq7cIOt09RPRJ19gdi4b+RiNvDFYe5JH+ggNvBqGqpQXcru3PcRmOZuHBKWK1Txf9+cQ+HMVN4d6z46LZP7A==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-pipeline/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-sized": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/minipass-sized/-/minipass-sized-1.0.3.tgz",
-      "integrity": "sha512-MbkQQ2CTiBMlA2Dm/5cY+9SWFEN8pzzOXi6rlM5Xxq0Yqbda5ZQy9sU75a673FE9ZK0Zsbr6Y5iP6u9nktfg2g==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-sized/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
    "node_modules/minizlib": {
      "version": "2.1.2",
      "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz",
@@ -17753,12 +17353,6 @@
        "node": ">=12"
      }
    },
-    "node_modules/nan": {
-      "version": "2.22.2",
-      "resolved": "https://registry.npmjs.org/nan/-/nan-2.22.2.tgz",
-      "integrity": "sha512-DANghxFkS1plDdRsX0X9pm0Z6SJNN6gBdtXfanwoZ8hooC5gosGFSBGRYHUVPz1asKA/kMRqDRdHrluZ61SpBQ==",
-      "license": "MIT"
-    },
    "node_modules/nanoid": {
      "version": "3.3.8",
      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
@@ -17849,30 +17443,6 @@
        }
      }
    },
-    "node_modules/node-gyp": {
-      "version": "10.3.1",
-      "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-10.3.1.tgz",
-      "integrity": "sha512-Pp3nFHBThHzVtNY7U6JfPjvT/DTE8+o/4xKsLQtBoU+j2HLsGlhcfzflAoUreaJbNmYnX+LlLi0qjV8kpyO6xQ==",
-      "license": "MIT",
-      "dependencies": {
-        "env-paths": "^2.2.0",
-        "exponential-backoff": "^3.1.1",
-        "glob": "^10.3.10",
-        "graceful-fs": "^4.2.6",
-        "make-fetch-happen": "^13.0.0",
-        "nopt": "^7.0.0",
-        "proc-log": "^4.1.0",
-        "semver": "^7.3.5",
-        "tar": "^6.2.1",
-        "which": "^4.0.0"
-      },
-      "bin": {
-        "node-gyp": "bin/node-gyp.js"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
    "node_modules/node-gyp-build": {
      "version": "3.9.0",
      "resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-3.9.0.tgz",
@@ -17894,122 +17464,6 @@
        "node-gyp-build-optional-packages-test": "build-test.js"
      }
    },
-    "node_modules/node-gyp/node_modules/abbrev": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-2.0.0.tgz",
-      "integrity": "sha512-6/mh1E2u2YgEsCHdY0Yx5oW+61gZU+1vXaoiHHrpKeuRNNgFvS+/jrwHiQhB5apAf5oB7UB7E19ol2R2LKH8hQ==",
-      "license": "ISC",
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/node-gyp/node_modules/isexe": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/isexe/-/isexe-3.1.1.tgz",
-      "integrity": "sha512-LpB/54B+/2J5hqQ7imZHfdU31OlgQqx7ZicVlkm9kzg9/w8GKLEcFfJl/t7DCEDueOyBAD6zCCwTO6Fzs0NoEQ==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16"
-      }
-    },
-    "node_modules/node-gyp/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/node-gyp/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/node-gyp/node_modules/nopt": {
-      "version": "7.2.1",
-      "resolved": "https://registry.npmjs.org/nopt/-/nopt-7.2.1.tgz",
-      "integrity": "sha512-taM24ViiimT/XntxbPyJQzCG+p4EKOpgD3mxFwW38mGjVUrfERQOeY4EDHjdnptttfHuHQXFx+lTP08Q+mLa/w==",
-      "license": "ISC",
-      "dependencies": {
-        "abbrev": "^2.0.0"
-      },
-      "bin": {
-        "nopt": "bin/nopt.js"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/which": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/which/-/which-4.0.0.tgz",
-      "integrity": "sha512-GlaYyEb07DPxYCKhKzplCWBJtvxZcZMrL+4UkrTSJHHPyZU4mYYTv3qaOe77H7EODLSSopAUFAc6W8U4yqvscg==",
-      "license": "ISC",
-      "dependencies": {
-        "isexe": "^3.1.1"
-      },
-      "bin": {
-        "node-which": "bin/which.js"
-      },
-      "engines": {
-        "node": "^16.13.0 || >=18.0.0"
-      }
-    },
    "node_modules/node-releases": {
      "version": "2.0.14",
      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.14.tgz",
@@ -18670,21 +18124,6 @@
        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
-    "node_modules/p-map": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/p-map/-/p-map-4.0.0.tgz",
-      "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==",
-      "license": "MIT",
-      "dependencies": {
-        "aggregate-error": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/p-queue": {
      "version": "6.6.2",
      "resolved": "https://registry.npmjs.org/p-queue/-/p-queue-6.6.2.tgz",
@@ -19762,15 +19201,6 @@
        "real-require": "^0.2.0"
      }
    },
-    "node_modules/proc-log": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/proc-log/-/proc-log-4.2.0.tgz",
-      "integrity": "sha512-g8+OnU/L2v+wyiVK+D5fA34J7EH8jZ8DDlvwhRCMxmMj7UCBvxiO1mGeN+36JXIKF4zevU4kRBd8lVgG9vLelA==",
-      "license": "ISC",
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
    "node_modules/process": {
      "version": "0.11.10",
      "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
@@ -19799,28 +19229,6 @@
        "node": ">=0.4.0"
      }
    },
-    "node_modules/promise-retry": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz",
-      "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==",
-      "license": "MIT",
-      "dependencies": {
-        "err-code": "^2.0.2",
-        "retry": "^0.12.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/promise-retry/node_modules/retry": {
-      "version": "0.12.0",
-      "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz",
-      "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4"
-      }
-    },
    "node_modules/prompt-sync": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/prompt-sync/-/prompt-sync-4.2.0.tgz",
@@ -20092,18 +19500,6 @@
        "node": ">=0.10.0"
      }
    },
-    "node_modules/re2": {
-      "version": "1.21.4",
-      "resolved": "https://registry.npmjs.org/re2/-/re2-1.21.4.tgz",
-      "integrity": "sha512-MVIfXWJmsP28mRsSt8HeL750ifb8H5+oF2UDIxGaiJCr8fkMqhLZ7kcX9ADRk2dC8qeGKedB7UVYRfBVpEiLfA==",
-      "hasInstallScript": true,
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "install-artifact-from-github": "^1.3.5",
-        "nan": "^2.20.0",
-        "node-gyp": "^10.2.0"
-      }
-    },
    "node_modules/react-is": {
      "version": "18.2.0",
      "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz",
@@ -20685,6 +20081,11 @@
        "undici-types": "~6.19.2"
      }
    },
+    "node_modules/scim-patch/node_modules/undici-types": {
+      "version": "6.19.8",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
+      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw=="
+    },
    "node_modules/scim2-parse-filter": {
      "version": "0.2.10",
      "resolved": "https://registry.npmjs.org/scim2-parse-filter/-/scim2-parse-filter-0.2.10.tgz",
@@ -21025,16 +20426,6 @@
        "node": ">=8"
      }
    },
-    "node_modules/smart-buffer": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
-      "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 6.0.0",
-        "npm": ">= 3.0.0"
-      }
-    },
    "node_modules/smee-client": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/smee-client/-/smee-client-2.0.0.tgz",
@@ -21238,60 +20629,6 @@
        "uuid": "dist/bin/uuid"
      }
    },
-    "node_modules/socks": {
-      "version": "2.8.4",
-      "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.4.tgz",
-      "integrity": "sha512-D3YaD0aRxR3mEcqnidIs7ReYJFVzWdd6fXJYUM8ixcQcJRGTka/b3saV0KflYhyVJXKhb947GndU35SxYNResQ==",
-      "license": "MIT",
-      "dependencies": {
-        "ip-address": "^9.0.5",
-        "smart-buffer": "^4.2.0"
-      },
-      "engines": {
-        "node": ">= 10.0.0",
-        "npm": ">= 3.0.0"
-      }
-    },
-    "node_modules/socks-proxy-agent": {
-      "version": "8.0.5",
-      "resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-8.0.5.tgz",
-      "integrity": "sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "^7.1.2",
-        "debug": "^4.3.4",
-        "socks": "^2.8.3"
-      },
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/socks-proxy-agent/node_modules/agent-base": {
-      "version": "7.1.3",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.3.tgz",
-      "integrity": "sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/socks-proxy-agent/node_modules/debug": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
    "node_modules/sonic-boom": {
      "version": "3.7.0",
      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-3.7.0.tgz",
@@ -21347,27 +20684,6 @@
        "node": ">= 0.6"
      }
    },
-    "node_modules/ssri": {
-      "version": "10.0.6",
-      "resolved": "https://registry.npmjs.org/ssri/-/ssri-10.0.6.tgz",
-      "integrity": "sha512-MGrFH9Z4NP9Iyhqn16sDtBpRRNJ0Y2hNa6D65h736fVSaPCHr4DM4sWUNvVaSuC+0OBGhwsrydQwmgfg5LncqQ==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.3"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/ssri/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
    "node_modules/stack-trace": {
      "version": "0.0.10",
      "resolved": "https://registry.npmjs.org/stack-trace/-/stack-trace-0.0.10.tgz",
@@ -23126,9 +22442,9 @@
      }
    },
    "node_modules/undici-types": {
-      "version": "6.19.8",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
-      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw=="
+      "version": "5.26.5",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
+      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
    },
    "node_modules/unicode-canonical-property-names-ecmascript": {
      "version": "2.0.0",
@@ -23170,30 +22486,6 @@
        "node": ">=4"
      }
    },
-    "node_modules/unique-filename": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/unique-filename/-/unique-filename-3.0.0.tgz",
-      "integrity": "sha512-afXhuC55wkAmZ0P18QsVE6kp8JaxrEokN2HGIoIVv2ijHQd419H0+6EigAFcIzXeMIkcIkNBpB3L/DXB3cTS/g==",
-      "license": "ISC",
-      "dependencies": {
-        "unique-slug": "^4.0.0"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/unique-slug": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/unique-slug/-/unique-slug-4.0.0.tgz",
-      "integrity": "sha512-WrcA6AyEfqDX5bWige/4NQfPZMtASNVxdmWR76WESYQVAACSgWcR6e9i0mofqqBxYFtL4oAxPIptY73/0YE1DQ==",
-      "license": "ISC",
-      "dependencies": {
-        "imurmurhash": "^0.1.4"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
    "node_modules/universal-github-app-jwt": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-2.2.0.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -89,7 +89,7 @@
    "@types/jsrp": "^0.2.6",
    "@types/libsodium-wrappers": "^0.7.13",
    "@types/lodash.isequal": "^4.5.8",
-    "@types/node": "^20.17.30",
+    "@types/node": "^20.9.5",
    "@types/nodemailer": "^6.4.14",
    "@types/passport-github": "^1.1.12",
    "@types/passport-google-oauth20": "^2.0.14",
@@ -221,7 +221,6 @@
    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
    "probot": "^13.3.8",
-    "re2": "^1.21.4",
    "safe-regex": "^2.1.1",
    "scim-patch": "^0.8.3",
    "scim2-parse-filter": "^0.2.10",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -38,7 +38,6 @@ import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
-import { TSshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
@@ -136,7 +135,7 @@ declare module "fastify" {
    rateLimits: RateLimitConfiguration;
    // passport data
    passportUser: {
-      isUserCompleted: boolean;
+      isUserCompleted: string;
      providerAuthToken: string;
    };
    kmipUser: {
@@ -207,7 +206,6 @@ declare module "fastify" {
      certificateTemplate: TCertificateTemplateServiceFactory;
      sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
      sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
-      sshHost: TSshHostServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -232,9 +232,6 @@ import {
  TProjectSplitBackfillIds,
  TProjectSplitBackfillIdsInsert,
  TProjectSplitBackfillIdsUpdate,
-  TProjectSshConfigs,
-  TProjectSshConfigsInsert,
-  TProjectSshConfigsUpdate,
  TProjectsUpdate,
  TProjectTemplates,
  TProjectTemplatesInsert,
@@ -383,15 +380,6 @@ import {
  TSshCertificateTemplates,
  TSshCertificateTemplatesInsert,
  TSshCertificateTemplatesUpdate,
-  TSshHostLoginUserMappings,
-  TSshHostLoginUserMappingsInsert,
-  TSshHostLoginUserMappingsUpdate,
-  TSshHostLoginUsers,
-  TSshHostLoginUsersInsert,
-  TSshHostLoginUsersUpdate,
-  TSshHosts,
-  TSshHostsInsert,
-  TSshHostsUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
@@ -437,7 +425,6 @@ declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
-    [TableName.SshHost]: KnexOriginal.CompositeTableType<TSshHosts, TSshHostsInsert, TSshHostsUpdate>;
    [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
      TSshCertificateAuthorities,
      TSshCertificateAuthoritiesInsert,
@@ -463,16 +450,6 @@ declare module "knex/types/tables" {
      TSshCertificateBodiesInsert,
      TSshCertificateBodiesUpdate
    >;
-    [TableName.SshHostLoginUser]: KnexOriginal.CompositeTableType<
-      TSshHostLoginUsers,
-      TSshHostLoginUsersInsert,
-      TSshHostLoginUsersUpdate
-    >;
-    [TableName.SshHostLoginUserMapping]: KnexOriginal.CompositeTableType<
-      TSshHostLoginUserMappings,
-      TSshHostLoginUserMappingsInsert,
-      TSshHostLoginUserMappingsUpdate
-    >;
    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
      TCertificateAuthorities,
      TCertificateAuthoritiesInsert,
@@ -577,11 +554,6 @@ declare module "knex/types/tables" {
    [TableName.SuperAdmin]: KnexOriginal.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
    [TableName.ApiKey]: KnexOriginal.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
    [TableName.Project]: KnexOriginal.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
-    [TableName.ProjectSshConfig]: KnexOriginal.CompositeTableType<
-      TProjectSshConfigs,
-      TProjectSshConfigsInsert,
-      TProjectSshConfigsUpdate
-    >;
    [TableName.ProjectMembership]: KnexOriginal.CompositeTableType<
      TProjectMemberships,
      TProjectMembershipsInsert,
--- a/backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts
+++ b/backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts
@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { KmsKeyUsage } from "@app/services/kms/kms-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
-
-  if (!hasKeyUsageColumn) {
-    await knex.schema.alterTable(TableName.KmsKey, (t) => {
-      t.string("keyUsage").notNullable().defaultTo(KmsKeyUsage.ENCRYPT_DECRYPT);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
-
-  if (hasKeyUsageColumn) {
-    await knex.schema.alterTable(TableName.KmsKey, (t) => {
-      t.dropColumn("keyUsage");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250404022310_ssh-ca-key-source.ts
+++ b/backend/src/db/migrations/20250404022310_ssh-ca-key-source.ts
@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource"))) {
-    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
-      t.string("keySource");
-    });
-
-    // Backfilling the keySource to internal
-    await knex(TableName.SshCertificateAuthority).update({ keySource: "internal" });
-
-    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
-      t.string("keySource").notNullable().alter();
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SshCertificate, "sshCaId")) {
-    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
-      t.uuid("sshCaId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource")) {
-    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
-      t.dropColumn("keySource");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250405185753_ssh-mgmt-v2.ts
+++ b/backend/src/db/migrations/20250405185753_ssh-mgmt-v2.ts
@@ -1,93 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SshHost))) {
-    await knex.schema.createTable(TableName.SshHost, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("hostname").notNullable();
-      t.string("userCertTtl").notNullable();
-      t.string("hostCertTtl").notNullable();
-      t.uuid("userSshCaId").notNullable();
-      t.foreign("userSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.uuid("hostSshCaId").notNullable();
-      t.foreign("hostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.unique(["projectId", "hostname"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHost);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshHostLoginUser))) {
-    await knex.schema.createTable(TableName.SshHostLoginUser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshHostId").notNullable();
-      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("CASCADE");
-      t.string("loginUser").notNullable(); // e.g. ubuntu, root, ec2-user, ...
-      t.unique(["sshHostId", "loginUser"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHostLoginUser);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshHostLoginUserMapping))) {
-    await knex.schema.createTable(TableName.SshHostLoginUserMapping, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshHostLoginUserId").notNullable();
-      t.foreign("sshHostLoginUserId").references("id").inTable(TableName.SshHostLoginUser).onDelete("CASCADE");
-      t.uuid("userId").nullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.unique(["sshHostLoginUserId", "userId"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectSshConfig))) {
-    // new table to store configuration for projects of type SSH (i.e. Infisical SSH)
-    await knex.schema.createTable(TableName.ProjectSshConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("defaultUserSshCaId");
-      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.uuid("defaultHostSshCaId");
-      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-    });
-    await createOnUpdateTrigger(knex, TableName.ProjectSshConfig);
-  }
-
-  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
-  if (!hasColumn) {
-    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
-      t.uuid("sshHostId").nullable();
-      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectSshConfig);
-  await dropOnUpdateTrigger(knex, TableName.ProjectSshConfig);
-
-  await knex.schema.dropTableIfExists(TableName.SshHostLoginUserMapping);
-  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
-
-  await knex.schema.dropTableIfExists(TableName.SshHostLoginUser);
-  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUser);
-
-  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
-      t.dropColumn("sshHostId");
-    });
-  }
-
-  await knex.schema.dropTableIfExists(TableName.SshHost);
-  await dropOnUpdateTrigger(knex, TableName.SshHost);
-}
--- a/backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts
+++ b/backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts
@@ -1,20 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId"))) {
-    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("dynamicSecretId");
-      tb.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId")) {
-    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
-      tb.dropColumn("dynamicSecretId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250410203010_add-comment-to-access-request.ts
+++ b/backend/src/db/migrations/20250410203010_add-comment-to-access-request.ts
@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.string("note").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("note");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts
+++ b/backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts
@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
-      t.boolean("expiryNotificationSent").defaultTo(false);
-    });
-
-    // Update only tokens where expiresAt is before current time
-    await knex(TableName.ServiceToken)
-      .whereRaw(`${TableName.ServiceToken}."expiresAt" < NOW()`)
-      .whereNotNull("expiresAt")
-      .update({ expiryNotificationSent: true });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
-      t.dropColumn("expiryNotificationSent");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250414234624_add-project-delete-protection.ts
+++ b/backend/src/db/migrations/20250414234624_add-project-delete-protection.ts
@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.boolean("hasDeleteProtection").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("hasDeleteProtection");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts
+++ b/backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts
@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    t.string("altNames", 4096).alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    t.string("altNames").alter(); // Defaults to varchar(255)
-  });
-}
--- a/backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts
+++ b/backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts
@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
-    t.string("altNames", 4096).alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
-    t.string("altNames").alter(); // Defaults to varchar(255)
-  });
-}
--- a/backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts
+++ b/backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts
@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm"))) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      t.string("jwtSignatureAlgorithm").defaultTo(OIDCJWTSignatureAlgorithm.RS256).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm")) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      t.dropColumn("jwtSignatureAlgorithm");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts
+++ b/backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts
@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled"))) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("bypassOrgAuthEnabled").defaultTo(false).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled")) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.dropColumn("bypassOrgAuthEnabled");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250421165221_fix-identites-and-user-deletion-secret-version-reference.ts
+++ b/backend/src/db/migrations/20250421165221_fix-identites-and-user-deletion-secret-version-reference.ts
@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.dropForeign(["userActorId"]);
-    table.dropForeign(["identityActorId"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.foreign("userActorId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-
-    table.foreign("identityActorId").references("id").inTable(TableName.Identity).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.dropForeign(["userActorId"]);
-    table.dropForeign(["identityActorId"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.foreign("userActorId").references("id").inTable(TableName.Users);
-
-    table.foreign("identityActorId").references("id").inTable(TableName.Identity);
-  });
-}
--- a/backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts
+++ b/backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts
@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectType, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasDefaultUserCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultUserSshCaId");
-  const hasDefaultHostCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultHostSshCaId");
-
-  if (hasDefaultUserCaCol && hasDefaultHostCaCol) {
-    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
-      t.dropForeign(["defaultUserSshCaId"]);
-      t.dropForeign(["defaultHostSshCaId"]);
-    });
-    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
-      // allow nullable (does not wipe existing values)
-      t.uuid("defaultUserSshCaId").nullable().alter();
-      t.uuid("defaultHostSshCaId").nullable().alter();
-      // re-add with SET NULL behavior (previously CASCADE)
-      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-    });
-  }
-
-  // (dangtony98): backfill by adding null defaults CAs for all existing Infisical SSH projects
-  // that do not have an associated ProjectSshConfig record introduced in Infisical SSH V2.
-
-  const allProjects = await knex(TableName.Project).where("type", ProjectType.SSH).select("id");
-
-  const projectsWithConfig = await knex(TableName.ProjectSshConfig).select("projectId");
-  const projectIdsWithConfig = new Set(projectsWithConfig.map((config) => config.projectId));
-
-  const projectsNeedingConfig = allProjects.filter((project) => !projectIdsWithConfig.has(project.id));
-
-  if (projectsNeedingConfig.length > 0) {
-    const configsToInsert = projectsNeedingConfig.map((project) => ({
-      projectId: project.id,
-      defaultUserSshCaId: null,
-      defaultHostSshCaId: null,
-      createdAt: new Date(),
-      updatedAt: new Date()
-    }));
-
-    await knex.batchInsert(TableName.ProjectSshConfig, configsToInsert);
-  }
-}
-
-export async function down(): Promise<void> {}
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@@ -17,8 +17,7 @@ export const AccessApprovalRequestsSchema = z.object({
  permissions: z.unknown(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  requestedByUserId: z.string().uuid(),
-  note: z.string().nullable().optional()
+  requestedByUserId: z.string().uuid()
 });

 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -75,7 +75,6 @@ export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
 export * from "./project-split-backfill-ids";
-export * from "./project-ssh-configs";
 export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
@@ -126,9 +125,6 @@ export * from "./ssh-certificate-authority-secrets";
 export * from "./ssh-certificate-bodies";
 export * from "./ssh-certificate-templates";
 export * from "./ssh-certificates";
-export * from "./ssh-host-login-user-mappings";
-export * from "./ssh-host-login-users";
-export * from "./ssh-hosts";
 export * from "./super-admin";
 export * from "./totp-configs";
 export * from "./trusted-ips";
--- a/backend/src/db/schemas/kms-keys.ts
+++ b/backend/src/db/schemas/kms-keys.ts
@@ -16,8 +16,7 @@ export const KmsKeysSchema = z.object({
  name: z.string(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  projectId: z.string().nullable().optional(),
-  keyUsage: z.string().default("encrypt-decrypt")
+  projectId: z.string().nullable().optional()
 });

 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -2,9 +2,6 @@ import { z } from "zod";

 export enum TableName {
  Users = "users",
-  SshHost = "ssh_hosts",
-  SshHostLoginUser = "ssh_host_login_users",
-  SshHostLoginUserMapping = "ssh_host_login_user_mappings",
  SshCertificateAuthority = "ssh_certificate_authorities",
  SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
  SshCertificateTemplate = "ssh_certificate_templates",
@@ -41,7 +38,6 @@ export enum TableName {
  SuperAdmin = "super_admin",
  RateLimit = "rate_limit",
  ApiKey = "api_keys",
-  ProjectSshConfig = "project_ssh_configs",
  Project = "projects",
  ProjectBot = "project_bots",
  Environment = "project_environments",
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@@ -30,10 +30,9 @@ export const OidcConfigsSchema = z.object({
  updatedAt: z.date(),
  orgId: z.string().uuid(),
  lastUsed: z.date().nullable().optional(),
-  encryptedOidcClientId: zodBuffer,
-  encryptedOidcClientSecret: zodBuffer,
  manageGroupMemberships: z.boolean().default(false),
-  jwtSignatureAlgorithm: z.string().default("RS256")
+  encryptedOidcClientId: zodBuffer,
+  encryptedOidcClientSecret: zodBuffer
 });

 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -26,8 +26,7 @@ export const OrganizationsSchema = z.object({
  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional(),
  shouldUseNewPrivilegeSystem: z.boolean().default(true),
  privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
-  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
-  bypassOrgAuthEnabled: z.boolean().default(false)
+  privilegeUpgradeInitiatedAt: z.date().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/project-ssh-configs.ts
+++ b/backend/src/db/schemas/project-ssh-configs.ts
@@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ProjectSshConfigsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  projectId: z.string(),
-  defaultUserSshCaId: z.string().uuid().nullable().optional(),
-  defaultHostSshCaId: z.string().uuid().nullable().optional()
-});
-
-export type TProjectSshConfigs = z.infer<typeof ProjectSshConfigsSchema>;
-export type TProjectSshConfigsInsert = Omit<z.input<typeof ProjectSshConfigsSchema>, TImmutableDBKeys>;
-export type TProjectSshConfigsUpdate = Partial<Omit<z.input<typeof ProjectSshConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -26,8 +26,7 @@ export const ProjectsSchema = z.object({
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
  type: z.string(),
-  enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(true).nullable().optional()
+  enforceCapitalization: z.boolean().default(false)
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/resource-metadata.ts
+++ b/backend/src/db/schemas/resource-metadata.ts
@@ -16,8 +16,7 @@ export const ResourceMetadataSchema = z.object({
  identityId: z.string().uuid().nullable().optional(),
  secretId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  dynamicSecretId: z.string().uuid().nullable().optional()
+  updatedAt: z.date()
 });

 export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
--- a/backend/src/db/schemas/service-tokens.ts
+++ b/backend/src/db/schemas/service-tokens.ts
@@ -21,8 +21,7 @@ export const ServiceTokensSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  createdBy: z.string(),
-  projectId: z.string(),
-  expiryNotificationSent: z.boolean().default(false).nullable().optional()
+  projectId: z.string()
 });

 export type TServiceTokens = z.infer<typeof ServiceTokensSchema>;
--- a/backend/src/db/schemas/ssh-certificate-authorities.ts
+++ b/backend/src/db/schemas/ssh-certificate-authorities.ts
@@ -14,8 +14,7 @@ export const SshCertificateAuthoritiesSchema = z.object({
  projectId: z.string(),
  status: z.string(),
  friendlyName: z.string(),
-  keyAlgorithm: z.string(),
-  keySource: z.string()
+  keyAlgorithm: z.string()
 });

 export type TSshCertificateAuthorities = z.infer<typeof SshCertificateAuthoritiesSchema>;
--- a/backend/src/db/schemas/ssh-certificates.ts
+++ b/backend/src/db/schemas/ssh-certificates.ts
@@ -11,15 +11,14 @@ export const SshCertificatesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  sshCaId: z.string().uuid().nullable().optional(),
+  sshCaId: z.string().uuid(),
  sshCertificateTemplateId: z.string().uuid().nullable().optional(),
  serialNumber: z.string(),
  certType: z.string(),
  principals: z.string().array(),
  keyId: z.string(),
  notBefore: z.date(),
-  notAfter: z.date(),
-  sshHostId: z.string().uuid().nullable().optional()
+  notAfter: z.date()
 });

 export type TSshCertificates = z.infer<typeof SshCertificatesSchema>;
--- a/backend/src/db/schemas/ssh-host-login-user-mappings.ts
+++ b/backend/src/db/schemas/ssh-host-login-user-mappings.ts
@@ -1,22 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshHostLoginUserMappingsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  sshHostLoginUserId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional()
-});
-
-export type TSshHostLoginUserMappings = z.infer<typeof SshHostLoginUserMappingsSchema>;
-export type TSshHostLoginUserMappingsInsert = Omit<z.input<typeof SshHostLoginUserMappingsSchema>, TImmutableDBKeys>;
-export type TSshHostLoginUserMappingsUpdate = Partial<
-  Omit<z.input<typeof SshHostLoginUserMappingsSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/ssh-host-login-users.ts
+++ b/backend/src/db/schemas/ssh-host-login-users.ts
@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshHostLoginUsersSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  sshHostId: z.string().uuid(),
-  loginUser: z.string()
-});
-
-export type TSshHostLoginUsers = z.infer<typeof SshHostLoginUsersSchema>;
-export type TSshHostLoginUsersInsert = Omit<z.input<typeof SshHostLoginUsersSchema>, TImmutableDBKeys>;
-export type TSshHostLoginUsersUpdate = Partial<Omit<z.input<typeof SshHostLoginUsersSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-hosts.ts
+++ b/backend/src/db/schemas/ssh-hosts.ts
@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshHostsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  projectId: z.string(),
-  hostname: z.string(),
-  userCertTtl: z.string(),
-  hostCertTtl: z.string(),
-  userSshCaId: z.string().uuid(),
-  hostSshCaId: z.string().uuid()
-});
-
-export type TSshHosts = z.infer<typeof SshHostsSchema>;
-export type TSshHostsInsert = Omit<z.input<typeof SshHostsSchema>, TImmutableDBKeys>;
-export type TSshHostsUpdate = Partial<Omit<z.input<typeof SshHostsSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@@ -22,8 +22,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
      body: z.object({
        permissions: z.any().array(),
        isTemporary: z.boolean(),
-        temporaryRange: z.string().optional(),
-        note: z.string().max(255).optional()
+        temporaryRange: z.string().optional()
      }),
      querystring: z.object({
        projectSlug: z.string().trim()
@@ -44,8 +43,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
        actorOrgId: req.permission.orgId,
        projectSlug: req.query.projectSlug,
        temporaryRange: req.body.temporaryRange,
-        isTemporary: req.body.isTemporary,
-        note: req.body.note
+        isTemporary: req.body.isTemporary
      });
      return { approval: request };
    }
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { ApiDocsTags, DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -18,8 +18,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      body: z.object({
        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
@@ -67,8 +65,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
      }),
@@ -111,8 +107,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
      }),
@@ -166,8 +160,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
      }),
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
-import { ApiDocsTags, DYNAMIC_SECRETS } from "@app/lib/api-docs";
+import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -11,7 +11,6 @@ import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";

 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -21,8 +20,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
@@ -51,8 +48,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
          .nullable(),
        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name),
-        metadata: ResourceMetadataSchema.optional()
+        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name)
      }),
      response: {
        200: z.object({
@@ -113,8 +109,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
      }),
@@ -149,8 +143,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
            })
            .nullable(),
-          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional(),
-          metadata: ResourceMetadataSchema.optional()
+          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
        })
      }),
      response: {
@@ -183,8 +176,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
      }),
@@ -221,8 +212,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
      }),
@@ -249,7 +238,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
        name: req.params.name,
        ...req.query
      });
-
      return { dynamicSecret: dynamicSecretCfg };
    }
  });
@@ -261,8 +249,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
@@ -294,20 +280,18 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.name)
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
      }),
      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.projectSlug),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
        path: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.environmentSlug)
+          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
 import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
-import { ApiDocsTags, GROUPS } from "@app/lib/api-docs";
+import { GROUPS } from "@app/lib/api-docs";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -13,8 +13,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
        slug: slugSchema({ min: 5, max: 36 }).optional().describe(GROUPS.CREATE.slug),
@@ -42,8 +40,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
      }),
@@ -69,8 +65,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      response: {
        200: GroupsSchema.array()
      }
@@ -93,8 +87,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "PATCH",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.UPDATE.id)
      }),
@@ -128,8 +120,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "DELETE",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.DELETE.id)
      }),
@@ -155,8 +145,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    url: "/:id/users",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
      }),
@@ -206,8 +194,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    url: "/:id/users/:username",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.ADD_USER.id),
        username: z.string().trim().describe(GROUPS.ADD_USER.username)
@@ -241,8 +227,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    url: "/:id/users/:username",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
-import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -25,8 +25,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Create a permanent or a non expiry specific privilege for identity.",
      security: [
        {
@@ -87,8 +85,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Create a temporary or a expiring specific privilege for identity.",
      security: [
        {
@@ -161,8 +157,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Update a specific privilege of an identity.",
      security: [
        {
@@ -246,8 +240,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Delete a specific privilege of an identity.",
      security: [
        {
@@ -287,8 +279,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Retrieve details of a specific privilege by privilege slug.",
      security: [
        {
@@ -329,8 +319,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "List of a specific privilege of an identity in a project.",
      security: [
        {
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@@ -32,7 +32,6 @@ import { registerSnapshotRouter } from "./snapshot-router";
 import { registerSshCaRouter } from "./ssh-certificate-authority-router";
 import { registerSshCertRouter } from "./ssh-certificate-router";
 import { registerSshCertificateTemplateRouter } from "./ssh-certificate-template-router";
-import { registerSshHostRouter } from "./ssh-host-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
 import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";

@@ -83,7 +82,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
      await sshRouter.register(registerSshCaRouter, { prefix: "/ca" });
      await sshRouter.register(registerSshCertRouter, { prefix: "/certificates" });
      await sshRouter.register(registerSshCertificateTemplateRouter, { prefix: "/certificate-templates" });
-      await sshRouter.register(registerSshHostRouter, { prefix: "/hosts" });
    },
    { prefix: "/ssh" }
  );
--- a/backend/src/ee/routes/v1/kmip-spec-router.ts
+++ b/backend/src/ee/routes/v1/kmip-spec-router.ts
@@ -2,7 +2,7 @@ import z from "zod";

 import { KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -74,7 +74,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
    schema: {
      description: "KMIP endpoint for creating managed objects",
      body: z.object({
-        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
+        algorithm: z.nativeEnum(SymmetricEncryption)
      }),
      response: {
        200: KmsKeysSchema
@@ -433,7 +433,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
      body: z.object({
        key: z.string(),
        name: z.string(),
-        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
+        algorithm: z.nativeEnum(SymmetricEncryption)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/oidc-router.ts
+++ b/backend/src/ee/routes/v1/oidc-router.ts
@@ -12,7 +12,7 @@ import RedisStore from "connect-redis";
 import { z } from "zod";

 import { OidcConfigsSchema } from "@app/db/schemas";
-import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
+import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,8 +30,7 @@ const SanitizedOidcConfigSchema = OidcConfigsSchema.pick({
  orgId: true,
  isActive: true,
  allowedEmailDomains: true,
-  manageGroupMemberships: true,
-  jwtSignatureAlgorithm: true
+  manageGroupMemberships: true
 });

 export const registerOidcRouter = async (server: FastifyZodProvider) => {
@@ -137,12 +136,11 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
    url: "/login/error",
    method: "GET",
    handler: async (req, res) => {
-      const failureMessage = req.session.get<any>("messages");
      await req.session.destroy();

      return res.status(500).send({
        error: "Authentication error",
-        details: failureMessage ?? req.query
+        details: req.query
      });
    }
  });
@@ -171,8 +169,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          isActive: true,
          orgId: true,
          allowedEmailDomains: true,
-          manageGroupMemberships: true,
-          jwtSignatureAlgorithm: true
+          manageGroupMemberships: true
        }).extend({
          clientId: z.string(),
          clientSecret: z.string()
@@ -227,8 +224,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          clientId: z.string().trim(),
          clientSecret: z.string().trim(),
          isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional(),
-          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
+          manageGroupMemberships: z.boolean().optional()
        })
        .partial()
        .merge(z.object({ orgSlug: z.string() })),
@@ -295,11 +291,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          clientSecret: z.string().trim(),
          isActive: z.boolean(),
          orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false),
-          jwtSignatureAlgorithm: z
-            .nativeEnum(OIDCJWTSignatureAlgorithm)
-            .optional()
-            .default(OIDCJWTSignatureAlgorithm.RS256)
+          manageGroupMemberships: z.boolean().optional().default(false)
        })
        .superRefine((data, ctx) => {
          if (data.configurationType === OIDCConfigurationType.CUSTOM) {
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { ApiDocsTags, AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
+import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -17,8 +17,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Projects],
      description: "Return project secret snapshots ids",
      security: [
        {
--- a/backend/src/ee/routes/v1/project-template-router.ts
+++ b/backend/src/ee/routes/v1/project-template-router.ts
@@ -5,7 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
-import { ApiDocsTags, ProjectTemplates } from "@app/lib/api-docs";
+import { ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -101,8 +101,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
      description: "List project templates for the current organization.",
      response: {
        200: z.object({
@@ -139,8 +137,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
      description: "Get a project template by ID.",
      params: z.object({
        templateId: z.string().uuid()
@@ -180,8 +176,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
      description: "Create a project template.",
      body: z.object({
        name: slugSchema({ field: "name" })
@@ -225,8 +219,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
      description: "Update a project template.",
      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.UPDATE.templateId) }),
      body: z.object({
@@ -277,8 +269,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
      description: "Delete a project template.",
      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),

--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -223,18 +223,12 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
        samlConfigId: z.string().trim()
      })
    },
-    preValidation: passport.authenticate(
-      "saml",
-      {
-        session: false
-      },
-      async (req, res, err, user) => {
-        if (err) {
-          throw new BadRequestError({ message: `Saml authentication failed. ${err?.message}`, error: err });
-        }
-        req.passportUser = user as { isUserCompleted: boolean; providerAuthToken: string };
-      }
-    ) as any, // this is due to zod type difference
+    preValidation: passport.authenticate("saml", {
+      session: false,
+      failureFlash: true,
+      failureRedirect: "/login/provider/error"
+      // this is due to zod type difference
+    }) as any,
    handler: (req, res) => {
      if (req.passportUser.isUserCompleted) {
        return res.redirect(
--- a/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
@@ -23,8 +23,7 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
              title: z.string(),
              image: z.string().optional(),
              description: z.string().optional(),
-              template: z.any(),
-              isDeprecated: z.boolean().optional()
+              template: z.any()
            })
            .array()
        })
--- a/backend/src/ee/routes/v1/secret-rotation-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { SecretRotationOutputsSchema, SecretRotationsSchema } from "@app/db/schemas";
+import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -40,16 +41,10 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const secretRotation = await server.services.secretRotation.createRotation({
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        projectId: req.body.workspaceId
+    handler: async () => {
+      throw new BadRequestError({
+        message: `This version of Secret Rotations has been deprecated. Please see docs for new version.`
      });
-      return { secretRotation };
    }
  });

--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { SecretSnapshotsSchema } from "@app/db/schemas";
-import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
@@ -65,8 +65,6 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Projects],
      description: "Roll back project secrets to those captured in a secret snapshot version.",
      security: [
        {
--- a/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
@@ -1,15 +1,14 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { normalizeSshPrivateKey } from "@app/ee/services/ssh/ssh-certificate-authority-fns";
 import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-schema";
-import { SshCaKeySource, SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
-import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";

 export const registerSshCaRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -20,37 +19,15 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Create SSH CA",
-      body: z
-        .object({
-          projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
-          friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
-          keyAlgorithm: z
-            .nativeEnum(SshCertKeyAlgorithm)
-            .default(SshCertKeyAlgorithm.ED25519)
-            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm),
-          publicKey: z.string().trim().optional().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.publicKey),
-          privateKey: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val ? normalizeSshPrivateKey(val) : undefined))
-            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.privateKey),
-          keySource: z
-            .nativeEnum(SshCaKeySource)
-            .default(SshCaKeySource.INTERNAL)
-            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keySource)
-        })
-        .refine((data) => data.keySource === SshCaKeySource.INTERNAL || (!!data.publicKey && !!data.privateKey), {
-          message: "publicKey and privateKey are required when keySource is external",
-          path: ["publicKey"]
-        })
-        .refine((data) => data.keySource === SshCaKeySource.EXTERNAL || !!data.keyAlgorithm, {
-          message: "keyAlgorithm is required when keySource is internal",
-          path: ["keyAlgorithm"]
-        }),
+      body: z.object({
+        projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
+        friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
+        keyAlgorithm: z
+          .nativeEnum(CertKeyAlgorithm)
+          .default(CertKeyAlgorithm.RSA_2048)
+          .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm)
+      }),
      response: {
        200: z.object({
          ca: sanitizedSshCa.extend({
@@ -94,8 +71,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Get SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET.sshCaId)
@@ -142,8 +117,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Get public key of SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_PUBLIC_KEY.sshCaId)
@@ -169,8 +142,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Update SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.sshCaId)
@@ -224,8 +195,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Delete SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.DELETE.sshCaId)
@@ -271,8 +240,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Get list of certificate templates for the SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_CERTIFICATE_TEMPLATES.sshCaId)
--- a/backend/src/ee/routes/v1/ssh-certificate-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-router.ts
@@ -2,13 +2,13 @@ import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
-import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 export const registerSshCertRouter = async (server: FastifyZodProvider) => {
@@ -20,8 +20,6 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificates],
      description: "Sign SSH public key",
      body: z.object({
        certificateTemplateId: z
@@ -102,8 +100,6 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificates],
      description: "Issue SSH credentials (certificate + key)",
      body: z.object({
        certificateTemplateId: z
@@ -112,8 +108,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
          .min(1)
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certificateTemplateId),
        keyAlgorithm: z
-          .nativeEnum(SshCertKeyAlgorithm)
-          .default(SshCertKeyAlgorithm.ED25519)
+          .nativeEnum(CertKeyAlgorithm)
+          .default(CertKeyAlgorithm.RSA_2048)
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm),
        certType: z
          .nativeEnum(SshCertType)
@@ -137,7 +133,7 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
          privateKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.privateKey),
          publicKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.publicKey),
          keyAlgorithm: z
-            .nativeEnum(SshCertKeyAlgorithm)
+            .nativeEnum(CertKeyAlgorithm)
            .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
        })
      }
--- a/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
@@ -8,7 +8,7 @@ import {
  isValidHostPattern,
  isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
-import { ApiDocsTags, SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -22,8 +22,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
      }),
@@ -63,8 +61,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
      body: z
        .object({
          sshCaId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.sshCaId),
@@ -96,8 +92,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
          allowHostCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowHostCertificates),
          allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
        })
-        .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TLL must be greater than or equal to TTL",
+        .refine((data) => ms(data.maxTTL) > ms(data.ttl), {
+          message: "Max TLL must be greater than TTL",
          path: ["maxTTL"]
        }),
      response: {
@@ -145,8 +141,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
      body: z.object({
        status: z.nativeEnum(SshCertTemplateStatus).optional(),
        name: z
@@ -230,8 +224,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
      }),
--- a/backend/src/ee/routes/v1/ssh-host-router.ts
+++ b/backend/src/ee/routes/v1/ssh-host-router.ts
@@ -1,444 +0,0 @@
-import { z } from "zod";
-
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
-import { loginMappingSchema, sanitizedSshHost } from "@app/ee/services/ssh-host/ssh-host-schema";
-import { isValidHostname } from "@app/ee/services/ssh-host/ssh-host-validators";
-import { SSH_HOSTS } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
-import { publicSshCaLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
-
-export const registerSshHostRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      response: {
-        200: z.array(
-          sanitizedSshHost.extend({
-            loginMappings: z.array(loginMappingSchema)
-          })
-        )
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const hosts = await server.services.sshHost.listSshHosts({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return hosts;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:sshHostId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        sshHostId: z.string().describe(SSH_HOSTS.GET.sshHostId)
-      }),
-      response: {
-        200: sanitizedSshHost.extend({
-          loginMappings: z.array(loginMappingSchema)
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const host = await server.services.sshHost.getSshHost({
-        sshHostId: req.params.sshHostId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: host.projectId,
-        event: {
-          type: EventType.GET_SSH_HOST,
-          metadata: {
-            sshHostId: host.id,
-            hostname: host.hostname
-          }
-        }
-      });
-
-      return host;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Add an SSH Host",
-      body: z.object({
-        projectId: z.string().describe(SSH_HOSTS.CREATE.projectId),
-        hostname: z
-          .string()
-          .min(1)
-          .refine((v) => isValidHostname(v), {
-            message: "Hostname must be a valid hostname"
-          })
-          .describe(SSH_HOSTS.CREATE.hostname),
-        userCertTtl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .default("8h")
-          .describe(SSH_HOSTS.CREATE.userCertTtl),
-        hostCertTtl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .default("1y")
-          .describe(SSH_HOSTS.CREATE.hostCertTtl),
-        loginMappings: z.array(loginMappingSchema).default([]).describe(SSH_HOSTS.CREATE.loginMappings),
-        userSshCaId: z.string().describe(SSH_HOSTS.CREATE.userSshCaId).optional(),
-        hostSshCaId: z.string().describe(SSH_HOSTS.CREATE.hostSshCaId).optional()
-      }),
-      response: {
-        200: sanitizedSshHost.extend({
-          loginMappings: z.array(loginMappingSchema)
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const host = await server.services.sshHost.createSshHost({
-        ...req.body,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: host.projectId,
-        event: {
-          type: EventType.CREATE_SSH_HOST,
-          metadata: {
-            sshHostId: host.id,
-            hostname: host.hostname,
-            userCertTtl: host.userCertTtl,
-            hostCertTtl: host.hostCertTtl,
-            loginMappings: host.loginMappings,
-            userSshCaId: host.userSshCaId,
-            hostSshCaId: host.hostSshCaId
-          }
-        }
-      });
-
-      return host;
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:sshHostId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update SSH Host",
-      params: z.object({
-        sshHostId: z.string().trim().describe(SSH_HOSTS.UPDATE.sshHostId)
-      }),
-      body: z.object({
-        hostname: z
-          .string()
-          .min(1)
-          .refine((v) => isValidHostname(v), {
-            message: "Hostname must be a valid hostname"
-          })
-          .optional()
-          .describe(SSH_HOSTS.UPDATE.hostname),
-        userCertTtl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional()
-          .describe(SSH_HOSTS.UPDATE.userCertTtl),
-        hostCertTtl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional()
-          .describe(SSH_HOSTS.UPDATE.hostCertTtl),
-        loginMappings: z.array(loginMappingSchema).optional().describe(SSH_HOSTS.UPDATE.loginMappings)
-      }),
-      response: {
-        200: sanitizedSshHost.extend({
-          loginMappings: z.array(loginMappingSchema)
-        })
-      }
-    },
-    handler: async (req) => {
-      const host = await server.services.sshHost.updateSshHost({
-        sshHostId: req.params.sshHostId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: host.projectId,
-        event: {
-          type: EventType.UPDATE_SSH_HOST,
-          metadata: {
-            sshHostId: host.id,
-            hostname: host.hostname,
-            userCertTtl: host.userCertTtl,
-            hostCertTtl: host.hostCertTtl,
-            loginMappings: host.loginMappings,
-            userSshCaId: host.userSshCaId,
-            hostSshCaId: host.hostSshCaId
-          }
-        }
-      });
-
-      return host;
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:sshHostId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        sshHostId: z.string().describe(SSH_HOSTS.DELETE.sshHostId)
-      }),
-      response: {
-        200: sanitizedSshHost.extend({
-          loginMappings: z.array(loginMappingSchema)
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const host = await server.services.sshHost.deleteSshHost({
-        sshHostId: req.params.sshHostId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: host.projectId,
-        event: {
-          type: EventType.DELETE_SSH_HOST,
-          metadata: {
-            sshHostId: host.id,
-            hostname: host.hostname
-          }
-        }
-      });
-
-      return host;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:sshHostId/issue-user-cert",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      description: "Issue SSH certificate for user",
-      params: z.object({
-        sshHostId: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.sshHostId)
-      }),
-      body: z.object({
-        loginUser: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.loginUser)
-      }),
-      response: {
-        200: z.object({
-          serialNumber: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.serialNumber),
-          signedKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.signedKey),
-          privateKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.privateKey),
-          publicKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.publicKey),
-          keyAlgorithm: z.nativeEnum(SshCertKeyAlgorithm).describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
-        })
-      }
-    },
-    handler: async (req) => {
-      const { serialNumber, signedPublicKey, privateKey, publicKey, keyAlgorithm, host, principals } =
-        await server.services.sshHost.issueSshHostUserCert({
-          sshHostId: req.params.sshHostId,
-          loginUser: req.body.loginUser,
-          actor: req.permission.type,
-          actorId: req.permission.id,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.ISSUE_SSH_HOST_USER_CERT,
-          metadata: {
-            sshHostId: req.params.sshHostId,
-            hostname: host.hostname,
-            loginUser: req.body.loginUser,
-            principals,
-            ttl: host.userCertTtl
-          }
-        }
-      });
-
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.IssueSshHostUserCert,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          sshHostId: req.params.sshHostId,
-          hostname: host.hostname,
-          principals,
-          ...req.auditLogInfo
-        }
-      });
-
-      return {
-        serialNumber,
-        signedKey: signedPublicKey,
-        privateKey,
-        publicKey,
-        keyAlgorithm
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:sshHostId/issue-host-cert",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Issue SSH certificate for host",
-      params: z.object({
-        sshHostId: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.sshHostId)
-      }),
-      body: z.object({
-        publicKey: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.publicKey)
-      }),
-      response: {
-        200: z.object({
-          serialNumber: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.serialNumber),
-          signedKey: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.signedKey)
-        })
-      }
-    },
-    handler: async (req) => {
-      const { host, principals, serialNumber, signedPublicKey } = await server.services.sshHost.issueSshHostHostCert({
-        sshHostId: req.params.sshHostId,
-        publicKey: req.body.publicKey,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.ISSUE_SSH_HOST_HOST_CERT,
-          metadata: {
-            sshHostId: req.params.sshHostId,
-            hostname: host.hostname,
-            principals,
-            serialNumber,
-            ttl: host.hostCertTtl
-          }
-        }
-      });
-
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.IssueSshHostHostCert,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          sshHostId: req.params.sshHostId,
-          hostname: host.hostname,
-          principals,
-          ...req.auditLogInfo
-        }
-      });
-
-      return {
-        serialNumber,
-        signedKey: signedPublicKey
-      };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:sshHostId/user-ca-public-key",
-    config: {
-      rateLimit: publicSshCaLimit
-    },
-    schema: {
-      description: "Get public key of the user SSH CA linked to the host",
-      params: z.object({
-        sshHostId: z.string().trim().describe(SSH_HOSTS.GET_USER_CA_PUBLIC_KEY.sshHostId)
-      }),
-      response: {
-        200: z.string().describe(SSH_HOSTS.GET_USER_CA_PUBLIC_KEY.publicKey)
-      }
-    },
-    handler: async (req) => {
-      const publicKey = await server.services.sshHost.getSshHostUserCaPk(req.params.sshHostId);
-      return publicKey;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:sshHostId/host-ca-public-key",
-    config: {
-      rateLimit: publicSshCaLimit
-    },
-    schema: {
-      description: "Get public key of the host SSH CA linked to the host",
-      params: z.object({
-        sshHostId: z.string().trim().describe(SSH_HOSTS.GET_HOST_CA_PUBLIC_KEY.sshHostId)
-      }),
-      response: {
-        200: z.string().describe(SSH_HOSTS.GET_HOST_CA_PUBLIC_KEY.publicKey)
-      }
-    },
-    handler: async (req) => {
-      const publicKey = await server.services.sshHost.getSshHostHostCaPk(req.params.sshHostId);
-      return publicKey;
-    }
-  });
-};
--- a/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
@@ -4,7 +4,7 @@ import { z } from "zod";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -21,8 +21,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Add an additional privilege for identity.",
      security: [
        {
@@ -86,8 +84,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Update a specific identity privilege.",
      security: [
        {
@@ -152,8 +148,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Delete the specified identity privilege.",
      security: [
        {
@@ -189,8 +183,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Retrieve details of a specific privilege by id.",
      security: [
        {
@@ -226,8 +218,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Retrieve details of a specific privilege by slug.",
      security: [
        {
@@ -268,8 +258,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "List privileges for the specified identity by project.",
      security: [
        {
--- a/backend/src/ee/routes/v2/project-role-router.ts
+++ b/backend/src/ee/routes/v2/project-role-router.ts
@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
+import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -20,8 +20,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
      description: "Create a project role",
      security: [
        {
@@ -77,8 +75,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
      description: "Update a project role",
      security: [
        {
@@ -134,8 +130,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
      description: "Delete a project role",
      security: [
        {
@@ -172,8 +166,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
      description: "List project role",
      security: [
        {
@@ -212,8 +204,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
      params: z.object({
        projectId: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.projectId),
        roleSlug: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.roleSlug)
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/auth0-client-secret-rotation-router.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/auth0-client-secret-rotation-router.ts
@@ -1,19 +0,0 @@
-import {
-  Auth0ClientSecretRotationGeneratedCredentialsSchema,
-  Auth0ClientSecretRotationSchema,
-  CreateAuth0ClientSecretRotationSchema,
-  UpdateAuth0ClientSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-
-import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
-
-export const registerAuth0ClientSecretRotationRouter = async (server: FastifyZodProvider) =>
-  registerSecretRotationEndpoints({
-    type: SecretRotation.Auth0ClientSecret,
-    server,
-    responseSchema: Auth0ClientSecretRotationSchema,
-    createSchema: CreateAuth0ClientSecretRotationSchema,
-    updateSchema: UpdateAuth0ClientSecretRotationSchema,
-    generatedCredentialsSchema: Auth0ClientSecretRotationGeneratedCredentialsSchema
-  });
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
@@ -1,6 +1,5 @@
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";

-import { registerAuth0ClientSecretRotationRouter } from "./auth0-client-secret-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";

@@ -11,6 +10,5 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
  (server: FastifyZodProvider) => Promise<void>
 > = {
  [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
-  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
-  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter
+  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter
 };
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts
@@ -9,7 +9,7 @@ import {
  TSecretRotationV2GeneratedCredentials,
  TSecretRotationV2Input
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
+import { SecretRotations } from "@app/lib/api-docs";
 import { startsWithVowel } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -66,8 +66,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `List the ${rotationType} Rotations for the specified project.`,
      querystring: z.object({
        projectId: z.string().trim().min(1, "Project ID required").describe(SecretRotations.LIST(type).projectId)
@@ -111,8 +109,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Get the specified ${rotationType} Rotation by ID.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.GET_BY_ID(type).rotationId)
@@ -155,8 +151,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Get the specified ${rotationType} Rotation by name, secret path, environment and project ID.`,
      params: z.object({
        rotationName: z
@@ -221,8 +215,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Create ${
        startsWithVowel(rotationType) ? "an" : "a"
      } ${rotationType} Rotation for the specified project.`,
@@ -262,8 +254,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Update the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.UPDATE(type).rotationId)
@@ -306,8 +296,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Delete the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.DELETE(type).rotationId)
@@ -361,8 +349,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Get the generated credentials for the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.GET_GENERATED_CREDENTIALS_BY_ID(type).rotationId)
@@ -416,8 +402,6 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: `Rotate the generated credentials for the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.ROTATE(type).rotationId)
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
@@ -1,19 +1,17 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { Auth0ClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
-import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
+import { SecretRotations } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
  PostgresCredentialsRotationListItemSchema,
-  MsSqlCredentialsRotationListItemSchema,
-  Auth0ClientSecretRotationListItemSchema
+  MsSqlCredentialsRotationListItemSchema
 ]);

 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {
@@ -24,8 +22,6 @@ export const registerSecretRotationV2Router = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: "List the available Secret Rotation Options.",
      response: {
        200: z.object({
@@ -47,8 +43,6 @@ export const registerSecretRotationV2Router = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
      description: "List all the Secret Rotations for the specified project.",
      querystring: z.object({
        projectId: z.string().trim().min(1, "Project ID required").describe(SecretRotations.LIST().projectId)
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -94,8 +94,7 @@ export const accessApprovalRequestServiceFactory = ({
    actor,
    actorOrgId,
    actorAuthMethod,
-    projectSlug,
-    note
+    projectSlug
  }: TCreateAccessApprovalRequestDTO) => {
    const cfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
@@ -210,8 +209,7 @@ export const accessApprovalRequestServiceFactory = ({
          requestedByUserId: actorId,
          temporaryRange: temporaryRange || null,
          permissions: JSON.stringify(requestedPermissions),
-          isTemporary,
-          note: note || null
+          isTemporary
        },
        tx
      );
@@ -234,8 +232,7 @@ export const accessApprovalRequestServiceFactory = ({
            secretPath,
            environment: envSlug,
            permissions: accessTypes,
-            approvalUrl,
-            note
+            approvalUrl
          }
        }
      });
@@ -255,8 +252,7 @@ export const accessApprovalRequestServiceFactory = ({
          secretPath,
          environment: envSlug,
          permissions: accessTypes,
-          approvalUrl,
-          note
+          approvalUrl
        },
        template: SmtpTemplates.AccessApprovalRequest
      });
--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@@ -24,7 +24,6 @@ export type TCreateAccessApprovalRequestDTO = {
  permissions: unknown;
  isTemporary: boolean;
  temporaryRange?: string;
-  note?: string;
 } & Omit<TProjectPermission, "projectId">;

 export type TListApprovalRequestsDTO = {
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -10,10 +10,8 @@ import {
  TUpdateSecretRotationV2DTO
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
 import { SshCaStatus, SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
-import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
-import { AsymmetricKeyAlgorithm, SigningAlgorithm } from "@app/lib/crypto/sign/types";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
@@ -191,12 +189,6 @@ export enum EventType {
  UPDATE_SSH_CERTIFICATE_TEMPLATE = "update-ssh-certificate-template",
  DELETE_SSH_CERTIFICATE_TEMPLATE = "delete-ssh-certificate-template",
  GET_SSH_CERTIFICATE_TEMPLATE = "get-ssh-certificate-template",
-  CREATE_SSH_HOST = "create-ssh-host",
-  UPDATE_SSH_HOST = "update-ssh-host",
-  DELETE_SSH_HOST = "delete-ssh-host",
-  GET_SSH_HOST = "get-ssh-host",
-  ISSUE_SSH_HOST_USER_CERT = "issue-ssh-host-user-cert",
-  ISSUE_SSH_HOST_HOST_CERT = "issue-ssh-host-host-cert",
  CREATE_CA = "create-certificate-authority",
  GET_CA = "get-certificate-authority",
  UPDATE_CA = "update-certificate-authority",
@@ -234,7 +226,6 @@ export enum EventType {
  GET_PROJECT_KMS_BACKUP = "get-project-kms-backup",
  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
  ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project",
-  ORG_ADMIN_BYPASS_SSO = "org-admin-bypassed-sso",
  CREATE_CERTIFICATE_TEMPLATE = "create-certificate-template",
  UPDATE_CERTIFICATE_TEMPLATE = "update-certificate-template",
  DELETE_CERTIFICATE_TEMPLATE = "delete-certificate-template",
@@ -249,8 +240,6 @@ export enum EventType {
  DELETE_SLACK_INTEGRATION = "delete-slack-integration",
  GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
  UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
-  GET_PROJECT_SSH_CONFIG = "get-project-ssh-config",
-  UPDATE_PROJECT_SSH_CONFIG = "update-project-ssh-config",
  INTEGRATION_SYNCED = "integration-synced",
  CREATE_CMEK = "create-cmek",
  UPDATE_CMEK = "update-cmek",
@@ -259,11 +248,6 @@ export enum EventType {
  GET_CMEK = "get-cmek",
  CMEK_ENCRYPT = "cmek-encrypt",
  CMEK_DECRYPT = "cmek-decrypt",
-  CMEK_SIGN = "cmek-sign",
-  CMEK_VERIFY = "cmek-verify",
-  CMEK_LIST_SIGNING_ALGORITHMS = "cmek-list-signing-algorithms",
-  CMEK_GET_PUBLIC_KEY = "cmek-get-public-key",
-
  UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping",
  GET_PROJECT_TEMPLATES = "get-project-templates",
@@ -1393,7 +1377,7 @@ interface IssueSshCreds {
  type: EventType.ISSUE_SSH_CREDS;
  metadata: {
    certificateTemplateId: string;
-    keyAlgorithm: SshCertKeyAlgorithm;
+    keyAlgorithm: CertKeyAlgorithm;
    certType: SshCertType;
    principals: string[];
    ttl: string;
@@ -1489,80 +1473,6 @@ interface DeleteSshCertificateTemplate {
  };
 }

-interface CreateSshHost {
-  type: EventType.CREATE_SSH_HOST;
-  metadata: {
-    sshHostId: string;
-    hostname: string;
-    userCertTtl: string;
-    hostCertTtl: string;
-    loginMappings: {
-      loginUser: string;
-      allowedPrincipals: {
-        usernames: string[];
-      };
-    }[];
-    userSshCaId: string;
-    hostSshCaId: string;
-  };
-}
-
-interface UpdateSshHost {
-  type: EventType.UPDATE_SSH_HOST;
-  metadata: {
-    sshHostId: string;
-    hostname?: string;
-    userCertTtl?: string;
-    hostCertTtl?: string;
-    loginMappings?: {
-      loginUser: string;
-      allowedPrincipals: {
-        usernames: string[];
-      };
-    }[];
-    userSshCaId?: string;
-    hostSshCaId?: string;
-  };
-}
-
-interface DeleteSshHost {
-  type: EventType.DELETE_SSH_HOST;
-  metadata: {
-    sshHostId: string;
-    hostname: string;
-  };
-}
-
-interface GetSshHost {
-  type: EventType.GET_SSH_HOST;
-  metadata: {
-    sshHostId: string;
-    hostname: string;
-  };
-}
-
-interface IssueSshHostUserCert {
-  type: EventType.ISSUE_SSH_HOST_USER_CERT;
-  metadata: {
-    sshHostId: string;
-    hostname: string;
-    loginUser: string;
-    principals: string[];
-    ttl: string;
-  };
-}
-
-interface IssueSshHostHostCert {
-  type: EventType.ISSUE_SSH_HOST_HOST_CERT;
-  metadata: {
-    sshHostId: string;
-    hostname: string;
-    serialNumber: string;
-    principals: string[];
-    ttl: string;
-  };
-}
-
 interface CreateCa {
  type: EventType.CREATE_CA;
  metadata: {
@@ -1910,11 +1820,6 @@ interface OrgAdminAccessProjectEvent {
  }; // no metadata yet
 }

-interface OrgAdminBypassSSOEvent {
-  type: EventType.ORG_ADMIN_BYPASS_SSO;
-  metadata: Record<string, string>; // no metadata yet
-}
-
 interface CreateCertificateTemplateEstConfig {
  type: EventType.CREATE_CERTIFICATE_TEMPLATE_EST_CONFIG;
  metadata: {
@@ -1994,25 +1899,6 @@ interface GetProjectSlackConfig {
    id: string;
  };
 }
-
-interface GetProjectSshConfig {
-  type: EventType.GET_PROJECT_SSH_CONFIG;
-  metadata: {
-    id: string;
-    projectId: string;
-  };
-}
-
-interface UpdateProjectSshConfig {
-  type: EventType.UPDATE_PROJECT_SSH_CONFIG;
-  metadata: {
-    id: string;
-    projectId: string;
-    defaultUserSshCaId?: string | null;
-    defaultHostSshCaId?: string | null;
-  };
-}
-
 interface IntegrationSyncedEvent {
  type: EventType.INTEGRATION_SYNCED;
  metadata: {
@@ -2030,7 +1916,7 @@ interface CreateCmekEvent {
    keyId: string;
    name: string;
    description?: string;
-    encryptionAlgorithm: SymmetricKeyAlgorithm | AsymmetricKeyAlgorithm;
+    encryptionAlgorithm: SymmetricEncryption;
  };
 }

@@ -2078,39 +1964,6 @@ interface CmekDecryptEvent {
  };
 }

-interface CmekSignEvent {
-  type: EventType.CMEK_SIGN;
-  metadata: {
-    keyId: string;
-    signingAlgorithm: SigningAlgorithm;
-    signature: string;
-  };
-}
-
-interface CmekVerifyEvent {
-  type: EventType.CMEK_VERIFY;
-  metadata: {
-    keyId: string;
-    signingAlgorithm: SigningAlgorithm;
-    signature: string;
-    signatureValid: boolean;
-  };
-}
-
-interface CmekListSigningAlgorithmsEvent {
-  type: EventType.CMEK_LIST_SIGNING_ALGORITHMS;
-  metadata: {
-    keyId: string;
-  };
-}
-
-interface CmekGetPublicKeyEvent {
-  type: EventType.CMEK_GET_PUBLIC_KEY;
-  metadata: {
-    keyId: string;
-  };
-}
-
 interface GetExternalGroupOrgRoleMappingsEvent {
  type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
  metadata?: Record<string, never>; // not needed, based off orgId
@@ -2640,12 +2493,6 @@ export type Event =
  | UpdateSshCertificateTemplate
  | GetSshCertificateTemplate
  | DeleteSshCertificateTemplate
-  | CreateSshHost
-  | UpdateSshHost
-  | DeleteSshHost
-  | GetSshHost
-  | IssueSshHostUserCert
-  | IssueSshHostHostCert
  | CreateCa
  | GetCa
  | UpdateCa
@@ -2683,7 +2530,6 @@ export type Event =
  | GetProjectKmsBackupEvent
  | LoadProjectKmsBackupEvent
  | OrgAdminAccessProjectEvent
-  | OrgAdminBypassSSOEvent
  | CreateCertificateTemplate
  | UpdateCertificateTemplate
  | GetCertificateTemplate
@@ -2698,8 +2544,6 @@ export type Event =
  | GetSlackIntegration
  | UpdateProjectSlackConfig
  | GetProjectSlackConfig
-  | GetProjectSshConfig
-  | UpdateProjectSshConfig
  | IntegrationSyncedEvent
  | CreateCmekEvent
  | UpdateCmekEvent
@@ -2708,10 +2552,6 @@ export type Event =
  | GetCmeksEvent
  | CmekEncryptEvent
  | CmekDecryptEvent
-  | CmekSignEvent
-  | CmekVerifyEvent
-  | CmekListSigningAlgorithmsEvent
-  | CmekGetPublicKeyEvent
  | GetExternalGroupOrgRoleMappingsEvent
  | UpdateExternalGroupOrgRoleMappingsEvent
  | GetProjectTemplatesEvent
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -78,6 +78,10 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan?.dynamicSecret) {
@@ -98,15 +102,6 @@ export const dynamicSecretLeaseServiceFactory = ({
        message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
      });

-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
      throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
@@ -130,17 +125,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max TTL" });
    }

-    let result;
-    try {
-      result = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
-    } catch (error: unknown) {
-      if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
-        throw new BadRequestError({ message: error.sqlMessage as string });
-      }
-      throw error;
-    }
-    const { entityId, data } = result;
-
+    const { entityId, data } = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
    const dynamicSecretLease = await dynamicSecretLeaseDAL.create({
      expireAt,
      version: 1,
@@ -174,6 +159,10 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
@@ -198,25 +187,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
    }

-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
-      id: dynamicSecretLease.dynamicSecretId,
-      folderId: folder.id
-    });
-
-    if (!dynamicSecretCfg)
-      throw new NotFoundError({
-        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
+    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
    const decryptedStoredInput = JSON.parse(
      secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
@@ -268,6 +239,10 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
@@ -284,25 +259,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id)
      throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });

-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
-      id: dynamicSecretLease.dynamicSecretId,
-      folderId: folder.id
-    });
-
-    if (!dynamicSecretCfg)
-      throw new NotFoundError({
-        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
+    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
    const decryptedStoredInput = JSON.parse(
      secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
@@ -352,6 +309,10 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder)
@@ -365,15 +326,6 @@ export const dynamicSecretLeaseServiceFactory = ({
        message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
      });

-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
    return dynamicSecretLeases;
  };
@@ -400,6 +352,10 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder) throw new NotFoundError({ message: `Folder with path '${path}' not found` });
@@ -408,25 +364,6 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!dynamicSecretLease)
      throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });

-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
-      id: dynamicSecretLease.dynamicSecretId,
-      folderId: folder.id
-    });
-
-    if (!dynamicSecretCfg)
-      throw new NotFoundError({
-        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
    return dynamicSecretLease;
  };

--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
@@ -1,17 +1,9 @@
 import { Knex } from "knex";

 import { TDbClient } from "@app/db";
-import { TableName, TDynamicSecrets } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  prependTableNameToFindFilter,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";

@@ -20,86 +12,6 @@ export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory
 export const dynamicSecretDALFactory = (db: TDbClient) => {
  const orm = ormify(db, TableName.DynamicSecret);

-  const findOne = async (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => {
-    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
-      .leftJoin(
-        TableName.ResourceMetadata,
-        `${TableName.ResourceMetadata}.dynamicSecretId`,
-        `${TableName.DynamicSecret}.id`
-      )
-      .select(selectAllTableCols(TableName.DynamicSecret))
-      .select(
-        db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-        db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-        db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-      )
-      .where(prependTableNameToFindFilter(TableName.DynamicSecret, filter));
-
-    const docs = sqlNestRelationships({
-      data: await query,
-      key: "id",
-      parentMapper: (el) => el,
-      childrenMapper: [
-        {
-          key: "metadataId",
-          label: "metadata" as const,
-          mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-            id: metadataId,
-            key: metadataKey,
-            value: metadataValue
-          })
-        }
-      ]
-    });
-
-    return docs[0];
-  };
-
-  const findWithMetadata = async (
-    filter: TFindFilter<TDynamicSecrets>,
-    { offset, limit, sort, tx }: TFindOpt<TDynamicSecrets> = {}
-  ) => {
-    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
-      .leftJoin(
-        TableName.ResourceMetadata,
-        `${TableName.ResourceMetadata}.dynamicSecretId`,
-        `${TableName.DynamicSecret}.id`
-      )
-      .select(selectAllTableCols(TableName.DynamicSecret))
-      .select(
-        db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-        db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-        db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-      )
-      // eslint-disable-next-line @typescript-eslint/no-misused-promises
-      .where(buildFindFilter(filter));
-
-    if (limit) void query.limit(limit);
-    if (offset) void query.offset(offset);
-    if (sort) {
-      void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
-    }
-
-    const docs = sqlNestRelationships({
-      data: await query,
-      key: "id",
-      parentMapper: (el) => el,
-      childrenMapper: [
-        {
-          key: "metadataId",
-          label: "metadata" as const,
-          mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-            id: metadataId,
-            key: metadataKey,
-            value: metadataValue
-          })
-        }
-      ]
-    });
-
-    return docs;
-  };
-
  // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
  const listDynamicSecretsByFolderIds = async (
    {
@@ -127,27 +39,18 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
            void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
          }
        })
-        .leftJoin(
-          TableName.ResourceMetadata,
-          `${TableName.ResourceMetadata}.dynamicSecretId`,
-          `${TableName.DynamicSecret}.id`
-        )
        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
        .select(
          selectAllTableCols(TableName.DynamicSecret),
          db.ref("slug").withSchema(TableName.Environment).as("environment"),
-          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`),
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
        )
        .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);

-      let queryWithLimit;
      if (limit) {
        const rankOffset = offset + 1;
-        queryWithLimit = (tx || db.replicaNode())
+        return await (tx || db)
          .with("w", query)
          .select("*")
          .from<Awaited<typeof query>[number]>("w")
@@ -155,22 +58,7 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
          .andWhere("w.rank", "<", rankOffset + limit);
      }

-      const dynamicSecrets = sqlNestRelationships({
-        data: await (queryWithLimit || query),
-        key: "id",
-        parentMapper: (el) => el,
-        childrenMapper: [
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
+      const dynamicSecrets = await query;

      return dynamicSecrets;
    } catch (error) {
@@ -178,5 +66,5 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...orm, listDynamicSecretsByFolderIds, findOne, findWithMetadata };
+  return { ...orm, listDynamicSecretsByFolderIds };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
@@ -42,7 +42,7 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
    inputHostIps.push(...resolvedIps);
  }

-  if (!isGateway && !(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
+  if (!isGateway && !appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP) {
    const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
    if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
  }
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -12,7 +12,6 @@ import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";

 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
@@ -47,7 +46,6 @@ type TDynamicSecretServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
  projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };

 export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
@@ -62,8 +60,7 @@ export const dynamicSecretServiceFactory = ({
  dynamicSecretQueueService,
  projectDAL,
  kmsService,
-  projectGatewayDAL,
-  resourceMetadataDAL
+  projectGatewayDAL
 }: TDynamicSecretServiceFactoryDep) => {
  const create = async ({
    path,
@@ -76,8 +73,7 @@ export const dynamicSecretServiceFactory = ({
    projectSlug,
    actorOrgId,
    defaultTTL,
-    actorAuthMethod,
-    metadata
+    actorAuthMethod
  }: TCreateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -91,10 +87,9 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
-
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path, metadata })
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const plan = await licenseService.getPlan(actorOrgId);
@@ -136,36 +131,16 @@ export const dynamicSecretServiceFactory = ({
      projectId
    });

-    const dynamicSecretCfg = await dynamicSecretDAL.transaction(async (tx) => {
-      const cfg = await dynamicSecretDAL.create(
-        {
-          type: provider.type,
-          version: 1,
-          encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
-          maxTTL,
-          defaultTTL,
-          folderId: folder.id,
-          name,
-          projectGatewayId: selectedGatewayId
-        },
-        tx
-      );
-
-      if (metadata) {
-        await resourceMetadataDAL.insertMany(
-          metadata.map(({ key, value }) => ({
-            key,
-            value,
-            dynamicSecretId: cfg.id,
-            orgId: actorOrgId
-          })),
-          tx
-        );
-      }
-
-      return cfg;
+    const dynamicSecretCfg = await dynamicSecretDAL.create({
+      type: provider.type,
+      version: 1,
+      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
+      maxTTL,
+      defaultTTL,
+      folderId: folder.id,
+      name,
+      projectGatewayId: selectedGatewayId
    });
-
    return dynamicSecretCfg;
  };

@@ -181,8 +156,7 @@ export const dynamicSecretServiceFactory = ({
    actorId,
    newName,
    actorOrgId,
-    actorAuthMethod,
-    metadata
+    actorAuthMethod
  }: TUpdateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -197,6 +171,10 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan?.dynamicSecret) {
@@ -215,27 +193,6 @@ export const dynamicSecretServiceFactory = ({
        message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found`
      });
    }
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
-    if (metadata) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionDynamicSecretActions.EditRootCredential,
-        subject(ProjectPermissionSub.DynamicSecrets, {
-          environment: environmentSlug,
-          secretPath: path,
-          metadata
-        })
-      );
-    }
-
    if (newName) {
      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
      if (existingDynamicSecret)
@@ -274,41 +231,14 @@ export const dynamicSecretServiceFactory = ({
    const isConnected = await selectedProvider.validateConnection(newInput);
    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });

-    const updatedDynamicCfg = await dynamicSecretDAL.transaction(async (tx) => {
-      const cfg = await dynamicSecretDAL.updateById(
-        dynamicSecretCfg.id,
-        {
-          encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) })
-            .cipherTextBlob,
-          maxTTL,
-          defaultTTL,
-          name: newName ?? name,
-          status: null,
-          projectGatewayId: selectedGatewayId
-        },
-        tx
-      );
-
-      if (metadata) {
-        await resourceMetadataDAL.delete(
-          {
-            dynamicSecretId: cfg.id
-          },
-          tx
-        );
-
-        await resourceMetadataDAL.insertMany(
-          metadata.map(({ key, value }) => ({
-            key,
-            value,
-            dynamicSecretId: cfg.id,
-            orgId: actorOrgId
-          })),
-          tx
-        );
-      }
-
-      return cfg;
+    const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
+      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) }).cipherTextBlob,
+      maxTTL,
+      defaultTTL,
+      name: newName ?? name,
+      status: null,
+      statusDetails: null,
+      projectGatewayId: selectedGatewayId
    });

    return updatedDynamicCfg;
@@ -338,6 +268,10 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder)
@@ -348,15 +282,6 @@ export const dynamicSecretServiceFactory = ({
      throw new NotFoundError({ message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found` });
    }

-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
    const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
    // when not forced we check with the external system to first remove the things
    // we introduce a forced concept because consider the external lease got deleted by some other external like a human or another system
@@ -404,6 +329,14 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder)
@@ -413,25 +346,6 @@ export const dynamicSecretServiceFactory = ({
    if (!dynamicSecretCfg) {
      throw new NotFoundError({ message: `Dynamic secret with name '${name} in folder '${path}' not found` });
    }
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId
@@ -442,7 +356,6 @@ export const dynamicSecretServiceFactory = ({
    ) as object;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
-
    return { ...dynamicSecretCfg, inputs: providerInputs };
  };

@@ -513,7 +426,7 @@ export const dynamicSecretServiceFactory = ({
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      ProjectPermissionSub.DynamicSecrets
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -560,12 +473,16 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder)
      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });

-    const dynamicSecretCfg = await dynamicSecretDAL.findWithMetadata(
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
      {
        limit,
@@ -573,17 +490,7 @@ export const dynamicSecretServiceFactory = ({
        sort: orderBy ? [[orderBy, orderDirection]] : undefined
      }
    );
-
-    return dynamicSecretCfg.filter((dynamicSecret) => {
-      return permission.can(
-        ProjectPermissionDynamicSecretActions.ReadRootCredential,
-        subject(ProjectPermissionSub.DynamicSecrets, {
-          environment: environmentSlug,
-          secretPath: path,
-          metadata: dynamicSecret.metadata
-        })
-      );
-    });
+    return dynamicSecretCfg;
  };

  const listDynamicSecretsByFolderIds = async (
@@ -635,14 +542,24 @@ export const dynamicSecretServiceFactory = ({
    isInternal,
    ...params
  }: TListDynamicSecretsMultiEnvDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission({
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
+      });
+
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionDynamicSecretActions.ReadRootCredential,
+          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }

    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
    if (!folders.length)
@@ -655,16 +572,7 @@ export const dynamicSecretServiceFactory = ({
      ...params
    });

-    return dynamicSecretCfg.filter((dynamicSecret) => {
-      return permission.can(
-        ProjectPermissionDynamicSecretActions.ReadRootCredential,
-        subject(ProjectPermissionSub.DynamicSecrets, {
-          environment: dynamicSecret.environment,
-          secretPath: path,
-          metadata: dynamicSecret.metadata
-        })
-      );
-    });
+    return dynamicSecretCfg;
  };

  const fetchAzureEntraIdUsers = async ({
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
@@ -1,7 +1,6 @@
 import { z } from "zod";

 import { OrderByDirection, TProjectPermission } from "@app/lib/types";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";

 import { DynamicSecretProviderSchema } from "./providers/models";
@@ -21,7 +20,6 @@ export type TCreateDynamicSecretDTO = {
  environmentSlug: string;
  name: string;
  projectSlug: string;
-  metadata?: ResourceMetadataDTO;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateDynamicSecretDTO = {
@@ -33,7 +31,6 @@ export type TUpdateDynamicSecretDTO = {
  environmentSlug: string;
  inputs?: TProvider["inputs"];
  projectSlug: string;
-  metadata?: ResourceMetadataDTO;
 } & Omit<TProjectPermission, "projectId">;

 export type TDeleteDynamicSecretDTO = {
--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@@ -2,7 +2,6 @@ import handlebars from "handlebars";
 import ldapjs from "ldapjs";
 import ldif from "ldif";
 import { customAlphabet } from "nanoid";
-import RE2 from "re2";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
@@ -195,8 +194,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
    const client = await $getClient(providerInputs);

    if (providerInputs.credentialType === LdapCredentialType.Static) {
-      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
-      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);

      if (dnMatch) {
        const username = dnMatch[1];
@@ -240,8 +238,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
    const client = await $getClient(providerInputs);

    if (providerInputs.credentialType === LdapCredentialType.Static) {
-      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
-      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);

      if (dnMatch) {
        const username = dnMatch[1];
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@@ -7,7 +7,7 @@ import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/er
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey, KmsKeyUsage } from "@app/services/kms/kms-types";
+import { KmsDataKey } from "@app/services/kms/kms-types";

 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -115,7 +115,6 @@ export const externalKmsServiceFactory = ({
        {
          isReserved: false,
          description,
-          keyUsage: KmsKeyUsage.ENCRYPT_DECRYPT,
          name: kmsName,
          orgId: actorOrgId
        },
--- a/backend/src/ee/services/external-kms/providers/gcp-kms.ts
+++ b/backend/src/ee/services/external-kms/providers/gcp-kms.ts
@@ -92,7 +92,7 @@ export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Pro
      plaintext: data
    });
    if (!encryptedText[0].ciphertext) throw new Error("encryption failed");
-    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext as Uint8Array) };
+    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext) };
  };

  const decrypt = async (encryptedBlob: Buffer) => {
@@ -101,7 +101,7 @@ export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Pro
      ciphertext: encryptedBlob
    });
    if (!decryptedText[0].plaintext) throw new Error("decryption failed");
-    return { data: Buffer.from(decryptedText[0].plaintext as Uint8Array) };
+    return { data: Buffer.from(decryptedText[0].plaintext) };
  };

  return {
--- a/backend/src/ee/services/hsm/hsm-service.ts
+++ b/backend/src/ee/services/hsm/hsm-service.ts
@@ -258,7 +258,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
  const decrypt: {
    (encryptedBlob: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
    (encryptedBlob: Buffer): Promise<Buffer>;
-  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle): Promise<Buffer> => {
+  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle) => {
    if (!pkcs11 || !isInitialized) {
      throw new Error("PKCS#11 module is not initialized");
    }
@@ -309,10 +309,10 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon

        pkcs11.C_DecryptInit(sessionHandle, decryptMechanism, aesKey);

-        const tempBuffer: Buffer = Buffer.alloc(encryptedData.length);
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        const tempBuffer = Buffer.alloc(encryptedData.length);
        const decryptedData = pkcs11.C_Decrypt(sessionHandle, encryptedData, tempBuffer);

+        // Create a new buffer from the decrypted data
        return Buffer.from(decryptedData);
      } catch (error) {
        logger.error(error, "HSM: Failed to perform decryption");
--- a/backend/src/ee/services/kmip/kmip-operation-service.ts
+++ b/backend/src/ee/services/kmip/kmip-operation-service.ts
@@ -3,7 +3,6 @@ import { ForbiddenError } from "@casl/ability";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsKeyUsage } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

 import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -404,7 +403,6 @@ export const kmipOperationServiceFactory = ({
      algorithm,
      isReserved: false,
      projectId,
-      keyUsage: KmsKeyUsage.ENCRYPT_DECRYPT,
      orgId: project.orgId
    });

--- a/backend/src/ee/services/kmip/kmip-types.ts
+++ b/backend/src/ee/services/kmip/kmip-types.ts
@@ -1,4 +1,4 @@
-import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { OrderByDirection, TOrgPermission, TProjectPermission } from "@app/lib/types";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";

@@ -49,7 +49,7 @@ type KmipOperationBaseDTO = {
 } & Omit<TOrgPermission, "orgId">;

 export type TKmipCreateDTO = {
-  algorithm: SymmetricKeyAlgorithm;
+  algorithm: SymmetricEncryption;
 } & KmipOperationBaseDTO;

 export type TKmipGetDTO = {
@@ -77,7 +77,7 @@ export type TKmipLocateDTO = KmipOperationBaseDTO;
 export type TKmipRegisterDTO = {
  name: string;
  key: string;
-  algorithm: SymmetricKeyAlgorithm;
+  algorithm: SymmetricEncryption;
 } & KmipOperationBaseDTO;

 export type TSetupOrgKmipDTO = {
--- a/backend/src/ee/services/oidc/oidc-config-dal.ts
+++ b/backend/src/ee/services/oidc/oidc-config-dal.ts
@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";

 export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
@@ -7,5 +8,22 @@ export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
 export const oidcConfigDALFactory = (db: TDbClient) => {
  const oidcCfgOrm = ormify(db, TableName.OidcConfig);

-  return oidcCfgOrm;
+  const findEnforceableOidcCfg = async (orgId: string) => {
+    try {
+      const oidcCfg = await db
+        .replicaNode()(TableName.OidcConfig)
+        .where({
+          orgId,
+          isActive: true
+        })
+        .whereNotNull("lastUsed")
+        .first();
+
+      return oidcCfg;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org by id" });
+    }
+  };
+
+  return { ...oidcCfgOrm, findEnforceableOidcCfg };
 };
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -165,8 +165,7 @@ export const oidcConfigServiceFactory = ({
      allowedEmailDomains: oidcCfg.allowedEmailDomains,
      clientId,
      clientSecret,
-      manageGroupMemberships: oidcCfg.manageGroupMemberships,
-      jwtSignatureAlgorithm: oidcCfg.jwtSignatureAlgorithm
+      manageGroupMemberships: oidcCfg.manageGroupMemberships
    };
  };

@@ -482,8 +481,7 @@ export const oidcConfigServiceFactory = ({
    userinfoEndpoint,
    clientId,
    clientSecret,
-    manageGroupMemberships,
-    jwtSignatureAlgorithm
+    manageGroupMemberships
  }: TUpdateOidcCfgDTO) => {
    const org = await orgDAL.findOne({
      slug: orgSlug
@@ -538,8 +536,7 @@ export const oidcConfigServiceFactory = ({
      jwksUri,
      isActive,
      lastUsed: null,
-      manageGroupMemberships,
-      jwtSignatureAlgorithm
+      manageGroupMemberships
    };

    if (clientId !== undefined) {
@@ -572,8 +569,7 @@ export const oidcConfigServiceFactory = ({
    userinfoEndpoint,
    clientId,
    clientSecret,
-    manageGroupMemberships,
-    jwtSignatureAlgorithm
+    manageGroupMemberships
  }: TCreateOidcCfgDTO) => {
    const org = await orgDAL.findOne({
      slug: orgSlug
@@ -617,7 +613,6 @@ export const oidcConfigServiceFactory = ({
      userinfoEndpoint,
      orgId: org.id,
      manageGroupMemberships,
-      jwtSignatureAlgorithm,
      encryptedOidcClientId: encryptor({ plainText: Buffer.from(clientId) }).cipherTextBlob,
      encryptedOidcClientSecret: encryptor({ plainText: Buffer.from(clientSecret) }).cipherTextBlob
    });
@@ -681,8 +676,7 @@ export const oidcConfigServiceFactory = ({
    const client = new issuer.Client({
      client_id: oidcCfg.clientId,
      client_secret: oidcCfg.clientSecret,
-      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`],
-      id_token_signed_response_alg: oidcCfg.jwtSignatureAlgorithm
+      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`]
    });

    const strategy = new OpenIdStrategy(
--- a/backend/src/ee/services/oidc/oidc-config-types.ts
+++ b/backend/src/ee/services/oidc/oidc-config-types.ts
@@ -5,12 +5,6 @@ export enum OIDCConfigurationType {
  DISCOVERY_URL = "discoveryURL"
 }

-export enum OIDCJWTSignatureAlgorithm {
-  RS256 = "RS256",
-  HS256 = "HS256",
-  RS512 = "RS512"
-}
-
 export type TOidcLoginDTO = {
  externalId: string;
  email: string;
@@ -46,7 +40,6 @@ export type TCreateOidcCfgDTO = {
  isActive: boolean;
  orgSlug: string;
  manageGroupMemberships: boolean;
-  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 } & TGenericPermission;

 export type TUpdateOidcCfgDTO = Partial<{
@@ -63,6 +56,5 @@ export type TUpdateOidcCfgDTO = Partial<{
  isActive: boolean;
  orgSlug: string;
  manageGroupMemberships: boolean;
-  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 }> &
  TGenericPermission;
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -3,7 +3,6 @@ import { z } from "zod";
 import { TDbClient } from "@app/db";
 import {
  IdentityProjectMembershipRoleSchema,
-  OrgMembershipRole,
  OrgMembershipsSchema,
  TableName,
  TProjectRoles,
@@ -54,7 +53,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
          db.ref("permissions").withSchema(TableName.OrgRoles),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
          db.ref("groupId").withSchema("userGroups"),
          db.ref("groupOrgId").withSchema("userGroups"),
          db.ref("groupName").withSchema("userGroups"),
@@ -73,7 +71,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          OrgMembershipsSchema.extend({
            permissions: z.unknown(),
            orgAuthEnforced: z.boolean().optional().nullable(),
-            bypassOrgAuthEnabled: z.boolean(),
            customRoleSlug: z.string().optional().nullable(),
            shouldUseNewPrivilegeSystem: z.boolean()
          }).parse(el),
@@ -574,11 +571,6 @@ export const permissionDALFactory = (db: TDbClient) => {
        })
        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .join(TableName.OrgMembership, (qb) => {
-          void qb
-            .on(`${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
-            .andOn(`${TableName.OrgMembership}.orgId`, `${TableName.Organization}.id`);
-        })
        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
@@ -678,8 +670,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
-          db.ref("role").withSchema(TableName.OrgMembership).as("orgRole"),
          db.ref("orgId").withSchema(TableName.Project),
          db.ref("type").withSchema(TableName.Project).as("projectType"),
          db.ref("id").withSchema(TableName.Project).as("projectId"),
@@ -693,7 +683,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          orgId,
          username,
          orgAuthEnforced,
-          orgRole,
          membershipId,
          groupMembershipId,
          membershipCreatedAt,
@@ -701,12 +690,10 @@ export const permissionDALFactory = (db: TDbClient) => {
          groupMembershipUpdatedAt,
          membershipUpdatedAt,
          projectType,
-          shouldUseNewPrivilegeSystem,
-          bypassOrgAuthEnabled
+          shouldUseNewPrivilegeSystem
        }) => ({
          orgId,
          orgAuthEnforced,
-          orgRole: orgRole as OrgMembershipRole,
          userId,
          projectId,
          username,
@@ -714,8 +701,7 @@ export const permissionDALFactory = (db: TDbClient) => {
          id: membershipId || groupMembershipId,
          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt,
-          shouldUseNewPrivilegeSystem,
-          bypassOrgAuthEnabled
+          shouldUseNewPrivilegeSystem
        }),
        childrenMapper: [
          {
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -2,7 +2,7 @@
 import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/ability";
 import { z } from "zod";

-import { OrgMembershipRole, TOrganizations } from "@app/db/schemas";
+import { TOrganizations } from "@app/db/schemas";
 import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
@@ -118,20 +118,11 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
  ].includes(actorAuthMethod);
 }

-function validateOrgSSO(
-  actorAuthMethod: ActorAuthMethod,
-  isOrgSsoEnforced: TOrganizations["authEnforced"],
-  isOrgSsoBypassEnabled: TOrganizations["bypassOrgAuthEnabled"],
-  orgRole: OrgMembershipRole
-) {
+function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrganizations["authEnforced"]) {
  if (actorAuthMethod === undefined) {
    throw new UnauthorizedError({ name: "No auth method defined" });
  }

-  if (isOrgSsoEnforced && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
-    return;
-  }
-
  if (
    isOrgSsoEnforced &&
    actorAuthMethod !== null &&
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -139,12 +139,7 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
    }

-    validateOrgSSO(
-      authMethod,
-      membership.orgAuthEnforced,
-      membership.bypassOrgAuthEnabled,
-      membership.role as OrgMembershipRole
-    );
+    validateOrgSSO(authMethod, membership.orgAuthEnforced);

    const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
      membership?.groups?.map(({ role, customRolePermission }) => ({
@@ -231,12 +226,7 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
    }

-    validateOrgSSO(
-      authMethod,
-      userProjectPermission.orgAuthEnforced,
-      userProjectPermission.bypassOrgAuthEnabled,
-      userProjectPermission.orgRole
-    );
+    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);

    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
      throw new BadRequestError({
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -32,9 +32,7 @@ export enum ProjectPermissionCmekActions {
  Edit = "edit",
  Delete = "delete",
  Encrypt = "encrypt",
-  Decrypt = "decrypt",
-  Sign = "sign",
-  Verify = "verify"
+  Decrypt = "decrypt"
 }

 export enum ProjectPermissionDynamicSecretActions {
@@ -69,14 +67,6 @@ export enum ProjectPermissionGroupActions {
  GrantPrivileges = "grant-privileges"
 }

-export enum ProjectPermissionSshHostActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  IssueHostCert = "issue-host-cert"
-}
-
 export enum ProjectPermissionSecretSyncActions {
  Read = "read",
  Create = "create",
@@ -131,7 +121,6 @@ export enum ProjectPermissionSub {
  SshCertificateAuthorities = "ssh-certificate-authorities",
  SshCertificates = "ssh-certificates",
  SshCertificateTemplates = "ssh-certificate-templates",
-  SshHosts = "ssh-hosts",
  PkiAlerts = "pki-alerts",
  PkiCollections = "pki-collections",
  Kms = "kms",
@@ -155,10 +144,6 @@ export type SecretFolderSubjectFields = {
 export type DynamicSecretSubjectFields = {
  environment: string;
  secretPath: string;
-  metadata?: {
-    key: string;
-    value: string;
-  }[];
 };

 export type SecretImportSubjectFields = {
@@ -175,10 +160,6 @@ export type IdentityManagementSubjectFields = {
  identityId: string;
 };

-export type SshHostSubjectFields = {
-  hostname: string;
-};
-
 export type ProjectPermissionSet =
  | [
      ProjectPermissionSecretActions,
@@ -234,10 +215,6 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
-  | [
-      ProjectPermissionSshHostActions,
-      ProjectPermissionSub.SshHosts | (ForcedSubject<ProjectPermissionSub.SshHosts> & SshHostSubjectFields)
-    ]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
@@ -288,42 +265,6 @@ const SecretConditionV1Schema = z
  })
  .partial();

-const DynamicSecretConditionV2Schema = z
-  .object({
-    environment: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ]),
-    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA,
-    metadata: z.object({
-      [PermissionConditionOperators.$ELEMENTMATCH]: z
-        .object({
-          key: z
-            .object({
-              [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-              [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-              [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-            })
-            .partial(),
-          value: z
-            .object({
-              [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-              [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-              [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-            })
-            .partial()
-        })
-        .partial()
-    })
-  })
-  .partial();
-
 const SecretConditionV2Schema = z
  .object({
    environment: z.union([
@@ -372,21 +313,6 @@ const IdentityManagementConditionSchema = z
  })
  .partial();

-const SshHostConditionSchema = z
-  .object({
-    hostname: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
-  })
-  .partial();
-
 const GeneralPermissionSchema = [
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
@@ -621,7 +547,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionDynamicSecretActions).describe(
      "Describe what action an entity can take."
    ),
-    conditions: DynamicSecretConditionV2Schema.describe(
+    conditions: SecretConditionV1Schema.describe(
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
@@ -635,16 +561,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.SshHosts).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSshHostActions).describe(
-      "Describe what action an entity can take."
-    ),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    conditions: SshHostConditionSchema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
@@ -697,17 +613,6 @@ const buildAdminPermissionRules = () => {
    );
  });

-  can(
-    [
-      ProjectPermissionSshHostActions.Edit,
-      ProjectPermissionSshHostActions.Read,
-      ProjectPermissionSshHostActions.Create,
-      ProjectPermissionSshHostActions.Delete,
-      ProjectPermissionSshHostActions.IssueHostCert
-    ],
-    ProjectPermissionSub.SshHosts
-  );
-
  can(
    [
      ProjectPermissionMemberActions.Create,
@@ -774,9 +679,7 @@ const buildAdminPermissionRules = () => {
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt,
-      ProjectPermissionCmekActions.Sign,
-      ProjectPermissionCmekActions.Verify
+      ProjectPermissionCmekActions.Decrypt
    ],
    ProjectPermissionSub.Cmek
  );
@@ -965,12 +868,11 @@ const buildMemberPermissionRules = () => {
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);

+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateAuthorities);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);

-  can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
-
  can(
    [
      ProjectPermissionCmekActions.Create,
@@ -978,9 +880,7 @@ const buildMemberPermissionRules = () => {
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt,
-      ProjectPermissionCmekActions.Sign,
-      ProjectPermissionCmekActions.Verify
+      ProjectPermissionCmekActions.Decrypt
    ],
    ProjectPermissionSub.Cmek
  );
@@ -1030,6 +930,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
--- a/backend/src/ee/services/saml-config/saml-config-dal.ts
+++ b/backend/src/ee/services/saml-config/saml-config-dal.ts
@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";

 export type TSamlConfigDALFactory = ReturnType<typeof samlConfigDALFactory>;
@@ -7,5 +8,25 @@ export type TSamlConfigDALFactory = ReturnType<typeof samlConfigDALFactory>;
 export const samlConfigDALFactory = (db: TDbClient) => {
  const samlCfgOrm = ormify(db, TableName.SamlConfig);

-  return samlCfgOrm;
+  const findEnforceableSamlCfg = async (orgId: string) => {
+    try {
+      const samlCfg = await db
+        .replicaNode()(TableName.SamlConfig)
+        .where({
+          orgId,
+          isActive: true
+        })
+        .whereNotNull("lastUsed")
+        .first();
+
+      return samlCfg;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org by id" });
+    }
+  };
+
+  return {
+    ...samlCfgOrm,
+    findEnforceableSamlCfg
+  };
 };
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -594,7 +594,6 @@ export const scimServiceFactory = ({
        },
        tx
      );
-
      await orgMembershipDAL.updateById(
        membership.id,
        {
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -113,13 +113,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
  secretV2BridgeDAL: Pick<
    TSecretV2BridgeDALFactory,
-    | "insertMany"
-    | "upsertSecretReferences"
-    | "findBySecretKeys"
-    | "bulkUpdate"
-    | "deleteMany"
-    | "find"
-    | "invalidateSecretCacheByProjectId"
+    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany" | "find"
  >;
  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -268,14 +262,13 @@ export const secretApprovalRequestServiceFactory = ({
        id: el.id,
        version: el.version,
        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
-        isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValue:
-          // eslint-disable-next-line no-nested-ternary
-          el.secret && el.secret.isRotatedSecret
-            ? undefined
-            : el.encryptedValue
-              ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-              : "",
+        isRotatedSecret: el.secret.isRotatedSecret,
+        // eslint-disable-next-line no-nested-ternary
+        secretValue: el.secret.isRotatedSecret
+          ? undefined
+          : el.encryptedValue
+            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
+            : "",
        secretComment: el.encryptedComment
          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
          : "",
@@ -622,7 +615,7 @@ export const secretApprovalRequestServiceFactory = ({
              tx,
              inputSecrets: secretUpdationCommits.map((el) => {
                const encryptedValue =
-                  !el.secret?.isRotatedSecret && typeof el.encryptedValue !== "undefined"
+                  !el.secret.isRotatedSecret && typeof el.encryptedValue !== "undefined"
                    ? {
                        encryptedValue: el.encryptedValue as Buffer,
                        references: el.encryptedValue
@@ -870,7 +863,6 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }

-    await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
    await snapshotService.performSnapshot(folderId);
    const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
    if (!folder) {
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@@ -45,14 +45,7 @@ type TSecretReplicationServiceFactoryDep = {
  secretVersionDAL: Pick<TSecretVersionDALFactory, "find" | "insertMany" | "update" | "findLatestVersionMany">;
  secretV2BridgeDAL: Pick<
    TSecretV2BridgeDALFactory,
-    | "find"
-    | "findBySecretKeys"
-    | "insertMany"
-    | "bulkUpdate"
-    | "delete"
-    | "upsertSecretReferences"
-    | "transaction"
-    | "invalidateSecretCacheByProjectId"
+    "find" | "findBySecretKeys" | "insertMany" | "bulkUpdate" | "delete" | "upsertSecretReferences" | "transaction"
  >;
  secretVersionV2BridgeDAL: Pick<
    TSecretVersionV2DALFactory,
@@ -504,7 +497,6 @@ export const secretReplicationServiceFactory = ({
                }
              });

-              await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
              await secretQueueService.syncSecrets({
                projectId,
                orgId,
--- a/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-constants.ts
+++ b/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-constants.ts
@@ -1,15 +0,0 @@
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
-  name: "Auth0 Client Secret",
-  type: SecretRotation.Auth0ClientSecret,
-  connection: AppConnection.Auth0,
-  template: {
-    secretsMapping: {
-      clientId: "AUTH0_CLIENT_ID",
-      clientSecret: "AUTH0_CLIENT_SECRET"
-    }
-  }
-};
--- a/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns.ts
@@ -1,104 +0,0 @@
-import {
-  TAuth0ClientSecretRotationGeneratedCredentials,
-  TAuth0ClientSecretRotationWithConnection
-} from "@app/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types";
-import {
-  TRotationFactory,
-  TRotationFactoryGetSecretsPayload,
-  TRotationFactoryIssueCredentials,
-  TRotationFactoryRevokeCredentials,
-  TRotationFactoryRotateCredentials
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { request } from "@app/lib/config/request";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
-import { getAuth0ConnectionAccessToken } from "@app/services/app-connection/auth0";
-
-import { generatePassword } from "../shared/utils";
-
-export const auth0ClientSecretRotationFactory: TRotationFactory<
-  TAuth0ClientSecretRotationWithConnection,
-  TAuth0ClientSecretRotationGeneratedCredentials
-> = (secretRotation, appConnectionDAL, kmsService) => {
-  const {
-    connection,
-    parameters: { clientId },
-    secretsMapping
-  } = secretRotation;
-
-  const $rotateClientSecret = async () => {
-    const accessToken = await getAuth0ConnectionAccessToken(connection, appConnectionDAL, kmsService);
-    const { audience } = connection.credentials;
-    await blockLocalAndPrivateIpAddresses(audience);
-    const clientSecret = generatePassword();
-
-    await request.request({
-      method: "PATCH",
-      url: `${audience}clients/${clientId}`,
-      headers: { authorization: `Bearer ${accessToken}` },
-      data: {
-        client_secret: clientSecret
-      }
-    });
-
-    return { clientId, clientSecret };
-  };
-
-  const issueCredentials: TRotationFactoryIssueCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
-    callback
-  ) => {
-    const credentials = await $rotateClientSecret();
-
-    return callback(credentials);
-  };
-
-  const revokeCredentials: TRotationFactoryRevokeCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
-    _,
-    callback
-  ) => {
-    const accessToken = await getAuth0ConnectionAccessToken(connection, appConnectionDAL, kmsService);
-    const { audience } = connection.credentials;
-    await blockLocalAndPrivateIpAddresses(audience);
-
-    // we just trigger an auth0 rotation to negate our credentials
-    await request.request({
-      method: "POST",
-      url: `${audience}clients/${clientId}/rotate-secret`,
-      headers: { authorization: `Bearer ${accessToken}` }
-    });
-
-    return callback();
-  };
-
-  const rotateCredentials: TRotationFactoryRotateCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
-    _,
-    callback
-  ) => {
-    const credentials = await $rotateClientSecret();
-
-    return callback(credentials);
-  };
-
-  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TAuth0ClientSecretRotationGeneratedCredentials> = (
-    generatedCredentials
-  ) => {
-    const secrets = [
-      {
-        key: secretsMapping.clientId,
-        value: generatedCredentials.clientId
-      },
-      {
-        key: secretsMapping.clientSecret,
-        value: generatedCredentials.clientSecret
-      }
-    ];
-
-    return secrets;
-  };
-
-  return {
-    issueCredentials,
-    revokeCredentials,
-    rotateCredentials,
-    getSecretsPayload
-  };
-};
--- a/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-schemas.ts
+++ b/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-schemas.ts
@@ -1,67 +0,0 @@
-import { z } from "zod";
-
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import {
-  BaseCreateSecretRotationSchema,
-  BaseSecretRotationSchema,
-  BaseUpdateSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
-import { SecretRotations } from "@app/lib/api-docs";
-import { SecretNameSchema } from "@app/server/lib/schemas";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const Auth0ClientSecretRotationGeneratedCredentialsSchema = z
-  .object({
-    clientId: z.string(),
-    clientSecret: z.string()
-  })
-  .array()
-  .min(1)
-  .max(2);
-
-const Auth0ClientSecretRotationParametersSchema = z.object({
-  clientId: z
-    .string()
-    .trim()
-    .min(1, "Client ID Required")
-    .describe(SecretRotations.PARAMETERS.AUTH0_CLIENT_SECRET.clientId)
-});
-
-const Auth0ClientSecretRotationSecretsMappingSchema = z.object({
-  clientId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AUTH0_CLIENT_SECRET.clientId),
-  clientSecret: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AUTH0_CLIENT_SECRET.clientSecret)
-});
-
-export const Auth0ClientSecretRotationTemplateSchema = z.object({
-  secretsMapping: z.object({
-    clientId: z.string(),
-    clientSecret: z.string()
-  })
-});
-
-export const Auth0ClientSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.Auth0ClientSecret).extend({
-  type: z.literal(SecretRotation.Auth0ClientSecret),
-  parameters: Auth0ClientSecretRotationParametersSchema,
-  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema
-});
-
-export const CreateAuth0ClientSecretRotationSchema = BaseCreateSecretRotationSchema(
-  SecretRotation.Auth0ClientSecret
-).extend({
-  parameters: Auth0ClientSecretRotationParametersSchema,
-  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema
-});
-
-export const UpdateAuth0ClientSecretRotationSchema = BaseUpdateSecretRotationSchema(
-  SecretRotation.Auth0ClientSecret
-).extend({
-  parameters: Auth0ClientSecretRotationParametersSchema.optional(),
-  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema.optional()
-});
-
-export const Auth0ClientSecretRotationListItemSchema = z.object({
-  name: z.literal("Auth0 Client Secret"),
-  connection: z.literal(AppConnection.Auth0),
-  type: z.literal(SecretRotation.Auth0ClientSecret),
-  template: Auth0ClientSecretRotationTemplateSchema
-});
--- a/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types.ts
+++ b/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types.ts
@@ -1,24 +0,0 @@
-import { z } from "zod";
-
-import { TAuth0Connection } from "@app/services/app-connection/auth0";
-
-import {
-  Auth0ClientSecretRotationGeneratedCredentialsSchema,
-  Auth0ClientSecretRotationListItemSchema,
-  Auth0ClientSecretRotationSchema,
-  CreateAuth0ClientSecretRotationSchema
-} from "./auth0-client-secret-rotation-schemas";
-
-export type TAuth0ClientSecretRotation = z.infer<typeof Auth0ClientSecretRotationSchema>;
-
-export type TAuth0ClientSecretRotationInput = z.infer<typeof CreateAuth0ClientSecretRotationSchema>;
-
-export type TAuth0ClientSecretRotationListItem = z.infer<typeof Auth0ClientSecretRotationListItemSchema>;
-
-export type TAuth0ClientSecretRotationWithConnection = TAuth0ClientSecretRotation & {
-  connection: TAuth0Connection;
-};
-
-export type TAuth0ClientSecretRotationGeneratedCredentials = z.infer<
-  typeof Auth0ClientSecretRotationGeneratedCredentialsSchema
->;
--- a/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/index.ts
+++ b/backend/src/ee/services/secret-rotation-v2/auth0-client-secret/index.ts
@@ -1,3 +0,0 @@
-export * from "./auth0-client-secret-rotation-constants";
-export * from "./auth0-client-secret-rotation-schemas";
-export * from "./auth0-client-secret-rotation-types";
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts
@@ -1,7 +1,6 @@
 export enum SecretRotation {
  PostgresCredentials = "postgres-credentials",
-  MsSqlCredentials = "mssql-credentials",
-  Auth0ClientSecret = "auth0-client-secret"
+  MsSqlCredentials = "mssql-credentials"
 }

 export enum SecretRotationStatus {
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
@@ -3,7 +3,6 @@ import { AxiosError } from "axios";
 import { getConfig } from "@app/lib/config/env";
 import { KmsDataKey } from "@app/services/kms/kms-types";

-import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -17,8 +16,7 @@ import {

 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
  [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION
+  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION
 };

 export const listSecretRotationOptions = () => {
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts
@@ -3,12 +3,10 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums

 export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
  [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
-  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Sever Credentials",
-  [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret"
+  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Sever Credentials"
 };

 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
  [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
-  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
-  [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0
+  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql
 };
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
@@ -13,7 +13,6 @@ import {
  ProjectPermissionSecretRotationActions,
  ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
-import { auth0ClientSecretRotationFactory } from "@app/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns";
 import { SecretRotation, SecretRotationStatus } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
  calculateNextRotationAt,
@@ -42,7 +41,6 @@ import {
  TRotationFactory,
  TSecretRotationRotateGeneratedCredentials,
  TSecretRotationV2,
-  TSecretRotationV2GeneratedCredentials,
  TSecretRotationV2Raw,
  TSecretRotationV2WithConnection,
  TUpdateSecretRotationV2DTO
@@ -55,7 +53,6 @@ import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { QueueJobs, TQueueServiceFactory } from "@app/queue";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -91,7 +88,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
  secretV2BridgeDAL: Pick<
    TSecretV2BridgeDALFactory,
-    "bulkUpdate" | "insertMany" | "deleteMany" | "upsertSecretReferences" | "find" | "invalidateSecretCacheByProjectId"
+    "bulkUpdate" | "insertMany" | "deleteMany" | "upsertSecretReferences" | "find"
  >;
  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -100,21 +97,15 @@ export type TSecretRotationV2ServiceFactoryDep = {
  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "removeSecretReminder">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
  queueService: Pick<TQueueServiceFactory, "queuePg">;
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
 };

 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;

 const MAX_GENERATED_CREDENTIALS_LENGTH = 2;

-type TRotationFactoryImplementation = TRotationFactory<
-  TSecretRotationV2WithConnection,
-  TSecretRotationV2GeneratedCredentials
->;
-const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
-  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation
+const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactory> = {
+  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory,
+  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory
 };

 export const secretRotationV2ServiceFactory = ({
@@ -134,8 +125,7 @@ export const secretRotationV2ServiceFactory = ({
  secretQueueService,
  snapshotService,
  keyStore,
-  queueService,
-  appConnectionDAL
+  queueService
 }: TSecretRotationV2ServiceFactoryDep) => {
  const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
    const appCfg = getConfig();
@@ -439,15 +429,11 @@ export const secretRotationV2ServiceFactory = ({
    // validates permission to connect and app is valid for rotation type
    const connection = await appConnectionService.connectAppConnectionById(typeApp, payload.connectionId, actor);

-    const rotationFactory = SECRET_ROTATION_FACTORY_MAP[payload.type](
-      {
-        parameters: payload.parameters,
-        secretsMapping,
-        connection
-      } as TSecretRotationV2WithConnection,
-      appConnectionDAL,
-      kmsService
-    );
+    const rotationFactory = SECRET_ROTATION_FACTORY_MAP[payload.type]({
+      parameters: payload.parameters,
+      secretsMapping,
+      connection
+    } as TSecretRotationV2WithConnection);

    try {
      const currentTime = new Date();
@@ -455,7 +441,7 @@ export const secretRotationV2ServiceFactory = ({
      // callback structure to support transactional rollback when possible
      const secretRotation = await rotationFactory.issueCredentials(async (newCredentials) => {
        const encryptedGeneratedCredentials = await encryptSecretRotationCredentials({
-          generatedCredentials: [newCredentials] as TSecretRotationV2GeneratedCredentials,
+          generatedCredentials: [newCredentials],
          projectId,
          kmsService
        });
@@ -529,7 +515,6 @@ export const secretRotationV2ServiceFactory = ({
        });
      });

-      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
      await snapshotService.performSnapshot(folder.id);
      await secretQueueService.syncSecrets({
        orgId: connection.orgId,
@@ -666,7 +651,6 @@ export const secretRotationV2ServiceFactory = ({
      });

      if (secretsMappingUpdated) {
-        await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
        await snapshotService.performSnapshot(folder.id);
        await secretQueueService.syncSecrets({
          orgId: connection.orgId,
@@ -754,37 +738,32 @@ export const secretRotationV2ServiceFactory = ({
        message: `Secret Rotation with ID "${rotationId}" is not configured for ${SECRET_ROTATION_NAME_MAP[type]}`
      });

-    const deleteTransaction = async () =>
-      secretRotationV2DAL.transaction(async (tx) => {
-        if (deleteSecrets) {
-          await fnSecretBulkDelete({
-            secretDAL: secretV2BridgeDAL,
-            secretQueueService,
-            inputSecrets: Object.values(secretsMapping as TSecretRotationV2["secretsMapping"]).map((secretKey) => ({
-              secretKey,
-              type: SecretType.Shared
-            })),
-            projectId,
-            folderId,
-            actorId: actor.id, // not actually used since rotated secrets are shared
-            tx
-          });
-        }
+    const deleteTransaction = secretRotationV2DAL.transaction(async (tx) => {
+      if (deleteSecrets) {
+        await fnSecretBulkDelete({
+          secretDAL: secretV2BridgeDAL,
+          secretQueueService,
+          inputSecrets: Object.values(secretsMapping as TSecretRotationV2["secretsMapping"]).map((secretKey) => ({
+            secretKey,
+            type: SecretType.Shared
+          })),
+          projectId,
+          folderId,
+          actorId: actor.id, // not actually used since rotated secrets are shared
+          tx
+        });
+      }

-        return secretRotationV2DAL.deleteById(rotationId, tx);
-      });
+      return secretRotationV2DAL.deleteById(rotationId, tx);
+    });

    if (revokeGeneratedCredentials) {
      const appConnection = await decryptAppConnection(connection, kmsService);

-      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type](
-        {
-          ...secretRotation,
-          connection: appConnection
-        } as TSecretRotationV2WithConnection,
-        appConnectionDAL,
-        kmsService
-      );
+      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type]({
+        ...secretRotation,
+        connection: appConnection
+      } as TSecretRotationV2WithConnection);

      const generatedCredentials = await decryptSecretRotationCredentials({
        encryptedGeneratedCredentials,
@@ -792,13 +771,12 @@ export const secretRotationV2ServiceFactory = ({
        kmsService
      });

-      await rotationFactory.revokeCredentials(generatedCredentials, deleteTransaction);
+      await rotationFactory.revokeCredentials(generatedCredentials, async () => deleteTransaction);
    } else {
-      await deleteTransaction();
+      await deleteTransaction;
    }

    if (deleteSecrets) {
-      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
      await snapshotService.performSnapshot(folder.id);
      await secretQueueService.syncSecrets({
        orgId: connection.orgId,
@@ -859,14 +837,10 @@ export const secretRotationV2ServiceFactory = ({

      const inactiveCredentials = generatedCredentials[inactiveIndex];

-      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation](
-        {
-          ...secretRotation,
-          connection: appConnection
-        } as TSecretRotationV2WithConnection,
-        appConnectionDAL,
-        kmsService
-      );
+      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation]({
+        ...secretRotation,
+        connection: appConnection
+      } as TSecretRotationV2WithConnection);

      const updatedRotation = await rotationFactory.rotateCredentials(inactiveCredentials, async (newCredentials) => {
        const updatedCredentials = [...generatedCredentials];
@@ -874,7 +848,7 @@ export const secretRotationV2ServiceFactory = ({

        const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
          projectId,
-          generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
+          generatedCredentials: updatedCredentials,
          kmsService
        });

@@ -961,7 +935,6 @@ export const secretRotationV2ServiceFactory = ({
        }
      });

-      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
      await snapshotService.performSnapshot(folder.id);
      await secretQueueService.syncSecrets({
        orgId: connection.orgId,
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts
@@ -1,17 +1,8 @@
 import { AuditLogInfo } from "@app/ee/services/audit-log/audit-log-types";
 import { TSqlCredentialsRotationGeneratedCredentials } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { OrderByDirection } from "@app/lib/types";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";

-import {
-  TAuth0ClientSecretRotation,
-  TAuth0ClientSecretRotationGeneratedCredentials,
-  TAuth0ClientSecretRotationInput,
-  TAuth0ClientSecretRotationListItem,
-  TAuth0ClientSecretRotationWithConnection
-} from "./auth0-client-secret";
 import {
  TMsSqlCredentialsRotation,
  TMsSqlCredentialsRotationInput,
@@ -27,26 +18,17 @@ import {
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation } from "./secret-rotation-v2-enums";

-export type TSecretRotationV2 = TPostgresCredentialsRotation | TMsSqlCredentialsRotation | TAuth0ClientSecretRotation;
+export type TSecretRotationV2 = TPostgresCredentialsRotation | TMsSqlCredentialsRotation;

 export type TSecretRotationV2WithConnection =
  | TPostgresCredentialsRotationWithConnection
-  | TMsSqlCredentialsRotationWithConnection
-  | TAuth0ClientSecretRotationWithConnection;
+  | TMsSqlCredentialsRotationWithConnection;

-export type TSecretRotationV2GeneratedCredentials =
-  | TSqlCredentialsRotationGeneratedCredentials
-  | TAuth0ClientSecretRotationGeneratedCredentials;
+export type TSecretRotationV2GeneratedCredentials = TSqlCredentialsRotationGeneratedCredentials;

-export type TSecretRotationV2Input =
-  | TPostgresCredentialsRotationInput
-  | TMsSqlCredentialsRotationInput
-  | TAuth0ClientSecretRotationInput;
+export type TSecretRotationV2Input = TPostgresCredentialsRotationInput | TMsSqlCredentialsRotationInput;

-export type TSecretRotationV2ListItem =
-  | TPostgresCredentialsRotationListItem
-  | TMsSqlCredentialsRotationListItem
-  | TAuth0ClientSecretRotationListItem;
+export type TSecretRotationV2ListItem = TPostgresCredentialsRotationListItem | TMsSqlCredentialsRotationListItem;

 export type TSecretRotationV2Raw = NonNullable<Awaited<ReturnType<TSecretRotationV2DALFactory["findById"]>>>;

@@ -147,34 +129,27 @@ export type TSecretRotationSendNotificationJobPayload = {
 // transactional behavior. By passing in the rotation mutation, if this mutation fails we can roll back the
 // third party credential changes (when supported), preventing credentials getting out of sync

-export type TRotationFactoryIssueCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryIssueCredentials = (
+  callback: (newCredentials: TSecretRotationV2GeneratedCredentials[number]) => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;

-export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  generatedCredentials: T,
+export type TRotationFactoryRevokeCredentials = (
+  generatedCredentials: TSecretRotationV2GeneratedCredentials,
  callback: () => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;

-export type TRotationFactoryRotateCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  credentialsToRevoke: T[number] | undefined,
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryRotateCredentials = (
+  credentialsToRevoke: TSecretRotationV2GeneratedCredentials[number] | undefined,
+  callback: (newCredentials: TSecretRotationV2GeneratedCredentials[number]) => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;

-export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2GeneratedCredentials> = (
-  generatedCredentials: T[number]
+export type TRotationFactoryGetSecretsPayload = (
+  generatedCredentials: TSecretRotationV2GeneratedCredentials[number]
 ) => { key: string; value: string }[];

-export type TRotationFactory<
-  T extends TSecretRotationV2WithConnection,
-  C extends TSecretRotationV2GeneratedCredentials
-> = (
-  secretRotation: T,
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
-) => {
-  issueCredentials: TRotationFactoryIssueCredentials<C>;
-  revokeCredentials: TRotationFactoryRevokeCredentials<C>;
-  rotateCredentials: TRotationFactoryRotateCredentials<C>;
-  getSecretsPayload: TRotationFactoryGetSecretsPayload<C>;
+export type TRotationFactory = (secretRotation: TSecretRotationV2WithConnection) => {
+  issueCredentials: TRotationFactoryIssueCredentials;
+  revokeCredentials: TRotationFactoryRevokeCredentials;
+  rotateCredentials: TRotationFactoryRotateCredentials;
+  getSecretsPayload: TRotationFactoryGetSecretsPayload;
 };
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts
@@ -1,11 +1,9 @@
 import { z } from "zod";

-import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";

 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
  PostgresCredentialsRotationSchema,
-  MsSqlCredentialsRotationSchema,
-  Auth0ClientSecretRotationSchema
+  MsSqlCredentialsRotationSchema
 ]);
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	e35135e4e3	test	2025-04-08 17:08:56 -04:00
Maidul Islam	c95dd69167	test upload	2025-04-08 16:58:35 -04:00