Merge branch 'main' into feature/mongodb-secret-rotation

backend/package-lock.json

@@ -98,7 +98,6 @@
         "ms": "^2.1.3",
         "mysql2": "^3.9.8",
         "nanoid": "^3.3.8",
-        "nock": "^14.0.10",
         "node-forge": "^1.3.1",
         "nodemailer": "^6.9.9",
         "oci-sdk": "^2.108.0",
@@ -178,6 +177,7 @@
         "eslint-plugin-import": "^2.29.1",
         "eslint-plugin-prettier": "^5.1.3",
         "eslint-plugin-simple-import-sort": "^10.0.0",
+        "nock": "^14.0.10",
         "nodemon": "^3.0.2",
         "pino-pretty": "^10.2.3",
         "prompt-sync": "^4.2.0",
@@ -9710,6 +9710,7 @@
       "version": "0.39.8",
       "resolved": "https://registry.npmjs.org/@mswjs/interceptors/-/interceptors-0.39.8.tgz",
       "integrity": "sha512-2+BzZbjRO7Ct61k8fMNHEtoKjeWI9pIlHFTqBwZ5icHpqszIgEZbjb1MW5Z0+bITTCTl3gk4PDBxs9tA/csXvA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@open-draft/deferred-promise": "^2.2.0",
@@ -10736,12 +10737,14 @@
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@open-draft/deferred-promise/-/deferred-promise-2.2.0.tgz",
       "integrity": "sha512-CecwLWx3rhxVQF6V4bAgPS5t+So2sTbPgAzafKkVizyi7tlwpcFpdFqq+wqF2OwNBmqFuu6tOyouTuxgpMfzmA==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@open-draft/logger": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/@open-draft/logger/-/logger-0.3.0.tgz",
       "integrity": "sha512-X2g45fzhxH238HKO4xbSr7+wBS8Fvw6ixhTDuvLd5mqh6bJJCFAPwU9mPDxbcrRtfxv4u5IHCEH77BmxvXmmxQ==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "is-node-process": "^1.2.0",
@@ -10752,6 +10755,7 @@
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/@open-draft/until/-/until-2.1.0.tgz",
       "integrity": "sha512-U69T3ItWHvLwGg5eJ0n3I62nWuE6ilHlmz7zM0npLBRvPRd7e6NYmg54vvRtP5mZG7kZqZCFVdsTWo7BPtBujg==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@opentelemetry/api": {
@@ -23002,6 +23006,7 @@
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/is-node-process/-/is-node-process-1.2.0.tgz",
       "integrity": "sha512-Vg4o6/fqPxIjtxgUH5QLJhwZ7gW5diGCVlXpuUfELC62CuxM1iHcRe51f2W1FDy04Ai4KJkagKjx3XaqyfRKXw==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/is-number": {
@@ -23557,6 +23562,7 @@
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
       "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==",
+      "dev": true,
       "license": "ISC"
     },
     "node_modules/json5": {
@@ -25130,6 +25136,7 @@
       "version": "14.0.10",
       "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.10.tgz",
       "integrity": "sha512-Q7HjkpyPeLa0ZVZC5qpxBt5EyLczFJ91MEewQiIi9taWuA0KB/MDJlUWtON+7dGouVdADTQsf9RA7TZk6D8VMw==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@mswjs/interceptors": "^0.39.5",
@@ -27772,6 +27779,7 @@
       "version": "1.4.3",
       "resolved": "https://registry.npmjs.org/outvariant/-/outvariant-1.4.3.tgz",
       "integrity": "sha512-+Sl2UErvtsoajRDKCE5/dBz4DIvHXQQnAxtQTF04OJxY0+DyZXSo5P5Bb7XYWOh81syohlYL24hbDwxedPUJCA==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/p-finally": {
@@ -29179,6 +29187,7 @@
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/propagate/-/propagate-2.0.1.tgz",
       "integrity": "sha512-vGrhOavPSTz4QVNuBNdcNXePNdNMaO1xj9yBeH1ScQPjk/rhg9sSlCXPhMkFuaNNW/syTvYqsnbIJxMBfRbbag==",
+      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 8"
@@ -31686,6 +31695,7 @@
       "version": "0.5.1",
       "resolved": "https://registry.npmjs.org/strict-event-emitter/-/strict-event-emitter-0.5.1.tgz",
       "integrity": "sha512-vMgjE/GGEPEFnhFub6pa4FmJBRBVOLpIII2hvCZ8Kzb7K0hlHo7mQv6xYrBvCL2LtAIBwFUK8wvuJgTVSQ5MFQ==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/string_decoder": {

backend/package.json

@@ -123,6 +123,7 @@
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-prettier": "^5.1.3",
     "eslint-plugin-simple-import-sort": "^10.0.0",
+    "nock": "^14.0.10",
     "nodemon": "^3.0.2",
     "pino-pretty": "^10.2.3",
     "prompt-sync": "^4.2.0",
@@ -226,7 +227,6 @@
     "ms": "^2.1.3",
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.8",
-    "nock": "^14.0.10",
     "node-forge": "^1.3.1",
     "nodemailer": "^6.9.9",
     "oci-sdk": "^2.108.0",

backend/src/ee/routes/v1/pit-router.ts

@@ -435,14 +435,7 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
         projectId: z.string().trim(),
         environment: z.string().trim(),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        message: z
-          .string()
-          .trim()
-          .min(1)
-          .max(255)
-          .refine((message) => message.trim() !== "", {
-            message: "Commit message cannot be empty"
-          }),
+        message: z.string().trim().max(255).optional(),
         changes: z.object({
           secrets: z.object({
             create: z
@@ -546,7 +539,7 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
         projectId: req.body.projectId,
         environment: req.body.environment,
         secretPath: req.body.secretPath,
-        message: req.body.message,
+        message: req.body.message || "",
         changes: {
           secrets: req.body.changes.secrets,
           folders: req.body.changes.folders
@@ -564,7 +557,7 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
             projectId: req.body.projectId,
             environment: req.body.environment,
             secretPath: req.body.secretPath,
-            message: req.body.message
+            message: req.body.message || ""
           }
         }
       });

backend/src/ee/services/app-connections/chef/chef-connection-schemas.ts

@@ -2,6 +2,7 @@ import z from "zod";
 
 import { AppConnections } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
 import {
   BaseAppConnectionSchema,
   GenericCreateAppConnectionFieldsSchema,
@@ -48,7 +49,7 @@ export const SanitizedChefConnectionSchema = z.discriminatedUnion("method", [
   BaseChefConnectionSchema.extend({
     method: z.literal(ChefConnectionMethod.UserKey),
     credentials: ChefConnectionUserKeyCredentialsSchema.pick({ serverUrl: true, orgName: true, userName: true })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Chef]} (User Key)` }))
 ]);
 
 export const ValidateChefConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -70,8 +71,10 @@ export const UpdateChefConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Chef));
 
-export const ChefConnectionListItemSchema = z.object({
-  name: z.literal("Chef"),
-  app: z.literal(AppConnection.Chef),
-  methods: z.nativeEnum(ChefConnectionMethod).array()
-});
+export const ChefConnectionListItemSchema = z
+  .object({
+    name: z.literal("Chef"),
+    app: z.literal(AppConnection.Chef),
+    methods: z.nativeEnum(ChefConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Chef] }));

backend/src/ee/services/app-connections/oci/oci-connection-schemas.ts

@@ -2,6 +2,7 @@ import z from "zod";
 
 import { AppConnections } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
 import {
   BaseAppConnectionSchema,
   GenericCreateAppConnectionFieldsSchema,
@@ -34,7 +35,7 @@ export const SanitizedOCIConnectionSchema = z.discriminatedUnion("method", [
       region: true,
       fingerprint: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.OCI]} (Access Key)` }))
 ]);
 
 export const ValidateOCIConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -58,8 +59,10 @@ export const UpdateOCIConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OCI));
 
-export const OCIConnectionListItemSchema = z.object({
-  name: z.literal("OCI"),
-  app: z.literal(AppConnection.OCI),
-  methods: z.nativeEnum(OCIConnectionMethod).array()
-});
+export const OCIConnectionListItemSchema = z
+  .object({
+    name: z.literal("OCI"),
+    app: z.literal(AppConnection.OCI),
+    methods: z.nativeEnum(OCIConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.OCI] }));

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -2,6 +2,7 @@ import z from "zod";
 
 import { AppConnections } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
 import {
   BaseAppConnectionSchema,
   GenericCreateAppConnectionFieldsSchema,
@@ -32,7 +33,7 @@ export const SanitizedOracleDBConnectionSchema = z.discriminatedUnion("method",
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.OracleDB]} (Username and Password)` }))
 ]);
 
 export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -64,9 +65,11 @@ export const UpdateOracleDBConnectionSchema = z
     })
   );
 
-export const OracleDBConnectionListItemSchema = z.object({
-  name: z.literal("OracleDB"),
-  app: z.literal(AppConnection.OracleDB),
-  methods: z.nativeEnum(OracleDBConnectionMethod).array(),
-  supportsPlatformManagement: z.literal(true)
-});
+export const OracleDBConnectionListItemSchema = z
+  .object({
+    name: z.literal("OracleDB"),
+    app: z.literal(AppConnection.OracleDB),
+    methods: z.nativeEnum(OracleDBConnectionMethod).array(),
+    supportsPlatformManagement: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.OracleDB] }));

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -365,6 +365,8 @@ export enum EventType {
   LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
   ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project",
   ORG_ADMIN_BYPASS_SSO = "org-admin-bypassed-sso",
+  USER_LOGIN = "user-login",
+  SELECT_ORGANIZATION = "select-organization",
   CREATE_CERTIFICATE_TEMPLATE = "create-certificate-template",
   UPDATE_CERTIFICATE_TEMPLATE = "update-certificate-template",
   DELETE_CERTIFICATE_TEMPLATE = "delete-certificate-template",
@@ -570,6 +572,7 @@ interface UserActorMetadata {
   email?: string | null;
   username: string;
   permission?: Record<string, unknown>;
+  authMethod?: string;
 }
 
 interface ServiceActorMetadata {
@@ -2657,6 +2660,22 @@ interface OrgAdminBypassSSOEvent {
   metadata: Record<string, string>; // no metadata yet
 }
 
+interface UserLoginEvent {
+  type: EventType.USER_LOGIN;
+  metadata: {
+    organizationId?: string;
+    authProvider?: string;
+  };
+}
+
+interface SelectOrganizationEvent {
+  type: EventType.SELECT_ORGANIZATION;
+  metadata: {
+    organizationId: string;
+    organizationName: string;
+  };
+}
+
 interface CreateCertificateTemplateEstConfig {
   type: EventType.CREATE_CERTIFICATE_TEMPLATE_EST_CONFIG;
   metadata: {
@@ -4535,4 +4554,6 @@ export type Event =
   | UpdateCertificateRenewalConfigEvent
   | DisableCertificateRenewalConfigEvent
   | AutomatedRenewCertificate
-  | AutomatedRenewCertificateFailed;
+  | AutomatedRenewCertificateFailed
+  | UserLoginEvent
+  | SelectOrganizationEvent;

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -354,16 +354,21 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           (tx || db.replicaNode())(TableName.SecretApprovalRequest)
             .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
             .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-            .join(
-              TableName.SecretApprovalPolicyApprover,
-              `${TableName.SecretApprovalRequest}.policyId`,
-              `${TableName.SecretApprovalPolicyApprover}.policyId`
-            )
             .join(
               TableName.SecretApprovalPolicy,
               `${TableName.SecretApprovalRequest}.policyId`,
               `${TableName.SecretApprovalPolicy}.id`
             )
+            .leftJoin(
+              TableName.SecretApprovalPolicyApprover,
+              `${TableName.SecretApprovalPolicy}.id`,
+              `${TableName.SecretApprovalPolicyApprover}.policyId`
+            )
+            .leftJoin(
+              TableName.UserGroupMembership,
+              `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+              `${TableName.UserGroupMembership}.groupId`
+            )
             .where({ projectId })
             .where((qb) => {
               if (policyId) void qb.where(`${TableName.SecretApprovalPolicy}.id`, policyId);
@@ -373,10 +378,10 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                 void bd
                   .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
                   .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+                  .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
             )
             .select("status", `${TableName.SecretApprovalRequest}.id`)
             .groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
-            .count("status")
         )
         .select("status")
         .from("temp")
@@ -499,7 +504,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
 
       const query = (tx || db.replicaNode())
         .select("*")
-        .select(db.raw("count(*) OVER() as total_count"))
         .from(innerQuery)
         .orderBy("createdAt", "desc") as typeof innerQuery;
 
@@ -519,6 +523,14 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         });
       }
 
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+      const countResult = await (tx || db.replicaNode())
+        .count({ count: "*" })
+        .from(query.clone().as("count_query"))
+        .first();
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+      const totalCount = Number(countResult?.count || 0);
+
       const docs = await (tx || db)
         .with("w", query)
         .select("*")
@@ -526,9 +538,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
 
-      // @ts-expect-error knex does not infer
-      const totalCount = Number(docs[0]?.total_count || 0);
-
       const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-fns.ts

@@ -10,7 +10,7 @@ import {
 import { logger } from "@app/lib/logger";
 import { DistinguishedNameRegex } from "@app/lib/regex";
 import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
-import { getLdapConnectionClient, LdapProvider, TLdapConnection } from "@app/services/app-connection/ldap";
+import { executeWithPotentialGateway, LdapProvider, TLdapConnection } from "@app/services/app-connection/ldap";
 
 import { generatePassword } from "../shared/utils";
 import {
@@ -71,17 +71,18 @@ export const ldapPasswordRotationFactory: TRotationFactory<
   TLdapPasswordRotationWithConnection,
   TLdapPasswordRotationGeneratedCredentials,
   TLdapPasswordRotationInput["temporaryParameters"]
-> = (secretRotation, appConnectionDAL, kmsService) => {
+> = (secretRotation, appConnectionDAL, kmsService, gatewayService, gatewayV2Service) => {
   const { connection, parameters, secretsMapping, activeIndex } = secretRotation;
 
   const { dn, passwordRequirements } = parameters;
 
   const $verifyCredentials = async (credentials: Pick<TLdapConnection["credentials"], "dn" | "password">) => {
     try {
-      const client = await getLdapConnectionClient({ ...connection.credentials, ...credentials });
-
-      client.unbind();
-      client.destroy();
+      await executeWithPotentialGateway(
+        { ...connection, credentials: { ...connection.credentials, ...credentials } },
+        gatewayV2Service,
+        async () => {}
+      );
     } catch (error) {
       throw new Error(`Failed to verify credentials - ${(error as Error).message}`);
     }
@@ -92,17 +93,7 @@ export const ldapPasswordRotationFactory: TRotationFactory<
 
     if (!credentials.url.startsWith("ldaps")) throw new Error("Password Rotation requires an LDAPS connection");
 
-    const client = await getLdapConnectionClient(
-      currentPassword
-        ? {
-            ...credentials,
-            password: currentPassword,
-            dn
-          }
-        : credentials
-    );
     const isConnectionRotation = credentials.dn === dn;
-
     const password = generatePassword(passwordRequirements);
 
     let changes: ldap.Change[] | ldap.Change;
@@ -147,22 +138,32 @@ export const ldapPasswordRotationFactory: TRotationFactory<
         throw new Error(`Unhandled provider: ${credentials.provider as LdapProvider}`);
     }
 
-    try {
-      const userDn = await getDN(dn, client);
-      await new Promise((resolve, reject) => {
-        client.modify(userDn, changes, (err) => {
-          if (err) {
-            logger.error(err, "LDAP Password Rotation Failed");
-            reject(new Error(`Provider Modify Error: ${err.message}`));
-          } else {
-            resolve(true);
-          }
+    await executeWithPotentialGateway(
+      {
+        ...connection,
+        credentials: currentPassword
+          ? {
+              ...credentials,
+              password: currentPassword,
+              dn
+            }
+          : credentials
+      },
+      gatewayV2Service,
+      async (client) => {
+        const userDn = await getDN(dn, client);
+        await new Promise<void>((resolve, reject) => {
+          client.modify(userDn, changes, (err) => {
+            if (err) {
+              logger.error(err, "LDAP Password Rotation Failed");
+              reject(new Error(`Provider Modify Error: ${err.message}`));
+            } else {
+              resolve();
+            }
+          });
         });
-      });
-    } finally {
-      client.unbind();
-      client.destroy();
-    }
+      }
+    );
 
     await $verifyCredentials({ dn, password });
 

backend/src/ee/services/secret-sync/chef/chef-sync-schemas.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { SecretSyncs } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import {
   BaseSecretSyncSchema,
   GenericCreateSecretSyncFieldsSchema,
@@ -25,10 +26,12 @@ const ChefSyncDestinationConfigSchema = z.object({
 
 const ChefSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const ChefSyncSchema = BaseSecretSyncSchema(SecretSync.Chef, ChefSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Chef),
-  destinationConfig: ChefSyncDestinationConfigSchema
-});
+export const ChefSyncSchema = BaseSecretSyncSchema(SecretSync.Chef, ChefSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Chef),
+    destinationConfig: ChefSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Chef] }));
 
 export const CreateChefSyncSchema = GenericCreateSecretSyncFieldsSchema(SecretSync.Chef, ChefSyncOptionsConfig).extend({
   destinationConfig: ChefSyncDestinationConfigSchema
@@ -38,10 +41,12 @@ export const UpdateChefSyncSchema = GenericUpdateSecretSyncFieldsSchema(SecretSy
   destinationConfig: ChefSyncDestinationConfigSchema.optional()
 });
 
-export const ChefSyncListItemSchema = z.object({
-  name: z.literal("Chef"),
-  connection: z.literal(AppConnection.Chef),
-  destination: z.literal(SecretSync.Chef),
-  canImportSecrets: z.literal(true),
-  enterprise: z.boolean()
-});
+export const ChefSyncListItemSchema = z
+  .object({
+    name: z.literal("Chef"),
+    connection: z.literal(AppConnection.Chef),
+    destination: z.literal(SecretSync.Chef),
+    canImportSecrets: z.literal(true),
+    enterprise: z.boolean()
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Chef] }));

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-schemas.ts

@@ -4,6 +4,7 @@ import { z } from "zod";
 import { SecretSyncs } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import {
   BaseSecretSyncSchema,
   GenericCreateSecretSyncFieldsSchema,
@@ -43,10 +44,12 @@ const OCIVaultSyncDestinationConfigSchema = z.object({
 
 const OCIVaultSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const OCIVaultSyncSchema = BaseSecretSyncSchema(SecretSync.OCIVault, OCIVaultSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.OCIVault),
-  destinationConfig: OCIVaultSyncDestinationConfigSchema
-});
+export const OCIVaultSyncSchema = BaseSecretSyncSchema(SecretSync.OCIVault, OCIVaultSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.OCIVault),
+    destinationConfig: OCIVaultSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.OCIVault] }));
 
 export const CreateOCIVaultSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.OCIVault,
@@ -62,10 +65,12 @@ export const UpdateOCIVaultSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: OCIVaultSyncDestinationConfigSchema.optional()
 });
 
-export const OCIVaultSyncListItemSchema = z.object({
-  name: z.literal("OCI Vault"),
-  connection: z.literal(AppConnection.OCI),
-  destination: z.literal(SecretSync.OCIVault),
-  canImportSecrets: z.literal(true),
-  enterprise: z.boolean()
-});
+export const OCIVaultSyncListItemSchema = z
+  .object({
+    name: z.literal("OCI Vault"),
+    connection: z.literal(AppConnection.OCI),
+    destination: z.literal(SecretSync.OCIVault),
+    canImportSecrets: z.literal(true),
+    enterprise: z.boolean()
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.OCIVault] }));

backend/src/lib/validator/validate-url.ts

@@ -8,10 +8,10 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "../errors";
 import { isPrivateIp } from "../ip/ipRange";
 
-export const blockLocalAndPrivateIpAddresses = async (url: string) => {
+export const blockLocalAndPrivateIpAddresses = async (url: string, isGateway = false) => {
   const appCfg = getConfig();
 
-  if (appCfg.isDevelopmentMode) return;
+  if (appCfg.isDevelopmentMode || isGateway) return;
 
   const validUrl = new URL(url);
 

backend/src/server/routes/index.ts

@@ -643,7 +643,8 @@ export const registerRoutes = async (
     projectDAL,
     identityDAL,
     userDAL,
-    externalGroupOrgRoleMappingDAL
+    externalGroupOrgRoleMappingDAL,
+    membershipRoleDAL
   });
   const additionalPrivilegeService = additionalPrivilegeServiceFactory({
     additionalPrivilegeDAL,

backend/src/server/routes/v1/bdd-nock-router.ts

@@ -1,88 +1,87 @@
-import nock, { Definition } from "nock";
-import { z } from "zod";
+// import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { ForbiddenRequestError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
+// import { getConfig } from "@app/lib/config/env";
+// import { ForbiddenRequestError } from "@app/lib/errors";
+// import { logger } from "@app/lib/logger";
+// import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+// import { AuthMode } from "@app/services/auth/auth-type";
 
-export const registerBddNockRouter = async (server: FastifyZodProvider) => {
-  const checkIfBddNockApiEnabled = () => {
-    const appCfg = getConfig();
-    // Note: Please note that this API is only available in development mode and only for BDD tests.
-    // This endpoint should NEVER BE ENABLED IN PRODUCTION!
-    if (appCfg.NODE_ENV !== "development" || !appCfg.isBddNockApiEnabled) {
-      throw new ForbiddenRequestError({ message: "BDD Nock API is not enabled" });
-    }
-  };
+// export const registerBddNockRouter = async (server: FastifyZodProvider) => {
+//   const checkIfBddNockApiEnabled = () => {
+//     const appCfg = getConfig();
+//     // Note: Please note that this API is only available in development mode and only for BDD tests.
+//     // This endpoint should NEVER BE ENABLED IN PRODUCTION!
+//     if (appCfg.NODE_ENV !== "development" || !appCfg.isBddNockApiEnabled) {
+//       throw new ForbiddenRequestError({ message: "BDD Nock API is not enabled" });
+//     }
+//   };
 
-  server.route({
-    method: "POST",
-    url: "/define",
-    schema: {
-      body: z.object({ definitions: z.unknown().array() }),
-      response: {
-        200: z.object({ status: z.string() })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      checkIfBddNockApiEnabled();
-      const { body } = req;
-      const { definitions } = body;
-      logger.info(definitions, "Defining nock");
-      const processedDefinitions = definitions.map((definition: unknown) => {
-        const { path, ...rest } = definition as Definition;
-        return {
-          ...rest,
-          path:
-            path !== undefined && typeof path === "string"
-              ? path
-              : new RegExp((path as unknown as { regex: string }).regex ?? "")
-        } as Definition;
-      });
+//   server.route({
+//     method: "POST",
+//     url: "/define",
+//     schema: {
+//       body: z.object({ definitions: z.unknown().array() }),
+//       response: {
+//         200: z.object({ status: z.string() })
+//       }
+//     },
+//     onRequest: verifyAuth([AuthMode.JWT]),
+//     handler: async (req) => {
+//       checkIfBddNockApiEnabled();
+//       const { body } = req;
+//       const { definitions } = body;
+//       logger.info(definitions, "Defining nock");
+//       const processedDefinitions = definitions.map((definition: unknown) => {
+//         const { path, ...rest } = definition as Definition;
+//         return {
+//           ...rest,
+//           path:
+//             path !== undefined && typeof path === "string"
+//               ? path
+//               : new RegExp((path as unknown as { regex: string }).regex ?? "")
+//         } as Definition;
+//       });
 
-      nock.define(processedDefinitions);
-      // Ensure we are activating the nocks, because we could have called `nock.restore()` before this call.
-      if (!nock.isActive()) {
-        nock.activate();
-      }
-      return { status: "ok" };
-    }
-  });
+//       nock.define(processedDefinitions);
+//       // Ensure we are activating the nocks, because we could have called `nock.restore()` before this call.
+//       if (!nock.isActive()) {
+//         nock.activate();
+//       }
+//       return { status: "ok" };
+//     }
+//   });
 
-  server.route({
-    method: "POST",
-    url: "/clean-all",
-    schema: {
-      response: {
-        200: z.object({ status: z.string() })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async () => {
-      checkIfBddNockApiEnabled();
-      logger.info("Cleaning all nocks");
-      nock.cleanAll();
-      return { status: "ok" };
-    }
-  });
+//   server.route({
+//     method: "POST",
+//     url: "/clean-all",
+//     schema: {
+//       response: {
+//         200: z.object({ status: z.string() })
+//       }
+//     },
+//     onRequest: verifyAuth([AuthMode.JWT]),
+//     handler: async () => {
+//       checkIfBddNockApiEnabled();
+//       logger.info("Cleaning all nocks");
+//       nock.cleanAll();
+//       return { status: "ok" };
+//     }
+//   });
 
-  server.route({
-    method: "POST",
-    url: "/restore",
-    schema: {
-      response: {
-        200: z.object({ status: z.string() })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async () => {
-      checkIfBddNockApiEnabled();
-      logger.info("Restore network requests from nock");
-      nock.restore();
-      return { status: "ok" };
-    }
-  });
-};
+//   server.route({
+//     method: "POST",
+//     url: "/restore",
+//     schema: {
+//       response: {
+//         200: z.object({ status: z.string() })
+//       }
+//     },
+//     onRequest: verifyAuth([AuthMode.JWT]),
+//     handler: async () => {
+//       checkIfBddNockApiEnabled();
+//       logger.info("Restore network requests from nock");
+//       nock.restore();
+//       return { status: "ok" };
+//     }
+//   });
+// };

backend/src/server/routes/v1/index.ts

@@ -9,7 +9,7 @@ import { registerSecretSyncRouter, SECRET_SYNC_REGISTER_ROUTER_MAP } from "@app/
 
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
-import { registerBddNockRouter } from "./bdd-nock-router";
+// import { registerBddNockRouter } from "./bdd-nock-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerCaRouter } from "./certificate-authority-router";
 import { CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP } from "./certificate-authority-routers";
@@ -242,7 +242,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
 
   // Note: This is a special route for BDD tests. It's only available in development mode and only for BDD tests.
   // This route should NEVER BE ENABLED IN PRODUCTION!
-  if (getConfig().isBddNockApiEnabled) {
-    await server.register(registerBddNockRouter, { prefix: "/bdd-nock" });
-  }
+  // if (getConfig().isBddNockApiEnabled) {
+  //   await server.register(registerBddNockRouter, { prefix: "/bdd-nock" });
+  // }
 };

backend/src/services/app-connection/1password/1password-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { OnePassConnectionMethod } from "./1password-connection-enums";
 
 export const OnePassConnectionAccessTokenCredentialsSchema = z.object({
@@ -33,7 +34,7 @@ export const SanitizedOnePassConnectionSchema = z.discriminatedUnion("method", [
     credentials: OnePassConnectionAccessTokenCredentialsSchema.pick({
       instanceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.OnePass]} (API Token)` }))
 ]);
 
 export const ValidateOnePassConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -57,8 +58,10 @@ export const UpdateOnePassConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OnePass));
 
-export const OnePassConnectionListItemSchema = z.object({
-  name: z.literal("1Password"),
-  app: z.literal(AppConnection.OnePass),
-  methods: z.nativeEnum(OnePassConnectionMethod).array()
-});
+export const OnePassConnectionListItemSchema = z
+  .object({
+    name: z.literal("1Password"),
+    app: z.literal(AppConnection.OnePass),
+    methods: z.nativeEnum(OnePassConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.OnePass] }));

backend/src/services/app-connection/auth0/auth0-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { Auth0ConnectionMethod } from "./auth0-connection-enums";
 
 export const Auth0ConnectionClientCredentialsInputCredentialsSchema = z.object({
@@ -59,7 +60,7 @@ export const SanitizedAuth0ConnectionSchema = z.discriminatedUnion("method", [
       clientId: true,
       audience: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Auth0]} (Client Credentials)` }))
 ]);
 
 export const ValidateAuth0ConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -85,10 +86,12 @@ export const UpdateAuth0ConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Auth0));
 
-export const Auth0ConnectionListItemSchema = z.object({
-  name: z.literal("Auth0"),
-  app: z.literal(AppConnection.Auth0),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
-  methods: z.nativeEnum(Auth0ConnectionMethod).array()
-});
+export const Auth0ConnectionListItemSchema = z
+  .object({
+    name: z.literal("Auth0"),
+    app: z.literal(AppConnection.Auth0),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
+    methods: z.nativeEnum(Auth0ConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Auth0] }));

backend/src/services/app-connection/aws/aws-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { AwsConnectionMethod } from "./aws-connection-enums";
 
 export const AwsConnectionAssumeRoleCredentialsSchema = z.object({
@@ -39,11 +40,11 @@ export const SanitizedAwsConnectionSchema = z.discriminatedUnion("method", [
   BaseAwsConnectionSchema.extend({
     method: z.literal(AwsConnectionMethod.AssumeRole),
     credentials: AwsConnectionAssumeRoleCredentialsSchema.pick({})
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AWS]} (Assume Role)` })),
   BaseAwsConnectionSchema.extend({
     method: z.literal(AwsConnectionMethod.AccessKey),
     credentials: AwsConnectionAccessTokenCredentialsSchema.pick({ accessKeyId: true })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AWS]} (Access Key)` }))
 ]);
 
 export const ValidateAwsConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -72,11 +73,13 @@ export const UpdateAwsConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AWS));
 
-export const AwsConnectionListItemSchema = z.object({
-  name: z.literal("AWS"),
-  app: z.literal(AppConnection.AWS),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(AwsConnectionMethod.AssumeRole), z.literal(AwsConnectionMethod.AccessKey)]),
-  methods: z.nativeEnum(AwsConnectionMethod).array(),
-  accessKeyId: z.string().optional()
-});
+export const AwsConnectionListItemSchema = z
+  .object({
+    name: z.literal("AWS"),
+    app: z.literal(AppConnection.AWS),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(AwsConnectionMethod.AssumeRole), z.literal(AwsConnectionMethod.AccessKey)]),
+    methods: z.nativeEnum(AwsConnectionMethod).array(),
+    accessKeyId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.AWS] }));

backend/src/services/app-connection/azure-adcs/azure-adcs-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { AzureADCSConnectionMethod } from "./azure-adcs-connection-enums";
 
 export const AzureADCSUsernamePasswordCredentialsSchema = z.object({
@@ -55,7 +56,7 @@ export const SanitizedAzureADCSConnectionSchema = z.discriminatedUnion("method",
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureADCS]} (Username and Password)` }))
 ]);
 
 export const ValidateAzureADCSConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -81,8 +82,10 @@ export const UpdateAzureADCSConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureADCS));
 
-export const AzureADCSConnectionListItemSchema = z.object({
-  name: z.literal("Azure ADCS"),
-  app: z.literal(AppConnection.AzureADCS),
-  methods: z.nativeEnum(AzureADCSConnectionMethod).array()
-});
+export const AzureADCSConnectionListItemSchema = z
+  .object({
+    name: z.literal("Azure ADCS"),
+    app: z.literal(AppConnection.AzureADCS),
+    methods: z.nativeEnum(AzureADCSConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.AzureADCS] }));

backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { AzureAppConfigurationConnectionMethod } from "./azure-app-configuration-connection-enums";
 
 export const AzureAppConfigurationConnectionOAuthInputCredentialsSchema = z.object({
@@ -104,19 +105,23 @@ export const SanitizedAzureAppConfigurationConnectionSchema = z.discriminatedUni
     credentials: AzureAppConfigurationConnectionOAuthOutputCredentialsSchema.pick({
       tenantId: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureAppConfiguration]} (OAuth)` })),
   BaseAzureAppConfigurationConnectionSchema.extend({
     method: z.literal(AzureAppConfigurationConnectionMethod.ClientSecret),
     credentials: AzureAppConfigurationConnectionClientSecretOutputCredentialsSchema.pick({
       clientId: true,
       tenantId: true
     })
-  })
+  }).describe(
+    JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureAppConfiguration]} (Client Secret)` })
+  )
 ]);
 
-export const AzureAppConfigurationConnectionListItemSchema = z.object({
-  name: z.literal("Azure App Configuration"),
-  app: z.literal(AppConnection.AzureAppConfiguration),
-  methods: z.nativeEnum(AzureAppConfigurationConnectionMethod).array(),
-  oauthClientId: z.string().optional()
-});
+export const AzureAppConfigurationConnectionListItemSchema = z
+  .object({
+    name: z.literal("Azure App Configuration"),
+    app: z.literal(AppConnection.AzureAppConfiguration),
+    methods: z.nativeEnum(AzureAppConfigurationConnectionMethod).array(),
+    oauthClientId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.AzureAppConfiguration] }));

backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { AzureClientSecretsConnectionMethod } from "./azure-client-secrets-connection-enums";
 
 export const AzureClientSecretsConnectionOAuthInputCredentialsSchema = z.object({
@@ -162,26 +163,30 @@ export const SanitizedAzureClientSecretsConnectionSchema = z.discriminatedUnion(
     credentials: AzureClientSecretsConnectionOAuthOutputCredentialsSchema.pick({
       tenantId: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureClientSecrets]} (OAuth)` })),
   BaseAzureClientSecretsConnectionSchema.extend({
     method: z.literal(AzureClientSecretsConnectionMethod.ClientSecret),
     credentials: AzureClientSecretsConnectionClientSecretOutputCredentialsSchema.pick({
       clientId: true,
       tenantId: true
     })
-  }),
+  }).describe(
+    JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureClientSecrets]} (Client Secret)` })
+  ),
   BaseAzureClientSecretsConnectionSchema.extend({
     method: z.literal(AzureClientSecretsConnectionMethod.Certificate),
     credentials: AzureClientSecretsConnectionCertificateOutputCredentialsSchema.pick({
       tenantId: true,
       clientId: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureClientSecrets]} (Certificate)` }))
 ]);
 
-export const AzureClientSecretsConnectionListItemSchema = z.object({
-  name: z.literal("Azure Client Secrets"),
-  app: z.literal(AppConnection.AzureClientSecrets),
-  methods: z.nativeEnum(AzureClientSecretsConnectionMethod).array(),
-  oauthClientId: z.string().optional()
-});
+export const AzureClientSecretsConnectionListItemSchema = z
+  .object({
+    name: z.literal("Azure Client Secrets"),
+    app: z.literal(AppConnection.AzureClientSecrets),
+    methods: z.nativeEnum(AzureClientSecretsConnectionMethod).array(),
+    oauthClientId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.AzureClientSecrets] }));

backend/src/services/app-connection/azure-devops/azure-devops-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
 
 export const AzureDevOpsConnectionOAuthInputCredentialsSchema = z.object({
@@ -147,13 +148,13 @@ export const SanitizedAzureDevOpsConnectionSchema = z.discriminatedUnion("method
       tenantId: true,
       orgName: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureDevOps]} (OAuth)` })),
   BaseAzureDevOpsConnectionSchema.extend({
     method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
     credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema.pick({
       orgName: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureDevOps]} (Access Token)` })),
   BaseAzureDevOpsConnectionSchema.extend({
     method: z.literal(AzureDevOpsConnectionMethod.ClientSecret),
     credentials: AzureDevOpsConnectionClientSecretOutputCredentialsSchema.pick({
@@ -161,12 +162,14 @@ export const SanitizedAzureDevOpsConnectionSchema = z.discriminatedUnion("method
       tenantId: true,
       orgName: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureDevOps]} (Client Secret)` }))
 ]);
 
-export const AzureDevOpsConnectionListItemSchema = z.object({
-  name: z.literal("Azure DevOps"),
-  app: z.literal(AppConnection.AzureDevOps),
-  methods: z.nativeEnum(AzureDevOpsConnectionMethod).array(),
-  oauthClientId: z.string().optional()
-});
+export const AzureDevOpsConnectionListItemSchema = z
+  .object({
+    name: z.literal("Azure DevOps"),
+    app: z.literal(AppConnection.AzureDevOps),
+    methods: z.nativeEnum(AzureDevOpsConnectionMethod).array(),
+    oauthClientId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.AzureDevOps] }));

backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { AzureKeyVaultConnectionMethod } from "./azure-key-vault-connection-enums";
 
 export const AzureKeyVaultConnectionOAuthInputCredentialsSchema = z.object({
@@ -104,19 +105,21 @@ export const SanitizedAzureKeyVaultConnectionSchema = z.discriminatedUnion("meth
     credentials: AzureKeyVaultConnectionOAuthOutputCredentialsSchema.pick({
       tenantId: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureKeyVault]} (OAuth)` })),
   BaseAzureKeyVaultConnectionSchema.extend({
     method: z.literal(AzureKeyVaultConnectionMethod.ClientSecret),
     credentials: AzureKeyVaultConnectionClientSecretOutputCredentialsSchema.pick({
       clientId: true,
       tenantId: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.AzureKeyVault]} (Client Secret)` }))
 ]);
 
-export const AzureKeyVaultConnectionListItemSchema = z.object({
-  name: z.literal("Azure Key Vault"),
-  app: z.literal(AppConnection.AzureKeyVault),
-  methods: z.nativeEnum(AzureKeyVaultConnectionMethod).array(),
-  oauthClientId: z.string().optional()
-});
+export const AzureKeyVaultConnectionListItemSchema = z
+  .object({
+    name: z.literal("Azure Key Vault"),
+    app: z.literal(AppConnection.AzureKeyVault),
+    methods: z.nativeEnum(AzureKeyVaultConnectionMethod).array(),
+    oauthClientId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.AzureKeyVault] }));

backend/src/services/app-connection/bitbucket/bitbucket-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { BitbucketConnectionMethod } from "./bitbucket-connection-enums";
 
 export const BitbucketConnectionAccessTokenCredentialsSchema = z.object({
@@ -39,7 +40,7 @@ export const SanitizedBitbucketConnectionSchema = z.discriminatedUnion("method",
     credentials: BitbucketConnectionAccessTokenCredentialsSchema.pick({
       email: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Bitbucket]} (API Token)` }))
 ]);
 
 export const ValidateBitbucketConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -65,8 +66,10 @@ export const UpdateBitbucketConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Bitbucket));
 
-export const BitbucketConnectionListItemSchema = z.object({
-  name: z.literal("Bitbucket"),
-  app: z.literal(AppConnection.Bitbucket),
-  methods: z.nativeEnum(BitbucketConnectionMethod).array()
-});
+export const BitbucketConnectionListItemSchema = z
+  .object({
+    name: z.literal("Bitbucket"),
+    app: z.literal(AppConnection.Bitbucket),
+    methods: z.nativeEnum(BitbucketConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Bitbucket] }));

backend/src/services/app-connection/camunda/camunda-connection-schema.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { CamundaConnectionMethod } from "./camunda-connection-enums";
 
 const BaseCamundaConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Camunda) });
@@ -44,7 +45,7 @@ export const SanitizedCamundaConnectionSchema = z.discriminatedUnion("method", [
     credentials: CamundaConnectionClientCredentialsOutputCredentialsSchema.pick({
       clientId: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Camunda]} (Client Credentials)` }))
 ]);
 
 export const ValidateCamundaConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -70,8 +71,10 @@ export const UpdateCamundaConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Camunda));
 
-export const CamundaConnectionListItemSchema = z.object({
-  name: z.literal("Camunda"),
-  app: z.literal(AppConnection.Camunda),
-  methods: z.nativeEnum(CamundaConnectionMethod).array()
-});
+export const CamundaConnectionListItemSchema = z
+  .object({
+    name: z.literal("Camunda"),
+    app: z.literal(AppConnection.Camunda),
+    methods: z.nativeEnum(CamundaConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Camunda] }));

backend/src/services/app-connection/checkly/checkly-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { ChecklyConnectionMethod } from "./checkly-connection-constants";
 
 export const ChecklyConnectionMethodSchema = z
@@ -31,7 +32,7 @@ export const SanitizedChecklyConnectionSchema = z.discriminatedUnion("method", [
   BaseChecklyConnectionSchema.extend({
     method: ChecklyConnectionMethodSchema,
     credentials: ChecklyConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Checkly]} (Access Token)` }))
 ]);
 
 export const ValidateChecklyConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -55,8 +56,10 @@ export const UpdateChecklyConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Checkly));
 
-export const ChecklyConnectionListItemSchema = z.object({
-  name: z.literal("Checkly"),
-  app: z.literal(AppConnection.Checkly),
-  methods: z.nativeEnum(ChecklyConnectionMethod).array()
-});
+export const ChecklyConnectionListItemSchema = z
+  .object({
+    name: z.literal("Checkly"),
+    app: z.literal(AppConnection.Checkly),
+    methods: z.nativeEnum(ChecklyConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Checkly] }));

backend/src/services/app-connection/cloudflare/cloudflare-connection-schema.ts

@@ -9,6 +9,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
 
 const accountIdCharacterValidator = characterValidator([
@@ -41,7 +42,7 @@ export const SanitizedCloudflareConnectionSchema = z.discriminatedUnion("method"
   BaseCloudflareConnectionSchema.extend({
     method: z.literal(CloudflareConnectionMethod.APIToken),
     credentials: CloudflareConnectionApiTokenCredentialsSchema.pick({ accountId: true })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Cloudflare]} (API Token)` }))
 ]);
 
 export const ValidateCloudflareConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -67,8 +68,10 @@ export const UpdateCloudflareConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Cloudflare));
 
-export const CloudflareConnectionListItemSchema = z.object({
-  name: z.literal("Cloudflare"),
-  app: z.literal(AppConnection.Cloudflare),
-  methods: z.nativeEnum(CloudflareConnectionMethod).array()
-});
+export const CloudflareConnectionListItemSchema = z
+  .object({
+    name: z.literal("Cloudflare"),
+    app: z.literal(AppConnection.Cloudflare),
+    methods: z.nativeEnum(CloudflareConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Cloudflare] }));

backend/src/services/app-connection/databricks/databricks-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { DatabricksConnectionMethod } from "./databricks-connection-enums";
 
 export const DatabricksConnectionServicePrincipalInputCredentialsSchema = z.object({
@@ -42,7 +43,7 @@ export const SanitizedDatabricksConnectionSchema = z.discriminatedUnion("method"
       clientId: true,
       workspaceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Databricks]} (Service Principal)` }))
 ]);
 
 export const ValidateDatabricksConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -68,10 +69,12 @@ export const UpdateDatabricksConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Databricks));
 
-export const DatabricksConnectionListItemSchema = z.object({
-  name: z.literal("Databricks"),
-  app: z.literal(AppConnection.Databricks),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
-  methods: z.nativeEnum(DatabricksConnectionMethod).array()
-});
+export const DatabricksConnectionListItemSchema = z
+  .object({
+    name: z.literal("Databricks"),
+    app: z.literal(AppConnection.Databricks),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
+    methods: z.nativeEnum(DatabricksConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Databricks] }));

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
 
 export const DigitalOceanConnectionMethodSchema = z
@@ -36,7 +37,7 @@ export const SanitizedDigitalOceanConnectionSchema = z.discriminatedUnion("metho
   BaseDigitalOceanConnectionSchema.extend({
     method: DigitalOceanConnectionMethodSchema,
     credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.DigitalOcean]} (Access Token)` }))
 ]);
 
 export const ValidateDigitalOceanConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -60,8 +61,10 @@ export const UpdateDigitalOceanConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.DigitalOcean));
 
-export const DigitalOceanConnectionListItemSchema = z.object({
-  name: z.literal("Digital Ocean"),
-  app: z.literal(AppConnection.DigitalOcean),
-  methods: z.nativeEnum(DigitalOceanConnectionMethod).array()
-});
+export const DigitalOceanConnectionListItemSchema = z
+  .object({
+    name: z.literal("Digital Ocean"),
+    app: z.literal(AppConnection.DigitalOcean),
+    methods: z.nativeEnum(DigitalOceanConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.DigitalOcean] }));

backend/src/services/app-connection/flyio/flyio-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { FlyioConnectionMethod } from "./flyio-connection-enums";
 
 export const FlyioConnectionAccessTokenCredentialsSchema = z.object({
@@ -31,7 +32,7 @@ export const SanitizedFlyioConnectionSchema = z.discriminatedUnion("method", [
   BaseFlyioConnectionSchema.extend({
     method: z.literal(FlyioConnectionMethod.AccessToken),
     credentials: FlyioConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Flyio]} (Access Token)` }))
 ]);
 
 export const ValidateFlyioConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -55,8 +56,10 @@ export const UpdateFlyioConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Flyio));
 
-export const FlyioConnectionListItemSchema = z.object({
-  name: z.literal("Fly.io"),
-  app: z.literal(AppConnection.Flyio),
-  methods: z.nativeEnum(FlyioConnectionMethod).array()
-});
+export const FlyioConnectionListItemSchema = z
+  .object({
+    name: z.literal("Fly.io"),
+    app: z.literal(AppConnection.Flyio),
+    methods: z.nativeEnum(FlyioConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Flyio] }));

backend/src/services/app-connection/gcp/gcp-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { GcpConnectionMethod } from "./gcp-connection-enums";
 
 export const GcpConnectionServiceAccountImpersonationCredentialsSchema = z.object({
@@ -30,7 +31,9 @@ export const SanitizedGcpConnectionSchema = z.discriminatedUnion("method", [
   BaseGcpConnectionSchema.extend({
     method: z.literal(GcpConnectionMethod.ServiceAccountImpersonation),
     credentials: GcpConnectionServiceAccountImpersonationCredentialsSchema.pick({})
-  })
+  }).describe(
+    JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GCP]} (Service Account Impersonation)` })
+  )
 ]);
 
 export const ValidateGcpConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -56,10 +59,12 @@ export const UpdateGcpConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GCP));
 
-export const GcpConnectionListItemSchema = z.object({
-  name: z.literal("GCP"),
-  app: z.literal(AppConnection.GCP),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
-  methods: z.nativeEnum(GcpConnectionMethod).array()
-});
+export const GcpConnectionListItemSchema = z
+  .object({
+    name: z.literal("GCP"),
+    app: z.literal(AppConnection.GCP),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
+    methods: z.nativeEnum(GcpConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.GCP] }));

backend/src/services/app-connection/github-radar/github-radar-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { GitHubRadarConnectionMethod } from "./github-radar-connection-enums";
 
 export const GitHubRadarConnectionInputCredentialsSchema = z.object({
@@ -53,14 +54,16 @@ export const SanitizedGitHubRadarConnectionSchema = z.discriminatedUnion("method
   BaseGitHubRadarConnectionSchema.extend({
     method: z.literal(GitHubRadarConnectionMethod.App),
     credentials: GitHubRadarConnectionOutputCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GitHubRadar]} (GitHub App)` }))
 ]);
 
-export const GitHubRadarConnectionListItemSchema = z.object({
-  name: z.literal("GitHub Radar"),
-  app: z.literal(AppConnection.GitHubRadar),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
-  methods: z.nativeEnum(GitHubRadarConnectionMethod).array(),
-  appClientSlug: z.string().optional()
-});
+export const GitHubRadarConnectionListItemSchema = z
+  .object({
+    name: z.literal("GitHub Radar"),
+    app: z.literal(AppConnection.GitHubRadar),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
+    methods: z.nativeEnum(GitHubRadarConnectionMethod).array(),
+    appClientSlug: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.GitHubRadar] }));

backend/src/services/app-connection/github/github-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { GitHubConnectionMethod } from "./github-connection-enums";
 
 export const GitHubConnectionOAuthInputCredentialsSchema = z.union([
@@ -161,29 +162,31 @@ export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
       instanceType: z.union([z.literal("server"), z.literal("cloud")]).optional(),
       host: z.string().optional()
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GitHub]} (GitHub App)` })),
   BaseGitHubConnectionSchema.extend({
     method: z.literal(GitHubConnectionMethod.OAuth),
     credentials: z.object({
       instanceType: z.union([z.literal("server"), z.literal("cloud")]).optional(),
       host: z.string().optional()
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GitHub]} (OAuth)` })),
   BaseGitHubConnectionSchema.extend({
     method: z.literal(GitHubConnectionMethod.Pat),
     credentials: z.object({
       instanceType: z.union([z.literal("server"), z.literal("cloud")]).optional(),
       host: z.string().optional()
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GitHub]} (Personal Access Token)` }))
 ]);
 
-export const GitHubConnectionListItemSchema = z.object({
-  name: z.literal("GitHub"),
-  app: z.literal(AppConnection.GitHub),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
-  methods: z.nativeEnum(GitHubConnectionMethod).array(),
-  oauthClientId: z.string().optional(),
-  appClientSlug: z.string().optional()
-});
+export const GitHubConnectionListItemSchema = z
+  .object({
+    name: z.literal("GitHub"),
+    app: z.literal(AppConnection.GitHub),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
+    methods: z.nativeEnum(GitHubConnectionMethod).array(),
+    oauthClientId: z.string().optional(),
+    appClientSlug: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.GitHub] }));

backend/src/services/app-connection/gitlab/gitlab-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { GitLabAccessTokenType, GitLabConnectionMethod } from "./gitlab-connection-enums";
 
 export const GitLabConnectionAccessTokenCredentialsSchema = z.object({
@@ -84,13 +85,13 @@ export const SanitizedGitLabConnectionSchema = z.discriminatedUnion("method", [
       instanceUrl: true,
       accessTokenType: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GitLab]} (Access Token)` })),
   BaseGitLabConnectionSchema.extend({
     method: z.literal(GitLabConnectionMethod.OAuth),
     credentials: GitLabConnectionOAuthOutputCredentialsSchema.pick({
       instanceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.GitLab]} (OAuth)` }))
 ]);
 
 export const ValidateGitLabConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -130,9 +131,11 @@ export const UpdateGitLabConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GitLab));
 
-export const GitLabConnectionListItemSchema = z.object({
-  name: z.literal("GitLab"),
-  app: z.literal(AppConnection.GitLab),
-  methods: z.nativeEnum(GitLabConnectionMethod).array(),
-  oauthClientId: z.string().optional()
-});
+export const GitLabConnectionListItemSchema = z
+  .object({
+    name: z.literal("GitLab"),
+    app: z.literal(AppConnection.GitLab),
+    methods: z.nativeEnum(GitLabConnectionMethod).array(),
+    oauthClientId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.GitLab] }));

backend/src/services/app-connection/hc-vault/hc-vault-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { HCVaultConnectionMethod } from "./hc-vault-connection-enums";
 
 const InstanceUrlSchema = z
@@ -59,7 +60,7 @@ export const SanitizedHCVaultConnectionSchema = z.discriminatedUnion("method", [
       namespace: true,
       instanceUrl: true
     })
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.HCVault]} (Access Token)` })),
   BaseHCVaultConnectionSchema.extend({
     method: z.literal(HCVaultConnectionMethod.AppRole),
     credentials: HCVaultConnectionAppRoleCredentialsSchema.pick({
@@ -67,7 +68,7 @@ export const SanitizedHCVaultConnectionSchema = z.discriminatedUnion("method", [
       instanceUrl: true,
       roleId: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.HCVault]} (App Role)` }))
 ]);
 
 export const ValidateHCVaultConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -100,8 +101,10 @@ export const UpdateHCVaultConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.HCVault, { supportsGateways: true }));
 
-export const HCVaultConnectionListItemSchema = z.object({
-  name: z.literal("HCVault"),
-  app: z.literal(AppConnection.HCVault),
-  methods: z.nativeEnum(HCVaultConnectionMethod).array()
-});
+export const HCVaultConnectionListItemSchema = z
+  .object({
+    name: z.literal("HCVault"),
+    app: z.literal(AppConnection.HCVault),
+    methods: z.nativeEnum(HCVaultConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.HCVault] }));

backend/src/services/app-connection/heroku/heroku-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { HerokuConnectionMethod } from "./heroku-connection-enums";
 
 export const HerokuConnectionAuthTokenCredentialsSchema = z.object({
@@ -51,11 +52,11 @@ export const SanitizedHerokuConnectionSchema = z.discriminatedUnion("method", [
   BaseHerokuConnectionSchema.extend({
     method: z.literal(HerokuConnectionMethod.AuthToken),
     credentials: HerokuConnectionAuthTokenCredentialsSchema.pick({})
-  }),
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Heroku]} (Auth Token)` })),
   BaseHerokuConnectionSchema.extend({
     method: z.literal(HerokuConnectionMethod.OAuth),
     credentials: HerokuConnectionOAuthOutputCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Heroku]} (OAuth)` }))
 ]);
 
 export const ValidateHerokuConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -95,9 +96,11 @@ export const UpdateHerokuConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Heroku));
 
-export const HerokuConnectionListItemSchema = z.object({
-  name: z.literal("Heroku"),
-  app: z.literal(AppConnection.Heroku),
-  methods: z.nativeEnum(HerokuConnectionMethod).array(),
-  oauthClientId: z.string().optional()
-});
+export const HerokuConnectionListItemSchema = z
+  .object({
+    name: z.literal("Heroku"),
+    app: z.literal(AppConnection.Heroku),
+    methods: z.nativeEnum(HerokuConnectionMethod).array(),
+    oauthClientId: z.string().optional()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Heroku] }));

backend/src/services/app-connection/humanitec/humanitec-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
 
 export const HumanitecConnectionAccessTokenCredentialsSchema = z.object({
@@ -25,7 +26,7 @@ export const SanitizedHumanitecConnectionSchema = z.discriminatedUnion("method",
   BaseHumanitecConnectionSchema.extend({
     method: z.literal(HumanitecConnectionMethod.ApiToken),
     credentials: HumanitecConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Humanitec]} (API Token)` }))
 ]);
 
 export const ValidateHumanitecConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -51,8 +52,10 @@ export const UpdateHumanitecConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Humanitec));
 
-export const HumanitecConnectionListItemSchema = z.object({
-  name: z.literal("Humanitec"),
-  app: z.literal(AppConnection.Humanitec),
-  methods: z.nativeEnum(HumanitecConnectionMethod).array()
-});
+export const HumanitecConnectionListItemSchema = z
+  .object({
+    name: z.literal("Humanitec"),
+    app: z.literal(AppConnection.Humanitec),
+    methods: z.nativeEnum(HumanitecConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Humanitec] }));

backend/src/services/app-connection/laravel-forge/laravel-forge-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { LaravelForgeConnectionMethod } from "./laravel-forge-connection-enums";
 
 export const LaravelForgeConnectionApiTokenCredentialsSchema = z.object({
@@ -25,7 +26,7 @@ export const SanitizedLaravelForgeConnectionSchema = z.discriminatedUnion("metho
   BaseLaravelForgeConnectionSchema.extend({
     method: z.literal(LaravelForgeConnectionMethod.ApiToken),
     credentials: LaravelForgeConnectionApiTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.LaravelForge]} (API Token)` }))
 ]);
 
 export const ValidateLaravelForgeConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -51,8 +52,10 @@ export const UpdateLaravelForgeConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.LaravelForge));
 
-export const LaravelForgeConnectionListItemSchema = z.object({
-  name: z.literal("Laravel Forge"),
-  app: z.literal(AppConnection.LaravelForge),
-  methods: z.nativeEnum(LaravelForgeConnectionMethod).array()
-});
+export const LaravelForgeConnectionListItemSchema = z
+  .object({
+    name: z.literal("Laravel Forge"),
+    app: z.literal(AppConnection.LaravelForge),
+    methods: z.nativeEnum(LaravelForgeConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.LaravelForge] }));

backend/src/services/app-connection/ldap/ldap-connection-fns.ts

@@ -1,6 +1,11 @@
 import ldap from "ldapjs";
 
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
+import { TGatewayV2ServiceFactory } from "@app/ee/services/gateway-v2/gateway-v2-service";
+import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { GatewayProxyProtocol } from "@app/lib/gateway";
+import { withGatewayV2Proxy } from "@app/lib/gateway-v2/gateway-v2";
 import { logger } from "@app/lib/logger";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
@@ -8,6 +13,66 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 import { LdapConnectionMethod } from "./ldap-connection-enums";
 import { TLdapConnectionConfig } from "./ldap-connection-types";
 
+const LDAP_TIMEOUT = 15_000;
+
+const parseLdapUrl = (url: string): { protocol: string; host: string; port: number } => {
+  const urlObj = new URL(url);
+  const isSSL = urlObj.protocol === "ldaps:";
+  const defaultPort = isSSL ? 636 : 389;
+
+  return {
+    protocol: urlObj.protocol.replace(":", ""),
+    host: urlObj.hostname,
+    port: urlObj.port ? parseInt(urlObj.port, 10) : defaultPort
+  };
+};
+
+const constructLdapUrl = (protocol: string, host: string, port: number): string => {
+  return `${protocol}://${host}:${port}`;
+};
+
+const setupLdapClientHandlers = <T>(
+  client: ldap.Client,
+  dn: string,
+  password: string,
+  onSuccess: (client: ldap.Client) => T | Promise<T>
+): Promise<T> => {
+  return new Promise<T>((resolve, reject) => {
+    const handleError = (errorType: string, err: Error) => {
+      logger.error(err, errorType);
+      client.destroy();
+      reject(new Error(`${errorType.replace("LDAP ", "")} - ${err.message}`));
+    };
+
+    client.on("error", (err: Error) => handleError("LDAP Error", err));
+    client.on("connectError", (err: Error) => handleError("LDAP Connection Error", err));
+    client.on("connectRefused", (err: Error) => handleError("LDAP Connection Refused", err));
+    client.on("connectTimeout", (err: Error) => handleError("LDAP Connection Timeout", err));
+
+    client.on("connect", () => {
+      client.bind(dn, password, (err) => {
+        if (err) {
+          logger.error(err, "LDAP Bind Error");
+          client.destroy();
+          reject(new Error(`Bind Error: ${err.message}`));
+          return;
+        }
+
+        try {
+          const result = onSuccess(client);
+          if (result instanceof Promise) {
+            result.then((value) => resolve(value)).catch(reject);
+          } else {
+            resolve(result);
+          }
+        } catch (error) {
+          reject(error);
+        }
+      });
+    });
+  });
+};
+
 export const getLdapConnectionListItem = () => {
   return {
     name: "LDAP" as const,
@@ -16,8 +81,6 @@ export const getLdapConnectionListItem = () => {
   };
 };
 
-const LDAP_TIMEOUT = 15_000;
-
 export const getLdapConnectionClient = async ({
   url,
   dn,
@@ -25,78 +88,112 @@ export const getLdapConnectionClient = async ({
   sslCertificate,
   sslRejectUnauthorized = true
 }: TLdapConnectionConfig["credentials"]) => {
-  await blockLocalAndPrivateIpAddresses(url);
+  await blockLocalAndPrivateIpAddresses(url, false);
 
   const isSSL = url.startsWith("ldaps");
 
-  return new Promise<ldap.Client>((resolve, reject) => {
-    const client = ldap.createClient({
-      url,
-      timeout: LDAP_TIMEOUT,
-      connectTimeout: LDAP_TIMEOUT,
-      tlsOptions: isSSL
-        ? {
-            rejectUnauthorized: sslRejectUnauthorized,
-            ca: sslCertificate ? [sslCertificate] : undefined
-          }
-        : undefined
-    });
-
-    client.on("error", (err: Error) => {
-      logger.error(err, "LDAP Error");
-      client.destroy();
-      reject(new Error(`Provider Error - ${err.message}`));
-    });
-
-    client.on("connectError", (err: Error) => {
-      logger.error(err, "LDAP Connection Error");
-      client.destroy();
-      reject(new Error(`Provider Connect Error - ${err.message}`));
-    });
-
-    client.on("connectRefused", (err: Error) => {
-      logger.error(err, "LDAP Connection Refused");
-      client.destroy();
-      reject(new Error(`Provider Connection Refused - ${err.message}`));
-    });
-
-    client.on("connectTimeout", (err: Error) => {
-      logger.error(err, "LDAP Connection Timeout");
-      client.destroy();
-      reject(new Error(`Provider Connection Timeout - ${err.message}`));
-    });
-
-    client.on("connect", () => {
-      client.bind(dn, password, (err) => {
-        if (err) {
-          logger.error(err, "LDAP Bind Error");
-          reject(new Error(`Bind Error: ${err.message}`));
-          client.destroy();
+  const client = ldap.createClient({
+    url,
+    timeout: LDAP_TIMEOUT,
+    connectTimeout: LDAP_TIMEOUT,
+    tlsOptions: isSSL
+      ? {
+          rejectUnauthorized: sslRejectUnauthorized,
+          ca: sslCertificate ? [sslCertificate] : undefined
         }
-
-        resolve(client);
-      });
-    });
+      : undefined
   });
+
+  return setupLdapClientHandlers<ldap.Client>(client, dn, password, (ldapClient) => ldapClient);
 };
 
-export const validateLdapConnectionCredentials = async ({ credentials }: TLdapConnectionConfig) => {
-  let client: ldap.Client | undefined;
+export const executeWithPotentialGateway = async <T>(
+  config: TLdapConnectionConfig,
+  gatewayV2Service: Pick<TGatewayV2ServiceFactory, "getPlatformConnectionDetailsByGatewayId">,
+  operation: (client: ldap.Client) => Promise<T>
+): Promise<T> => {
+  const { gatewayId, credentials } = config;
+  const { protocol, host, port } = parseLdapUrl(credentials.url);
+  const appCfg = getConfig();
 
-  try {
-    client = await getLdapConnectionClient(credentials);
+  if (gatewayId && gatewayV2Service) {
+    await blockLocalAndPrivateIpAddresses(credentials.url, true);
+    const platformConnectionDetails = await gatewayV2Service.getPlatformConnectionDetailsByGatewayId({
+      gatewayId,
+      targetHost: host,
+      targetPort: port
+    });
 
-    // this shouldn't occur as handle connection error events in client but here as fallback
-    if (!client.connected) {
-      throw new BadRequestError({ message: "Unable to connect to LDAP server" });
+    if (!platformConnectionDetails) {
+      throw new BadRequestError({ message: "Unable to connect to gateway, no platform connection details found" });
     }
 
-    return credentials;
-  } catch (e: unknown) {
-    throw new BadRequestError({
-      message: `Unable to validate connection: ${(e as Error).message || "verify credentials"}`
-    });
+    return withGatewayV2Proxy(
+      async (proxyPort) => {
+        const proxyUrl = constructLdapUrl(protocol, "localhost", proxyPort);
+        const isSSL = protocol === "ldaps";
+
+        const client = ldap.createClient({
+          url: proxyUrl,
+          timeout: LDAP_TIMEOUT,
+          connectTimeout: LDAP_TIMEOUT,
+          tlsOptions: isSSL
+            ? {
+                rejectUnauthorized: config.credentials.sslRejectUnauthorized,
+                ca: config.credentials.sslCertificate ? [config.credentials.sslCertificate] : undefined,
+                servername: host,
+                // bypass hostname verification for development
+                ...(appCfg.isDevelopmentMode ? { checkServerIdentity: () => undefined } : {})
+              }
+            : undefined
+        });
+
+        return setupLdapClientHandlers<T>(client, credentials.dn, credentials.password, async (ldapClient) => {
+          try {
+            return await operation(ldapClient);
+          } finally {
+            ldapClient.destroy();
+          }
+        });
+      },
+      {
+        protocol: GatewayProxyProtocol.Tcp,
+        relayHost: platformConnectionDetails.relayHost,
+        gateway: platformConnectionDetails.gateway,
+        relay: platformConnectionDetails.relay
+      }
+    );
+  }
+
+  // Non-gateway path - calls getLdapConnectionClient which has validation
+  const client = await getLdapConnectionClient(credentials);
+  try {
+    return await operation(client);
   } finally {
-    client?.destroy();
+    client.destroy();
+  }
+};
+
+export const validateLdapConnectionCredentials = async (
+  config: TLdapConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">,
+  gatewayV2Service: Pick<TGatewayV2ServiceFactory, "getPlatformConnectionDetailsByGatewayId">
+) => {
+  try {
+    await executeWithPotentialGateway(config, gatewayV2Service, async (client) => {
+      // this shouldn't occur as handle connection error events in client but here as fallback
+      if (!client.connected) {
+        throw new BadRequestError({ message: "Unable to connect to LDAP server" });
+      }
+    });
+
+    return config.credentials;
+  } catch (error) {
+    throw new BadRequestError({
+      message: `Unable to validate connection: ${
+        (error as Error)?.message?.replaceAll(config.credentials.password, "********************") ??
+        "verify credentials"
+      }`
+    });
   }
 };

backend/src/services/app-connection/ldap/ldap-connection-schemas.ts

@@ -9,6 +9,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { LdapConnectionMethod, LdapProvider } from "./ldap-connection-enums";
 
 export const LdapConnectionSimpleBindCredentialsSchema = z.object({
@@ -61,7 +62,7 @@ export const SanitizedLdapConnectionSchema = z.discriminatedUnion("method", [
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.LDAP]} (Simple Bind)` }))
 ]);
 
 export const ValidateLdapConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -74,7 +75,9 @@ export const ValidateLdapConnectionCredentialsSchema = z.discriminatedUnion("met
 ]);
 
 export const CreateLdapConnectionSchema = ValidateLdapConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.LDAP)
+  GenericCreateAppConnectionFieldsSchema(AppConnection.LDAP, {
+    supportsGateways: true
+  })
 );
 
 export const UpdateLdapConnectionSchema = z
@@ -83,12 +86,18 @@ export const UpdateLdapConnectionSchema = z
       AppConnections.UPDATE(AppConnection.LDAP).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.LDAP));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.LDAP, {
+      supportsGateways: true
+    })
+  );
 
-export const LdapConnectionListItemSchema = z.object({
-  name: z.literal("LDAP"),
-  app: z.literal(AppConnection.LDAP),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
-  methods: z.nativeEnum(LdapConnectionMethod).array()
-});
+export const LdapConnectionListItemSchema = z
+  .object({
+    name: z.literal("LDAP"),
+    app: z.literal(AppConnection.LDAP),
+    // the below is preferable but currently breaks with our zod to json schema parser
+    // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
+    methods: z.nativeEnum(LdapConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.LDAP] }));

backend/src/services/app-connection/ldap/ldap-connection-types.ts

@@ -17,6 +17,9 @@ export type TLdapConnectionInput = z.infer<typeof CreateLdapConnectionSchema> &
 
 export type TValidateLdapConnectionCredentialsSchema = typeof ValidateLdapConnectionCredentialsSchema;
 
-export type TLdapConnectionConfig = DiscriminativePick<TLdapConnection, "method" | "app" | "credentials"> & {
+export type TLdapConnectionConfig = DiscriminativePick<
+  TLdapConnectionInput,
+  "method" | "app" | "credentials" | "gatewayId"
+> & {
   orgId: string;
 };

backend/src/services/app-connection/mssql/mssql-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
 } from "@app/services/app-connection/app-connection-schemas";
 
 import { AppConnection } from "../app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { BaseSqlUsernameAndPasswordConnectionSchema } from "../shared/sql";
 import { MsSqlConnectionMethod } from "./mssql-connection-enums";
 
@@ -34,7 +35,7 @@ export const SanitizedMsSqlConnectionSchema = z.discriminatedUnion("method", [
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.MsSql]} (Username and Password)` }))
 ]);
 
 export const ValidateMsSqlConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -68,9 +69,11 @@ export const UpdateMsSqlConnectionSchema = z
     })
   );
 
-export const MsSqlConnectionListItemSchema = z.object({
-  name: z.literal("Microsoft SQL Server"),
-  app: z.literal(AppConnection.MsSql),
-  methods: z.nativeEnum(MsSqlConnectionMethod).array(),
-  supportsPlatformManagement: z.literal(true)
-});
+export const MsSqlConnectionListItemSchema = z
+  .object({
+    name: z.literal("Microsoft SQL Server"),
+    app: z.literal(AppConnection.MsSql),
+    methods: z.nativeEnum(MsSqlConnectionMethod).array(),
+    supportsPlatformManagement: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.MsSql] }));

backend/src/services/app-connection/mysql/mysql-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
 } from "@app/services/app-connection/app-connection-schemas";
 
 import { AppConnection } from "../app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { BaseSqlUsernameAndPasswordConnectionSchema } from "../shared/sql";
 import { MySqlConnectionMethod } from "./mysql-connection-enums";
 
@@ -32,7 +33,7 @@ export const SanitizedMySqlConnectionSchema = z.discriminatedUnion("method", [
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.MySql]} (Username and Password)` }))
 ]);
 
 export const ValidateMySqlConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -66,9 +67,11 @@ export const UpdateMySqlConnectionSchema = z
     })
   );
 
-export const MySqlConnectionListItemSchema = z.object({
-  name: z.literal("MySQL"),
-  app: z.literal(AppConnection.MySql),
-  methods: z.nativeEnum(MySqlConnectionMethod).array(),
-  supportsPlatformManagement: z.literal(true)
-});
+export const MySqlConnectionListItemSchema = z
+  .object({
+    name: z.literal("MySQL"),
+    app: z.literal(AppConnection.MySql),
+    methods: z.nativeEnum(MySqlConnectionMethod).array(),
+    supportsPlatformManagement: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.MySql] }));

backend/src/services/app-connection/netlify/netlify-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { NetlifyConnectionMethod } from "./netlify-connection-constants";
 
 export const NetlifyConnectionMethodSchema = z
@@ -36,7 +37,7 @@ export const SanitizedNetlifyConnectionSchema = z.discriminatedUnion("method", [
   BaseNetlifyConnectionSchema.extend({
     method: NetlifyConnectionMethodSchema,
     credentials: NetlifyConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Netlify]} (Access Token)` }))
 ]);
 
 export const ValidateNetlifyConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -60,8 +61,10 @@ export const UpdateNetlifyConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Netlify));
 
-export const NetlifyConnectionListItemSchema = z.object({
-  name: z.literal("Netlify"),
-  app: z.literal(AppConnection.Netlify),
-  methods: z.nativeEnum(NetlifyConnectionMethod).array()
-});
+export const NetlifyConnectionListItemSchema = z
+  .object({
+    name: z.literal("Netlify"),
+    app: z.literal(AppConnection.Netlify),
+    methods: z.nativeEnum(NetlifyConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Netlify] }));

backend/src/services/app-connection/northflank/northflank-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { NorthflankConnectionMethod } from "./northflank-connection-enums";
 
 export const NorthflankConnectionApiTokenCredentialsSchema = z.object({
@@ -27,7 +28,7 @@ export const SanitizedNorthflankConnectionSchema = z.discriminatedUnion("method"
   BaseNorthflankConnectionSchema.extend({
     method: z.literal(NorthflankConnectionMethod.ApiToken),
     credentials: NorthflankConnectionApiTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Northflank]} (API Token)` }))
 ]);
 
 export const ValidateNorthflankConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -53,8 +54,10 @@ export const UpdateNorthflankConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Northflank));
 
-export const NorthflankConnectionListItemSchema = z.object({
-  name: z.literal("Northflank"),
-  app: z.literal(AppConnection.Northflank),
-  methods: z.nativeEnum(NorthflankConnectionMethod).array()
-});
+export const NorthflankConnectionListItemSchema = z
+  .object({
+    name: z.literal("Northflank"),
+    app: z.literal(AppConnection.Northflank),
+    methods: z.nativeEnum(NorthflankConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Northflank] }));

backend/src/services/app-connection/okta/okta-connection-schemas.ts

@@ -9,6 +9,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { OktaConnectionMethod } from "./okta-connection-enums";
 
 export const OktaConnectionApiTokenCredentialsSchema = z.object({
@@ -40,7 +41,7 @@ export const SanitizedOktaConnectionSchema = z.discriminatedUnion("method", [
     credentials: OktaConnectionApiTokenCredentialsSchema.pick({
       instanceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Okta]} (API Token)` }))
 ]);
 
 export const ValidateOktaConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -62,8 +63,10 @@ export const UpdateOktaConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Okta));
 
-export const OktaConnectionListItemSchema = z.object({
-  name: z.literal("Okta"),
-  app: z.literal(AppConnection.Okta),
-  methods: z.nativeEnum(OktaConnectionMethod).array()
-});
+export const OktaConnectionListItemSchema = z
+  .object({
+    name: z.literal("Okta"),
+    app: z.literal(AppConnection.Okta),
+    methods: z.nativeEnum(OktaConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Okta] }));

backend/src/services/app-connection/postgres/postgres-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
 } from "@app/services/app-connection/app-connection-schemas";
 
 import { AppConnection } from "../app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { BaseSqlUsernameAndPasswordConnectionSchema } from "../shared/sql";
 import { PostgresConnectionMethod } from "./postgres-connection-enums";
 
@@ -32,7 +33,7 @@ export const SanitizedPostgresConnectionSchema = z.discriminatedUnion("method",
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Postgres]} (Username and Password)` }))
 ]);
 
 export const ValidatePostgresConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -66,9 +67,11 @@ export const UpdatePostgresConnectionSchema = z
     })
   );
 
-export const PostgresConnectionListItemSchema = z.object({
-  name: z.literal("PostgreSQL"),
-  app: z.literal(AppConnection.Postgres),
-  methods: z.nativeEnum(PostgresConnectionMethod).array(),
-  supportsPlatformManagement: z.literal(true)
-});
+export const PostgresConnectionListItemSchema = z
+  .object({
+    name: z.literal("PostgreSQL"),
+    app: z.literal(AppConnection.Postgres),
+    methods: z.nativeEnum(PostgresConnectionMethod).array(),
+    supportsPlatformManagement: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Postgres] }));

backend/src/services/app-connection/railway/railway-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { RailwayConnectionMethod } from "./railway-connection-constants";
 
 export const RailwayConnectionMethodSchema = z
@@ -36,7 +37,7 @@ export const SanitizedRailwayConnectionSchema = z.discriminatedUnion("method", [
   BaseRailwayConnectionSchema.extend({
     method: RailwayConnectionMethodSchema,
     credentials: RailwayConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Railway]} (Access Token)` }))
 ]);
 
 export const ValidateRailwayConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -60,11 +61,13 @@ export const UpdateRailwayConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Railway));
 
-export const RailwayConnectionListItemSchema = z.object({
-  name: z.literal("Railway"),
-  app: z.literal(AppConnection.Railway),
-  methods: z.nativeEnum(RailwayConnectionMethod).array()
-});
+export const RailwayConnectionListItemSchema = z
+  .object({
+    name: z.literal("Railway"),
+    app: z.literal(AppConnection.Railway),
+    methods: z.nativeEnum(RailwayConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Railway] }));
 
 export const RailwayResourceSchema = z.object({
   node: z.object({

backend/src/services/app-connection/redis/redis-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
 } from "@app/services/app-connection/app-connection-schemas";
 
 import { AppConnection } from "../app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { RedisConnectionMethod } from "./redis-connection-enums";
 
 export const BaseRedisUsernameAndPasswordConnectionSchema = z.object({
@@ -45,7 +46,7 @@ export const SanitizedRedisConnectionSchema = z.discriminatedUnion("method", [
       sslRejectUnauthorized: true,
       sslCertificate: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Redis]} (Username and Password)` }))
 ]);
 
 export const ValidateRedisConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -79,9 +80,11 @@ export const UpdateRedisConnectionSchema = z
     })
   );
 
-export const RedisConnectionListItemSchema = z.object({
-  name: z.literal("Redis"),
-  app: z.literal(AppConnection.Redis),
-  methods: z.nativeEnum(RedisConnectionMethod).array(),
-  supportsPlatformManagement: z.literal(false)
-});
+export const RedisConnectionListItemSchema = z
+  .object({
+    name: z.literal("Redis"),
+    app: z.literal(AppConnection.Redis),
+    methods: z.nativeEnum(RedisConnectionMethod).array(),
+    supportsPlatformManagement: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Redis] }));

backend/src/services/app-connection/render/render-connection-schema.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { RenderConnectionMethod } from "./render-connection-enums";
 
 export const RenderConnectionApiKeyCredentialsSchema = z.object({
@@ -25,7 +26,7 @@ export const SanitizedRenderConnectionSchema = z.discriminatedUnion("method", [
   BaseRenderConnectionSchema.extend({
     method: z.literal(RenderConnectionMethod.ApiKey),
     credentials: RenderConnectionApiKeyCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Render]} (API Key)` }))
 ]);
 
 export const ValidateRenderConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -49,8 +50,10 @@ export const UpdateRenderConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Render));
 
-export const RenderConnectionListItemSchema = z.object({
-  name: z.literal("Render"),
-  app: z.literal(AppConnection.Render),
-  methods: z.nativeEnum(RenderConnectionMethod).array()
-});
+export const RenderConnectionListItemSchema = z
+  .object({
+    name: z.literal("Render"),
+    app: z.literal(AppConnection.Render),
+    methods: z.nativeEnum(RenderConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Render] }));

backend/src/services/app-connection/supabase/supabase-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { SupabaseConnectionMethod } from "./supabase-connection-constants";
 
 export const SupabaseConnectionMethodSchema = z
@@ -39,7 +40,7 @@ export const SanitizedSupabaseConnectionSchema = z.discriminatedUnion("method",
     credentials: SupabaseConnectionAccessTokenCredentialsSchema.pick({
       instanceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Supabase]} (Access Token)` }))
 ]);
 
 export const ValidateSupabaseConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -63,8 +64,10 @@ export const UpdateSupabaseConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Supabase));
 
-export const SupabaseConnectionListItemSchema = z.object({
-  name: z.literal("Supabase"),
-  app: z.literal(AppConnection.Supabase),
-  methods: z.nativeEnum(SupabaseConnectionMethod).array()
-});
+export const SupabaseConnectionListItemSchema = z
+  .object({
+    name: z.literal("Supabase"),
+    app: z.literal(AppConnection.Supabase),
+    methods: z.nativeEnum(SupabaseConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Supabase] }));

backend/src/services/app-connection/teamcity/teamcity-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { TeamCityConnectionMethod } from "./teamcity-connection-enums";
 
 export const TeamCityConnectionAccessTokenCredentialsSchema = z.object({
@@ -37,7 +38,7 @@ export const SanitizedTeamCityConnectionSchema = z.discriminatedUnion("method",
     credentials: TeamCityConnectionAccessTokenCredentialsSchema.pick({
       instanceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.TeamCity]} (Access Token)` }))
 ]);
 
 export const ValidateTeamCityConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -63,8 +64,10 @@ export const UpdateTeamCityConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.TeamCity));
 
-export const TeamCityConnectionListItemSchema = z.object({
-  name: z.literal("TeamCity"),
-  app: z.literal(AppConnection.TeamCity),
-  methods: z.nativeEnum(TeamCityConnectionMethod).array()
-});
+export const TeamCityConnectionListItemSchema = z
+  .object({
+    name: z.literal("TeamCity"),
+    app: z.literal(AppConnection.TeamCity),
+    methods: z.nativeEnum(TeamCityConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.TeamCity] }));

backend/src/services/app-connection/terraform-cloud/terraform-cloud-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { TerraformCloudConnectionMethod } from "./terraform-cloud-connection-enums";
 
 export const TerraformCloudConnectionAccessTokenCredentialsSchema = z.object({
@@ -27,7 +28,7 @@ export const SanitizedTerraformCloudConnectionSchema = z.discriminatedUnion("met
   BaseTerraformCloudConnectionSchema.extend({
     method: z.literal(TerraformCloudConnectionMethod.ApiToken),
     credentials: TerraformCloudConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.TerraformCloud]} (API Token)` }))
 ]);
 
 export const ValidateTerraformCloudConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -53,8 +54,10 @@ export const UpdateTerraformCloudConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.TerraformCloud));
 
-export const TerraformCloudConnectionListItemSchema = z.object({
-  name: z.literal("Terraform Cloud"),
-  app: z.literal(AppConnection.TerraformCloud),
-  methods: z.nativeEnum(TerraformCloudConnectionMethod).array()
-});
+export const TerraformCloudConnectionListItemSchema = z
+  .object({
+    name: z.literal("Terraform Cloud"),
+    app: z.literal(AppConnection.TerraformCloud),
+    methods: z.nativeEnum(TerraformCloudConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.TerraformCloud] }));

backend/src/services/app-connection/vercel/vercel-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { VercelConnectionMethod } from "./vercel-connection-enums";
 
 export const VercelConnectionAccessTokenCredentialsSchema = z.object({
@@ -27,7 +28,7 @@ export const SanitizedVercelConnectionSchema = z.discriminatedUnion("method", [
   BaseVercelConnectionSchema.extend({
     method: z.literal(VercelConnectionMethod.ApiToken),
     credentials: VercelConnectionAccessTokenCredentialsSchema.pick({})
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Vercel]} (API Token)` }))
 ]);
 
 export const ValidateVercelConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -51,8 +52,10 @@ export const UpdateVercelConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Vercel));
 
-export const VercelConnectionListItemSchema = z.object({
-  name: z.literal("Vercel"),
-  app: z.literal(AppConnection.Vercel),
-  methods: z.nativeEnum(VercelConnectionMethod).array()
-});
+export const VercelConnectionListItemSchema = z
+  .object({
+    name: z.literal("Vercel"),
+    app: z.literal(AppConnection.Vercel),
+    methods: z.nativeEnum(VercelConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Vercel] }));

backend/src/services/app-connection/windmill/windmill-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { WindmillConnectionMethod } from "./windmill-connection-enums";
 
 export const WindmillConnectionAccessTokenCredentialsSchema = z.object({
@@ -37,7 +38,7 @@ export const SanitizedWindmillConnectionSchema = z.discriminatedUnion("method",
     credentials: WindmillConnectionAccessTokenCredentialsSchema.pick({
       instanceUrl: true
     })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Windmill]} (Access Token)` }))
 ]);
 
 export const ValidateWindmillConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -63,8 +64,10 @@ export const UpdateWindmillConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Windmill));
 
-export const WindmillConnectionListItemSchema = z.object({
-  name: z.literal("Windmill"),
-  app: z.literal(AppConnection.Windmill),
-  methods: z.nativeEnum(WindmillConnectionMethod).array()
-});
+export const WindmillConnectionListItemSchema = z
+  .object({
+    name: z.literal("Windmill"),
+    app: z.literal(AppConnection.Windmill),
+    methods: z.nativeEnum(WindmillConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Windmill] }));

backend/src/services/app-connection/zabbix/zabbix-connection-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
 import { ZabbixConnectionMethod } from "./zabbix-connection-enums";
 
 export const ZabbixConnectionApiTokenCredentialsSchema = z.object({
@@ -31,7 +32,7 @@ export const SanitizedZabbixConnectionSchema = z.discriminatedUnion("method", [
   BaseZabbixConnectionSchema.extend({
     method: z.literal(ZabbixConnectionMethod.ApiToken),
     credentials: ZabbixConnectionApiTokenCredentialsSchema.pick({ instanceUrl: true })
-  })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.Zabbix]} (API Token)` }))
 ]);
 
 export const ValidateZabbixConnectionCredentialsSchema = z.discriminatedUnion("method", [
@@ -55,8 +56,10 @@ export const UpdateZabbixConnectionSchema = z
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Zabbix));
 
-export const ZabbixConnectionListItemSchema = z.object({
-  name: z.literal("Zabbix"),
-  app: z.literal(AppConnection.Zabbix),
-  methods: z.nativeEnum(ZabbixConnectionMethod).array()
-});
+export const ZabbixConnectionListItemSchema = z
+  .object({
+    name: z.literal("Zabbix"),
+    app: z.literal(AppConnection.Zabbix),
+    methods: z.nativeEnum(ZabbixConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.Zabbix] }));

backend/src/services/auth/auth-login-service.ts

@@ -454,6 +454,30 @@ export const authLoginServiceFactory = ({
         });
       }
 
+      if (organizationId) {
+        await auditLogService.createAuditLog({
+          orgId: organizationId,
+          ipAddress: ip,
+          userAgent,
+          userAgentType: getUserAgentType(userAgent),
+          actor: {
+            type: ActorType.USER,
+            metadata: {
+              email: userEnc.email,
+              userId: userEnc.userId,
+              username: userEnc.username,
+              authMethod
+            }
+          },
+          event: {
+            type: EventType.USER_LOGIN,
+            metadata: {
+              organizationId
+            }
+          }
+        });
+      }
+
       return {
         tokens: {
           accessToken: token.access,
@@ -646,6 +670,29 @@ export const authLoginServiceFactory = ({
       }
     }
 
+    await auditLogService.createAuditLog({
+      orgId: organizationId,
+      ipAddress,
+      userAgent,
+      userAgentType: getUserAgentType(userAgent),
+      actor: {
+        type: ActorType.USER,
+        metadata: {
+          email: user.email,
+          userId: user.id,
+          username: user.username,
+          authMethod: decodedToken.authMethod
+        }
+      },
+      event: {
+        type: EventType.SELECT_ORGANIZATION,
+        metadata: {
+          organizationId,
+          organizationName: selectedOrg.name
+        }
+      }
+    });
+
     return {
       ...tokens,
       user,
@@ -1039,6 +1086,33 @@ export const authLoginServiceFactory = ({
       organizationId
     });
 
+    if (organizationId) {
+      await auditLogService.createAuditLog({
+        orgId: organizationId,
+        ipAddress: ip,
+        userAgent,
+        userAgentType: getUserAgentType(userAgent),
+        actor: {
+          type: ActorType.USER,
+          metadata: {
+            email: userEnc.email,
+            userId: userEnc.userId,
+            username: userEnc.username,
+            authMethod: decodedProviderToken.authMethod
+          }
+        },
+        event: {
+          type: EventType.USER_LOGIN,
+          metadata: {
+            organizationId,
+            ...(isAuthMethodSaml(decodedProviderToken.authMethod) && {
+              authProvider: decodedProviderToken.authMethod
+            })
+          }
+        }
+      });
+    }
+
     return { token, isMfaEnabled: false, user: userEnc, decodedProviderToken } as const;
   };
 

backend/src/services/role/role-service.ts

@@ -6,6 +6,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema, unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
+import { TMembershipRoleDALFactory } from "@app/services/membership/membership-role-dal";
 
 import { ActorType } from "../auth/auth-type";
 import { TExternalGroupOrgRoleMappingDALFactory } from "../external-group-org-role-mapping/external-group-org-role-mapping-dal";
@@ -33,6 +34,7 @@ type TRoleServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   externalGroupOrgRoleMappingDAL: Pick<TExternalGroupOrgRoleMappingDALFactory, "findOne">;
+  membershipRoleDAL: Pick<TMembershipRoleDALFactory, "find">;
 };
 
 export type TRoleServiceFactory = ReturnType<typeof roleServiceFactory>;
@@ -43,7 +45,8 @@ export const roleServiceFactory = ({
   projectDAL,
   identityDAL,
   userDAL,
-  externalGroupOrgRoleMappingDAL
+  externalGroupOrgRoleMappingDAL,
+  membershipRoleDAL
 }: TRoleServiceFactoryDep) => {
   const orgRoleFactory = newOrgRoleFactory({
     permissionService,
@@ -137,6 +140,23 @@ export const roleServiceFactory = ({
     });
     if (!existingRole) throw new NotFoundError({ message: `Role with ${dto.selector.id} not found` });
 
+    const [roleUsageData] = await membershipRoleDAL.find(
+      {
+        customRoleId: dto.selector.id
+      },
+      { count: true }
+    );
+
+    if (roleUsageData) {
+      const count = Number.parseInt(roleUsageData.count, 10);
+      if (count > 0) {
+        const plural = count > 1 ? "s" : "";
+        throw new BadRequestError({
+          message: `Role is assigned to ${count} identity membership${plural}. Re-assign membership role${plural} to delete this role.`
+        });
+      }
+    }
+
     const [role] = await roleDAL.delete({
       id: existingRole.id,
       [scope.key]: scope.value

backend/src/services/secret-sync/1password/1password-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const OnePassSyncDestinationConfigSchema = z.object({
   vaultId: z.string().trim().min(1, "Vault required").describe(SecretSyncs.DESTINATION_CONFIG.ONEPASS.vaultId),
   valueLabel: z.string().trim().optional().describe(SecretSyncs.DESTINATION_CONFIG.ONEPASS.valueLabel)
@@ -17,10 +19,12 @@ const OnePassSyncDestinationConfigSchema = z.object({
 
 const OnePassSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const OnePassSyncSchema = BaseSecretSyncSchema(SecretSync.OnePass, OnePassSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.OnePass),
-  destinationConfig: OnePassSyncDestinationConfigSchema
-});
+export const OnePassSyncSchema = BaseSecretSyncSchema(SecretSync.OnePass, OnePassSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.OnePass),
+    destinationConfig: OnePassSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.OnePass] }));
 
 export const CreateOnePassSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.OnePass,
@@ -36,9 +40,11 @@ export const UpdateOnePassSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: OnePassSyncDestinationConfigSchema.optional()
 });
 
-export const OnePassSyncListItemSchema = z.object({
-  name: z.literal("1Password"),
-  connection: z.literal(AppConnection.OnePass),
-  destination: z.literal(SecretSync.OnePass),
-  canImportSecrets: z.literal(true)
-});
+export const OnePassSyncListItemSchema = z
+  .object({
+    name: z.literal("1Password"),
+    connection: z.literal(AppConnection.OnePass),
+    destination: z.literal(SecretSync.OnePass),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.OnePass] }));

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const tagFieldCharacterValidator = characterValidator([
   CharacterType.AlphaNumeric,
   CharacterType.Spaces,
@@ -105,10 +107,12 @@ export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(
   SecretSync.AWSParameterStore,
   AwsParameterStoreSyncOptionsConfig,
   AwsParameterStoreSyncOptionsSchema
-).extend({
-  destination: z.literal(SecretSync.AWSParameterStore),
-  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.AWSParameterStore),
+    destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AWSParameterStore] }));
 
 export const CreateAwsParameterStoreSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.AWSParameterStore,
@@ -126,9 +130,11 @@ export const UpdateAwsParameterStoreSyncSchema = GenericUpdateSecretSyncFieldsSc
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema.optional()
 });
 
-export const AwsParameterStoreSyncListItemSchema = z.object({
-  name: z.literal("AWS Parameter Store"),
-  connection: z.literal(AppConnection.AWS),
-  destination: z.literal(SecretSync.AWSParameterStore),
-  canImportSecrets: z.literal(true)
-});
+export const AwsParameterStoreSyncListItemSchema = z
+  .object({
+    name: z.literal("AWS Parameter Store"),
+    connection: z.literal(AppConnection.AWS),
+    destination: z.literal(SecretSync.AWSParameterStore),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AWSParameterStore] }));

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-schemas.ts

@@ -12,6 +12,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const AwsSecretsManagerSyncDestinationConfigSchema = z
   .discriminatedUnion("mappingBehavior", [
     z.object({
@@ -119,10 +121,12 @@ export const AwsSecretsManagerSyncSchema = BaseSecretSyncSchema(
   SecretSync.AWSSecretsManager,
   AwsSecretsManagerSyncOptionsConfig,
   AwsSecretsManagerSyncOptionsSchema
-).extend({
-  destination: z.literal(SecretSync.AWSSecretsManager),
-  destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.AWSSecretsManager),
+    destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AWSSecretsManager] }));
 
 export const CreateAwsSecretsManagerSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.AWSSecretsManager,
@@ -164,9 +168,11 @@ export const UpdateAwsSecretsManagerSyncSchema = GenericUpdateSecretSyncFieldsSc
     }
   });
 
-export const AwsSecretsManagerSyncListItemSchema = z.object({
-  name: z.literal("AWS Secrets Manager"),
-  connection: z.literal(AppConnection.AWS),
-  destination: z.literal(SecretSync.AWSSecretsManager),
-  canImportSecrets: z.literal(true)
-});
+export const AwsSecretsManagerSyncListItemSchema = z
+  .object({
+    name: z.literal("AWS Secrets Manager"),
+    connection: z.literal(AppConnection.AWS),
+    destination: z.literal(SecretSync.AWSSecretsManager),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AWSSecretsManager] }));

backend/src/services/secret-sync/azure-app-configuration/azure-app-configuration-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const AzureAppConfigurationSyncDestinationConfigSchema = z.object({
   configurationUrl: z
     .string()
@@ -23,10 +25,12 @@ const AzureAppConfigurationSyncOptionsConfig: TSyncOptionsConfig = { canImportSe
 export const AzureAppConfigurationSyncSchema = BaseSecretSyncSchema(
   SecretSync.AzureAppConfiguration,
   AzureAppConfigurationSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.AzureAppConfiguration),
-  destinationConfig: AzureAppConfigurationSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.AzureAppConfiguration),
+    destinationConfig: AzureAppConfigurationSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AzureAppConfiguration] }));
 
 export const CreateAzureAppConfigurationSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.AzureAppConfiguration,
@@ -42,9 +46,11 @@ export const UpdateAzureAppConfigurationSyncSchema = GenericUpdateSecretSyncFiel
   destinationConfig: AzureAppConfigurationSyncDestinationConfigSchema.optional()
 });
 
-export const AzureAppConfigurationSyncListItemSchema = z.object({
-  name: z.literal("Azure App Configuration"),
-  connection: z.literal(AppConnection.AzureAppConfiguration),
-  destination: z.literal(SecretSync.AzureAppConfiguration),
-  canImportSecrets: z.literal(true)
-});
+export const AzureAppConfigurationSyncListItemSchema = z
+  .object({
+    name: z.literal("Azure App Configuration"),
+    connection: z.literal(AppConnection.AzureAppConfiguration),
+    destination: z.literal(SecretSync.AzureAppConfiguration),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AzureAppConfiguration] }));

backend/src/services/secret-sync/azure-devops/azure-devops-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 export const AzureDevOpsSyncDestinationConfigSchema = z.object({
   devopsProjectId: z
     .string()
@@ -23,10 +25,12 @@ export const AzureDevOpsSyncDestinationConfigSchema = z.object({
 
 const AzureDevOpsSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const AzureDevOpsSyncSchema = BaseSecretSyncSchema(SecretSync.AzureDevOps, AzureDevOpsSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.AzureDevOps),
-  destinationConfig: AzureDevOpsSyncDestinationConfigSchema
-});
+export const AzureDevOpsSyncSchema = BaseSecretSyncSchema(SecretSync.AzureDevOps, AzureDevOpsSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.AzureDevOps),
+    destinationConfig: AzureDevOpsSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AzureDevOps] }));
 
 export const CreateAzureDevOpsSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.AzureDevOps,
@@ -42,9 +46,11 @@ export const UpdateAzureDevOpsSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: AzureDevOpsSyncDestinationConfigSchema.optional()
 });
 
-export const AzureDevOpsSyncListItemSchema = z.object({
-  name: z.literal("Azure DevOps"),
-  connection: z.literal(AppConnection.AzureDevOps),
-  destination: z.literal(SecretSync.AzureDevOps),
-  canImportSecrets: z.literal(false)
-});
+export const AzureDevOpsSyncListItemSchema = z
+  .object({
+    name: z.literal("Azure DevOps"),
+    connection: z.literal(AppConnection.AzureDevOps),
+    destination: z.literal(SecretSync.AzureDevOps),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AzureDevOps] }));

backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const AzureKeyVaultSyncDestinationConfigSchema = z.object({
   vaultBaseUrl: z
     .string()
@@ -20,13 +22,12 @@ const AzureKeyVaultSyncDestinationConfigSchema = z.object({
 
 const AzureKeyVaultSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const AzureKeyVaultSyncSchema = BaseSecretSyncSchema(
-  SecretSync.AzureKeyVault,
-  AzureKeyVaultSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.AzureKeyVault),
-  destinationConfig: AzureKeyVaultSyncDestinationConfigSchema
-});
+export const AzureKeyVaultSyncSchema = BaseSecretSyncSchema(SecretSync.AzureKeyVault, AzureKeyVaultSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.AzureKeyVault),
+    destinationConfig: AzureKeyVaultSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AzureKeyVault] }));
 
 export const CreateAzureKeyVaultSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.AzureKeyVault,
@@ -42,9 +43,11 @@ export const UpdateAzureKeyVaultSyncSchema = GenericUpdateSecretSyncFieldsSchema
   destinationConfig: AzureKeyVaultSyncDestinationConfigSchema.optional()
 });
 
-export const AzureKeyVaultSyncListItemSchema = z.object({
-  name: z.literal("Azure Key Vault"),
-  connection: z.literal(AppConnection.AzureKeyVault),
-  destination: z.literal(SecretSync.AzureKeyVault),
-  canImportSecrets: z.literal(true)
-});
+export const AzureKeyVaultSyncListItemSchema = z
+  .object({
+    name: z.literal("Azure Key Vault"),
+    connection: z.literal(AppConnection.AzureKeyVault),
+    destination: z.literal(SecretSync.AzureKeyVault),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.AzureKeyVault] }));

backend/src/services/secret-sync/bitbucket/bitbucket-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const BitbucketSyncDestinationConfigSchema = z.object({
   repositorySlug: z.string().describe(SecretSyncs.DESTINATION_CONFIG.BITBUCKET.repositorySlug),
   environmentId: z.string().optional().describe(SecretSyncs.DESTINATION_CONFIG.BITBUCKET.environmentId),
@@ -18,10 +20,12 @@ const BitbucketSyncDestinationConfigSchema = z.object({
 
 const BitbucketSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const BitbucketSyncSchema = BaseSecretSyncSchema(SecretSync.Bitbucket, BitbucketSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Bitbucket),
-  destinationConfig: BitbucketSyncDestinationConfigSchema
-});
+export const BitbucketSyncSchema = BaseSecretSyncSchema(SecretSync.Bitbucket, BitbucketSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Bitbucket),
+    destinationConfig: BitbucketSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Bitbucket] }));
 
 export const CreateBitbucketSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Bitbucket,
@@ -37,9 +41,11 @@ export const UpdateBitbucketSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: BitbucketSyncDestinationConfigSchema.optional()
 });
 
-export const BitbucketSyncListItemSchema = z.object({
-  name: z.literal("Bitbucket"),
-  connection: z.literal(AppConnection.Bitbucket),
-  destination: z.literal(SecretSync.Bitbucket),
-  canImportSecrets: z.literal(false)
-});
+export const BitbucketSyncListItemSchema = z
+  .object({
+    name: z.literal("Bitbucket"),
+    connection: z.literal(AppConnection.Bitbucket),
+    destination: z.literal(SecretSync.Bitbucket),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Bitbucket] }));

backend/src/services/secret-sync/camunda/camunda-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const CamundaSyncDestinationConfigSchema = z.object({
   scope: z.string().trim().min(1, "Camunda scope required").describe(SecretSyncs.DESTINATION_CONFIG.CAMUNDA.scope),
   clusterUUID: z
@@ -20,10 +22,12 @@ const CamundaSyncDestinationConfigSchema = z.object({
 
 const CamundaSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const CamundaSyncSchema = BaseSecretSyncSchema(SecretSync.Camunda, CamundaSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Camunda),
-  destinationConfig: CamundaSyncDestinationConfigSchema
-});
+export const CamundaSyncSchema = BaseSecretSyncSchema(SecretSync.Camunda, CamundaSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Camunda),
+    destinationConfig: CamundaSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Camunda] }));
 
 export const CreateCamundaSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Camunda,
@@ -39,9 +43,11 @@ export const UpdateCamundaSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: CamundaSyncDestinationConfigSchema.optional()
 });
 
-export const CamundaSyncListItemSchema = z.object({
-  name: z.literal("Camunda"),
-  connection: z.literal(AppConnection.Camunda),
-  destination: z.literal(SecretSync.Camunda),
-  canImportSecrets: z.literal(true)
-});
+export const CamundaSyncListItemSchema = z
+  .object({
+    name: z.literal("Camunda"),
+    connection: z.literal(AppConnection.Camunda),
+    destination: z.literal(SecretSync.Camunda),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Camunda] }));

backend/src/services/secret-sync/checkly/checkly-sync-schemas.ts

@@ -9,6 +9,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const ChecklySyncDestinationConfigSchema = z.object({
   accountId: z.string().min(1, "Account ID is required").max(255, "Account ID must be less than 255 characters"),
   accountName: z
@@ -26,10 +28,12 @@ const ChecklySyncDestinationConfigSchema = z.object({
 
 const ChecklySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const ChecklySyncSchema = BaseSecretSyncSchema(SecretSync.Checkly, ChecklySyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Checkly),
-  destinationConfig: ChecklySyncDestinationConfigSchema
-});
+export const ChecklySyncSchema = BaseSecretSyncSchema(SecretSync.Checkly, ChecklySyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Checkly),
+    destinationConfig: ChecklySyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Checkly] }));
 
 export const CreateChecklySyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Checkly,
@@ -45,9 +49,11 @@ export const UpdateChecklySyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: ChecklySyncDestinationConfigSchema.optional()
 });
 
-export const ChecklySyncListItemSchema = z.object({
-  name: z.literal("Checkly"),
-  connection: z.literal(AppConnection.Checkly),
-  destination: z.literal(SecretSync.Checkly),
-  canImportSecrets: z.literal(false)
-});
+export const ChecklySyncListItemSchema = z
+  .object({
+    name: z.literal("Checkly"),
+    connection: z.literal(AppConnection.Checkly),
+    destination: z.literal(SecretSync.Checkly),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Checkly] }));

backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-schema.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const CloudflarePagesSyncDestinationConfigSchema = z.object({
   projectName: z
     .string()
@@ -26,10 +28,12 @@ const CloudflarePagesSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets:
 export const CloudflarePagesSyncSchema = BaseSecretSyncSchema(
   SecretSync.CloudflarePages,
   CloudflarePagesSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.CloudflarePages),
-  destinationConfig: CloudflarePagesSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.CloudflarePages),
+    destinationConfig: CloudflarePagesSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.CloudflarePages] }));
 
 export const CreateCloudflarePagesSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.CloudflarePages,
@@ -45,9 +49,11 @@ export const UpdateCloudflarePagesSyncSchema = GenericUpdateSecretSyncFieldsSche
   destinationConfig: CloudflarePagesSyncDestinationConfigSchema.optional()
 });
 
-export const CloudflarePagesSyncListItemSchema = z.object({
-  name: z.literal("Cloudflare Pages"),
-  connection: z.literal(AppConnection.Cloudflare),
-  destination: z.literal(SecretSync.CloudflarePages),
-  canImportSecrets: z.literal(false)
-});
+export const CloudflarePagesSyncListItemSchema = z
+  .object({
+    name: z.literal("Cloudflare Pages"),
+    connection: z.literal(AppConnection.Cloudflare),
+    destination: z.literal(SecretSync.CloudflarePages),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.CloudflarePages] }));

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const CloudflareWorkersSyncDestinationConfigSchema = z.object({
   scriptId: z
     .string()
@@ -28,10 +30,12 @@ const CloudflareWorkersSyncOptionsConfig: TSyncOptionsConfig = { canImportSecret
 export const CloudflareWorkersSyncSchema = BaseSecretSyncSchema(
   SecretSync.CloudflareWorkers,
   CloudflareWorkersSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.CloudflareWorkers),
-  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.CloudflareWorkers),
+    destinationConfig: CloudflareWorkersSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.CloudflareWorkers] }));
 
 export const CreateCloudflareWorkersSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.CloudflareWorkers,
@@ -47,9 +51,11 @@ export const UpdateCloudflareWorkersSyncSchema = GenericUpdateSecretSyncFieldsSc
   destinationConfig: CloudflareWorkersSyncDestinationConfigSchema.optional()
 });
 
-export const CloudflareWorkersSyncListItemSchema = z.object({
-  name: z.literal("Cloudflare Workers"),
-  connection: z.literal(AppConnection.Cloudflare),
-  destination: z.literal(SecretSync.CloudflareWorkers),
-  canImportSecrets: z.literal(false)
-});
+export const CloudflareWorkersSyncListItemSchema = z
+  .object({
+    name: z.literal("Cloudflare Workers"),
+    connection: z.literal(AppConnection.Cloudflare),
+    destination: z.literal(SecretSync.CloudflareWorkers),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.CloudflareWorkers] }));

backend/src/services/secret-sync/databricks/databricks-sync-schemas.ts

@@ -10,16 +10,20 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const DatabricksSyncDestinationConfigSchema = z.object({
   scope: z.string().trim().min(1, "Databricks scope required").describe(SecretSyncs.DESTINATION_CONFIG.DATABRICKS.scope)
 });
 
 const DatabricksSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const DatabricksSyncSchema = BaseSecretSyncSchema(SecretSync.Databricks, DatabricksSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Databricks),
-  destinationConfig: DatabricksSyncDestinationConfigSchema
-});
+export const DatabricksSyncSchema = BaseSecretSyncSchema(SecretSync.Databricks, DatabricksSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Databricks),
+    destinationConfig: DatabricksSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Databricks] }));
 
 export const CreateDatabricksSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Databricks,
@@ -35,9 +39,11 @@ export const UpdateDatabricksSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: DatabricksSyncDestinationConfigSchema.optional()
 });
 
-export const DatabricksSyncListItemSchema = z.object({
-  name: z.literal("Databricks"),
-  connection: z.literal(AppConnection.Databricks),
-  destination: z.literal(SecretSync.Databricks),
-  canImportSecrets: z.literal(false)
-});
+export const DatabricksSyncListItemSchema = z
+  .object({
+    name: z.literal("Databricks"),
+    connection: z.literal(AppConnection.Databricks),
+    destination: z.literal(SecretSync.Databricks),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Databricks] }));

backend/src/services/secret-sync/digital-ocean-app-platform/digital-ocean-app-platform-sync-schemas.ts

@@ -9,6 +9,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const DigitalOceanAppPlatformSyncDestinationConfigSchema = z.object({
   appId: z.string().min(1, "Account ID is required").max(255, "Account ID must be less than 255 characters"),
   appName: z.string().min(1, "Account Name is required").max(255, "Account Name must be less than 255 characters")
@@ -19,10 +21,12 @@ const DigitalOceanAppPlatformSyncOptionsConfig: TSyncOptionsConfig = { canImport
 export const DigitalOceanAppPlatformSyncSchema = BaseSecretSyncSchema(
   SecretSync.DigitalOceanAppPlatform,
   DigitalOceanAppPlatformSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.DigitalOceanAppPlatform),
-  destinationConfig: DigitalOceanAppPlatformSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.DigitalOceanAppPlatform),
+    destinationConfig: DigitalOceanAppPlatformSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.DigitalOceanAppPlatform] }));
 
 export const CreateDigitalOceanAppPlatformSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.DigitalOceanAppPlatform,
@@ -38,9 +42,11 @@ export const UpdateDigitalOceanAppPlatformSyncSchema = GenericUpdateSecretSyncFi
   destinationConfig: DigitalOceanAppPlatformSyncDestinationConfigSchema.optional()
 });
 
-export const DigitalOceanAppPlatformSyncListItemSchema = z.object({
-  name: z.literal("Digital Ocean App Platform"),
-  connection: z.literal(AppConnection.DigitalOcean),
-  destination: z.literal(SecretSync.DigitalOceanAppPlatform),
-  canImportSecrets: z.literal(false)
-});
+export const DigitalOceanAppPlatformSyncListItemSchema = z
+  .object({
+    name: z.literal("Digital Ocean App Platform"),
+    connection: z.literal(AppConnection.DigitalOcean),
+    destination: z.literal(SecretSync.DigitalOceanAppPlatform),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.DigitalOceanAppPlatform] }));

backend/src/services/secret-sync/flyio/flyio-sync-schemas.ts

@@ -10,16 +10,20 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const FlyioSyncDestinationConfigSchema = z.object({
   appId: z.string().trim().min(1, "App required").max(255).describe(SecretSyncs.DESTINATION_CONFIG.FLYIO.appId)
 });
 
 const FlyioSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const FlyioSyncSchema = BaseSecretSyncSchema(SecretSync.Flyio, FlyioSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Flyio),
-  destinationConfig: FlyioSyncDestinationConfigSchema
-});
+export const FlyioSyncSchema = BaseSecretSyncSchema(SecretSync.Flyio, FlyioSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Flyio),
+    destinationConfig: FlyioSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Flyio] }));
 
 export const CreateFlyioSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Flyio,
@@ -35,9 +39,11 @@ export const UpdateFlyioSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: FlyioSyncDestinationConfigSchema.optional()
 });
 
-export const FlyioSyncListItemSchema = z.object({
-  name: z.literal("Fly.io"),
-  connection: z.literal(AppConnection.Flyio),
-  destination: z.literal(SecretSync.Flyio),
-  canImportSecrets: z.literal(false)
-});
+export const FlyioSyncListItemSchema = z
+  .object({
+    name: z.literal("Fly.io"),
+    connection: z.literal(AppConnection.Flyio),
+    destination: z.literal(SecretSync.Flyio),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Flyio] }));

backend/src/services/secret-sync/gcp/gcp-sync-schemas.ts

@@ -10,6 +10,7 @@ import {
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
 import { SecretSync } from "../secret-sync-enums";
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { GCPSecretManagerLocation, GcpSyncScope } from "./gcp-sync-enums";
 
 const GcpSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
@@ -38,10 +39,12 @@ const GcpSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
     )
 ]);
 
-export const GcpSyncSchema = BaseSecretSyncSchema(SecretSync.GCPSecretManager, GcpSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.GCPSecretManager),
-  destinationConfig: GcpSyncDestinationConfigSchema
-});
+export const GcpSyncSchema = BaseSecretSyncSchema(SecretSync.GCPSecretManager, GcpSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.GCPSecretManager),
+    destinationConfig: GcpSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.GCPSecretManager] }));
 
 export const CreateGcpSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.GCPSecretManager,
@@ -57,9 +60,11 @@ export const UpdateGcpSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: GcpSyncDestinationConfigSchema.optional()
 });
 
-export const GcpSyncListItemSchema = z.object({
-  name: z.literal("GCP Secret Manager"),
-  connection: z.literal(AppConnection.GCP),
-  destination: z.literal(SecretSync.GCPSecretManager),
-  canImportSecrets: z.literal(true)
-});
+export const GcpSyncListItemSchema = z
+  .object({
+    name: z.literal("GCP Secret Manager"),
+    connection: z.literal(AppConnection.GCP),
+    destination: z.literal(SecretSync.GCPSecretManager),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.GCPSecretManager] }));

backend/src/services/secret-sync/github/github-sync-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const GitHubSyncDestinationConfigSchema = z
   .discriminatedUnion("scope", [
     z.object({
@@ -55,10 +57,12 @@ const GitHubSyncDestinationConfigSchema = z
 
 const GitHubSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const GitHubSyncSchema = BaseSecretSyncSchema(SecretSync.GitHub, GitHubSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.GitHub),
-  destinationConfig: GitHubSyncDestinationConfigSchema
-});
+export const GitHubSyncSchema = BaseSecretSyncSchema(SecretSync.GitHub, GitHubSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.GitHub),
+    destinationConfig: GitHubSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.GitHub] }));
 
 export const CreateGitHubSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.GitHub,
@@ -74,9 +78,11 @@ export const UpdateGitHubSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: GitHubSyncDestinationConfigSchema.optional()
 });
 
-export const GitHubSyncListItemSchema = z.object({
-  name: z.literal("GitHub"),
-  connection: z.literal(AppConnection.GitHub),
-  destination: z.literal(SecretSync.GitHub),
-  canImportSecrets: z.literal(false)
-});
+export const GitHubSyncListItemSchema = z
+  .object({
+    name: z.literal("GitHub"),
+    connection: z.literal(AppConnection.GitHub),
+    destination: z.literal(SecretSync.GitHub),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.GitHub] }));

backend/src/services/secret-sync/gitlab/gitlab-sync-schemas.ts

@@ -10,6 +10,7 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { GitLabSyncScope } from "./gitlab-sync-enums";
 
 const GitLabSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
@@ -70,10 +71,12 @@ const GitLabSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
 
 const GitLabSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const GitLabSyncSchema = BaseSecretSyncSchema(SecretSync.GitLab, GitLabSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.GitLab),
-  destinationConfig: GitLabSyncDestinationConfigSchema
-});
+export const GitLabSyncSchema = BaseSecretSyncSchema(SecretSync.GitLab, GitLabSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.GitLab),
+    destinationConfig: GitLabSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.GitLab] }));
 
 export const CreateGitLabSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.GitLab,
@@ -89,9 +92,11 @@ export const UpdateGitLabSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: GitLabSyncDestinationConfigSchema.optional()
 });
 
-export const GitLabSyncListItemSchema = z.object({
-  name: z.literal("GitLab"),
-  connection: z.literal(AppConnection.GitLab),
-  destination: z.literal(SecretSync.GitLab),
-  canImportSecrets: z.literal(false)
-});
+export const GitLabSyncListItemSchema = z
+  .object({
+    name: z.literal("GitLab"),
+    connection: z.literal(AppConnection.GitLab),
+    destination: z.literal(SecretSync.GitLab),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.GitLab] }));

backend/src/services/secret-sync/hc-vault/hc-vault-sync-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const HCVaultSyncDestinationConfigSchema = z.object({
   mount: z
     .string()
@@ -33,10 +35,12 @@ const HCVaultSyncDestinationConfigSchema = z.object({
 
 const HCVaultSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const HCVaultSyncSchema = BaseSecretSyncSchema(SecretSync.HCVault, HCVaultSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.HCVault),
-  destinationConfig: HCVaultSyncDestinationConfigSchema
-});
+export const HCVaultSyncSchema = BaseSecretSyncSchema(SecretSync.HCVault, HCVaultSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.HCVault),
+    destinationConfig: HCVaultSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.HCVault] }));
 
 export const CreateHCVaultSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.HCVault,
@@ -52,9 +56,11 @@ export const UpdateHCVaultSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: HCVaultSyncDestinationConfigSchema.optional()
 });
 
-export const HCVaultSyncListItemSchema = z.object({
-  name: z.literal("Hashicorp Vault"),
-  connection: z.literal(AppConnection.HCVault),
-  destination: z.literal(SecretSync.HCVault),
-  canImportSecrets: z.literal(true)
-});
+export const HCVaultSyncListItemSchema = z
+  .object({
+    name: z.literal("Hashicorp Vault"),
+    connection: z.literal(AppConnection.HCVault),
+    destination: z.literal(SecretSync.HCVault),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.HCVault] }));

backend/src/services/secret-sync/heroku/heroku-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const HerokuSyncDestinationConfigSchema = z.object({
   app: z.string().trim().min(1, "App required").describe(SecretSyncs.DESTINATION_CONFIG.HEROKU.app),
   appName: z.string().trim().min(1, "App name required").describe(SecretSyncs.DESTINATION_CONFIG.HEROKU.appName)
@@ -17,10 +19,12 @@ const HerokuSyncDestinationConfigSchema = z.object({
 
 const HerokuSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const HerokuSyncSchema = BaseSecretSyncSchema(SecretSync.Heroku, HerokuSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Heroku),
-  destinationConfig: HerokuSyncDestinationConfigSchema
-});
+export const HerokuSyncSchema = BaseSecretSyncSchema(SecretSync.Heroku, HerokuSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Heroku),
+    destinationConfig: HerokuSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Heroku] }));
 
 export const CreateHerokuSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Heroku,
@@ -36,9 +40,11 @@ export const UpdateHerokuSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: HerokuSyncDestinationConfigSchema.optional()
 });
 
-export const HerokuSyncListItemSchema = z.object({
-  name: z.literal("Heroku"),
-  connection: z.literal(AppConnection.Heroku),
-  destination: z.literal(SecretSync.Heroku),
-  canImportSecrets: z.literal(true)
-});
+export const HerokuSyncListItemSchema = z
+  .object({
+    name: z.literal("Heroku"),
+    connection: z.literal(AppConnection.Heroku),
+    destination: z.literal(SecretSync.Heroku),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Heroku] }));

backend/src/services/secret-sync/humanitec/humanitec-sync-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const HumanitecSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
   z.object({
     scope: z.literal(HumanitecSyncScope.Application).describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.scope),
@@ -27,10 +29,12 @@ const HumanitecSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
 
 const HumanitecSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const HumanitecSyncSchema = BaseSecretSyncSchema(SecretSync.Humanitec, HumanitecSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Humanitec),
-  destinationConfig: HumanitecSyncDestinationConfigSchema
-});
+export const HumanitecSyncSchema = BaseSecretSyncSchema(SecretSync.Humanitec, HumanitecSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Humanitec),
+    destinationConfig: HumanitecSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Humanitec] }));
 
 export const CreateHumanitecSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Humanitec,
@@ -46,9 +50,11 @@ export const UpdateHumanitecSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: HumanitecSyncDestinationConfigSchema.optional()
 });
 
-export const HumanitecSyncListItemSchema = z.object({
-  name: z.literal("Humanitec"),
-  connection: z.literal(AppConnection.Humanitec),
-  destination: z.literal(SecretSync.Humanitec),
-  canImportSecrets: z.literal(false)
-});
+export const HumanitecSyncListItemSchema = z
+  .object({
+    name: z.literal("Humanitec"),
+    connection: z.literal(AppConnection.Humanitec),
+    destination: z.literal(SecretSync.Humanitec),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Humanitec] }));

backend/src/services/secret-sync/laravel-forge/laravel-forge-sync-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const slugValidator = (val: string) => {
   return new RE2("^[a-z0-9.-]+$").test(val) && !new RE2(".[-]$").test(val);
 };
@@ -38,13 +40,12 @@ const LaravelForgeSyncDestinationConfigSchema = z.object({
 
 const LaravelForgeSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const LaravelForgeSyncSchema = BaseSecretSyncSchema(
-  SecretSync.LaravelForge,
-  LaravelForgeSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.LaravelForge),
-  destinationConfig: LaravelForgeSyncDestinationConfigSchema
-});
+export const LaravelForgeSyncSchema = BaseSecretSyncSchema(SecretSync.LaravelForge, LaravelForgeSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.LaravelForge),
+    destinationConfig: LaravelForgeSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.LaravelForge] }));
 
 export const CreateLaravelForgeSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.LaravelForge,
@@ -60,9 +61,11 @@ export const UpdateLaravelForgeSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: LaravelForgeSyncDestinationConfigSchema.optional()
 });
 
-export const LaravelForgeSyncListItemSchema = z.object({
-  name: z.literal("Laravel Forge"),
-  connection: z.literal(AppConnection.LaravelForge),
-  destination: z.literal(SecretSync.LaravelForge),
-  canImportSecrets: z.literal(true)
-});
+export const LaravelForgeSyncListItemSchema = z
+  .object({
+    name: z.literal("Laravel Forge"),
+    connection: z.literal(AppConnection.LaravelForge),
+    destination: z.literal(SecretSync.LaravelForge),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.LaravelForge] }));

backend/src/services/secret-sync/netlify/netlify-sync-schemas.ts

@@ -10,6 +10,7 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { NetlifySyncContext } from "./netlify-sync-constants";
 
 const NetlifySyncDestinationConfigSchema = z.object({
@@ -41,10 +42,12 @@ const NetlifySyncDestinationConfigSchema = z.object({
 
 const NetlifySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const NetlifySyncSchema = BaseSecretSyncSchema(SecretSync.Netlify, NetlifySyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Netlify),
-  destinationConfig: NetlifySyncDestinationConfigSchema
-});
+export const NetlifySyncSchema = BaseSecretSyncSchema(SecretSync.Netlify, NetlifySyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Netlify),
+    destinationConfig: NetlifySyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Netlify] }));
 
 export const CreateNetlifySyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Netlify,
@@ -60,9 +63,11 @@ export const UpdateNetlifySyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: NetlifySyncDestinationConfigSchema.optional()
 });
 
-export const NetlifySyncListItemSchema = z.object({
-  name: z.literal("Netlify"),
-  connection: z.literal(AppConnection.Netlify),
-  destination: z.literal(SecretSync.Netlify),
-  canImportSecrets: z.literal(true)
-});
+export const NetlifySyncListItemSchema = z
+  .object({
+    name: z.literal("Netlify"),
+    connection: z.literal(AppConnection.Netlify),
+    destination: z.literal(SecretSync.Netlify),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Netlify] }));

backend/src/services/secret-sync/northflank/northflank-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const NorthflankSyncDestinationConfigSchema = z.object({
   projectId: z
     .string()
@@ -27,10 +29,12 @@ const NorthflankSyncDestinationConfigSchema = z.object({
 
 const NorthflankSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const NorthflankSyncSchema = BaseSecretSyncSchema(SecretSync.Northflank, NorthflankSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Northflank),
-  destinationConfig: NorthflankSyncDestinationConfigSchema
-});
+export const NorthflankSyncSchema = BaseSecretSyncSchema(SecretSync.Northflank, NorthflankSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Northflank),
+    destinationConfig: NorthflankSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Northflank] }));
 
 export const CreateNorthflankSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Northflank,
@@ -46,9 +50,11 @@ export const UpdateNorthflankSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: NorthflankSyncDestinationConfigSchema.optional()
 });
 
-export const NorthflankSyncListItemSchema = z.object({
-  name: z.literal("Northflank"),
-  connection: z.literal(AppConnection.Northflank),
-  destination: z.literal(SecretSync.Northflank),
-  canImportSecrets: z.literal(true)
-});
+export const NorthflankSyncListItemSchema = z
+  .object({
+    name: z.literal("Northflank"),
+    connection: z.literal(AppConnection.Northflank),
+    destination: z.literal(SecretSync.Northflank),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Northflank] }));

backend/src/services/secret-sync/railway/railway-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const RailwaySyncDestinationConfigSchema = z.object({
   projectId: z
     .string()
@@ -29,10 +31,12 @@ const RailwaySyncDestinationConfigSchema = z.object({
 
 const RailwaySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const RailwaySyncSchema = BaseSecretSyncSchema(SecretSync.Railway, RailwaySyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Railway),
-  destinationConfig: RailwaySyncDestinationConfigSchema
-});
+export const RailwaySyncSchema = BaseSecretSyncSchema(SecretSync.Railway, RailwaySyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Railway),
+    destinationConfig: RailwaySyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Railway] }));
 
 export const CreateRailwaySyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Railway,
@@ -48,9 +52,11 @@ export const UpdateRailwaySyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: RailwaySyncDestinationConfigSchema.optional()
 });
 
-export const RailwaySyncListItemSchema = z.object({
-  name: z.literal("Railway"),
-  connection: z.literal(AppConnection.Railway),
-  destination: z.literal(SecretSync.Railway),
-  canImportSecrets: z.literal(true)
-});
+export const RailwaySyncListItemSchema = z
+  .object({
+    name: z.literal("Railway"),
+    connection: z.literal(AppConnection.Railway),
+    destination: z.literal(SecretSync.Railway),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Railway] }));

backend/src/services/secret-sync/render/render-sync-schemas.ts

@@ -10,6 +10,7 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { RenderSyncScope, RenderSyncType } from "./render-sync-enums";
 
 const RenderSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
@@ -38,10 +39,12 @@ export const RenderSyncSchema = BaseSecretSyncSchema(
   SecretSync.Render,
   RenderSyncOptionsConfig,
   RenderSyncOptionsSchema
-).extend({
-  destination: z.literal(SecretSync.Render),
-  destinationConfig: RenderSyncDestinationConfigSchema
-});
+)
+  .extend({
+    destination: z.literal(SecretSync.Render),
+    destinationConfig: RenderSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Render] }));
 
 export const CreateRenderSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Render,
@@ -59,9 +62,11 @@ export const UpdateRenderSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: RenderSyncDestinationConfigSchema.optional()
 });
 
-export const RenderSyncListItemSchema = z.object({
-  name: z.literal("Render"),
-  connection: z.literal(AppConnection.Render),
-  destination: z.literal(SecretSync.Render),
-  canImportSecrets: z.literal(true)
-});
+export const RenderSyncListItemSchema = z
+  .object({
+    name: z.literal("Render"),
+    connection: z.literal(AppConnection.Render),
+    destination: z.literal(SecretSync.Render),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Render] }));

backend/src/services/secret-sync/supabase/supabase-sync-schemas.ts

@@ -9,6 +9,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const SupabaseSyncDestinationConfigSchema = z.object({
   projectId: z.string().max(255).min(1, "Project ID is required"),
   projectName: z.string().max(255).min(1, "Project Name is required")
@@ -16,10 +18,12 @@ const SupabaseSyncDestinationConfigSchema = z.object({
 
 const SupabaseSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const SupabaseSyncSchema = BaseSecretSyncSchema(SecretSync.Supabase, SupabaseSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Supabase),
-  destinationConfig: SupabaseSyncDestinationConfigSchema
-});
+export const SupabaseSyncSchema = BaseSecretSyncSchema(SecretSync.Supabase, SupabaseSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Supabase),
+    destinationConfig: SupabaseSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Supabase] }));
 
 export const CreateSupabaseSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Supabase,
@@ -35,9 +39,11 @@ export const UpdateSupabaseSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: SupabaseSyncDestinationConfigSchema.optional()
 });
 
-export const SupabaseSyncListItemSchema = z.object({
-  name: z.literal("Supabase"),
-  connection: z.literal(AppConnection.Supabase),
-  destination: z.literal(SecretSync.Supabase),
-  canImportSecrets: z.literal(false)
-});
+export const SupabaseSyncListItemSchema = z
+  .object({
+    name: z.literal("Supabase"),
+    connection: z.literal(AppConnection.Supabase),
+    destination: z.literal(SecretSync.Supabase),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Supabase] }));

backend/src/services/secret-sync/teamcity/teamcity-sync-schemas.ts

@@ -10,6 +10,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const TeamCitySyncDestinationConfigSchema = z.object({
   project: z.string().trim().min(1, "Project required").describe(SecretSyncs.DESTINATION_CONFIG.TEAMCITY.project),
   buildConfig: z.string().trim().optional().describe(SecretSyncs.DESTINATION_CONFIG.TEAMCITY.buildConfig)
@@ -17,10 +19,12 @@ const TeamCitySyncDestinationConfigSchema = z.object({
 
 const TeamCitySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const TeamCitySyncSchema = BaseSecretSyncSchema(SecretSync.TeamCity, TeamCitySyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.TeamCity),
-  destinationConfig: TeamCitySyncDestinationConfigSchema
-});
+export const TeamCitySyncSchema = BaseSecretSyncSchema(SecretSync.TeamCity, TeamCitySyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.TeamCity),
+    destinationConfig: TeamCitySyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.TeamCity] }));
 
 export const CreateTeamCitySyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.TeamCity,
@@ -36,9 +40,11 @@ export const UpdateTeamCitySyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: TeamCitySyncDestinationConfigSchema.optional()
 });
 
-export const TeamCitySyncListItemSchema = z.object({
-  name: z.literal("TeamCity"),
-  connection: z.literal(AppConnection.TeamCity),
-  destination: z.literal(SecretSync.TeamCity),
-  canImportSecrets: z.literal(true)
-});
+export const TeamCitySyncListItemSchema = z
+  .object({
+    name: z.literal("TeamCity"),
+    connection: z.literal(AppConnection.TeamCity),
+    destination: z.literal(SecretSync.TeamCity),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.TeamCity] }));

backend/src/services/secret-sync/terraform-cloud/terraform-cloud-sync-schemas.ts

@@ -14,6 +14,8 @@ import {
   TerraformCloudSyncScope
 } from "@app/services/secret-sync/terraform-cloud/terraform-cloud-sync-enums";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const TerraformCloudSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
   z.object({
     scope: z
@@ -47,13 +49,12 @@ const TerraformCloudSyncDestinationConfigSchema = z.discriminatedUnion("scope",
 
 const TerraformCloudSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 
-export const TerraformCloudSyncSchema = BaseSecretSyncSchema(
-  SecretSync.TerraformCloud,
-  TerraformCloudSyncOptionsConfig
-).extend({
-  destination: z.literal(SecretSync.TerraformCloud),
-  destinationConfig: TerraformCloudSyncDestinationConfigSchema
-});
+export const TerraformCloudSyncSchema = BaseSecretSyncSchema(SecretSync.TerraformCloud, TerraformCloudSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.TerraformCloud),
+    destinationConfig: TerraformCloudSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.TerraformCloud] }));
 
 export const CreateTerraformCloudSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.TerraformCloud,
@@ -69,9 +70,11 @@ export const UpdateTerraformCloudSyncSchema = GenericUpdateSecretSyncFieldsSchem
   destinationConfig: TerraformCloudSyncDestinationConfigSchema.optional()
 });
 
-export const TerraformCloudSyncListItemSchema = z.object({
-  name: z.literal("Terraform Cloud"),
-  connection: z.literal(AppConnection.TerraformCloud),
-  destination: z.literal(SecretSync.TerraformCloud),
-  canImportSecrets: z.literal(false)
-});
+export const TerraformCloudSyncListItemSchema = z
+  .object({
+    name: z.literal("Terraform Cloud"),
+    connection: z.literal(AppConnection.TerraformCloud),
+    destination: z.literal(SecretSync.TerraformCloud),
+    canImportSecrets: z.literal(false)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.TerraformCloud] }));

backend/src/services/secret-sync/vercel/vercel-sync-schemas.ts

@@ -10,6 +10,7 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { VercelEnvironmentType } from "./vercel-sync-enums";
 
 const VercelSyncDestinationConfigSchema = z.object({
@@ -22,10 +23,12 @@ const VercelSyncDestinationConfigSchema = z.object({
 
 const VercelSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const VercelSyncSchema = BaseSecretSyncSchema(SecretSync.Vercel, VercelSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Vercel),
-  destinationConfig: VercelSyncDestinationConfigSchema
-});
+export const VercelSyncSchema = BaseSecretSyncSchema(SecretSync.Vercel, VercelSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Vercel),
+    destinationConfig: VercelSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Vercel] }));
 
 export const CreateVercelSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Vercel,
@@ -41,9 +44,11 @@ export const UpdateVercelSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: VercelSyncDestinationConfigSchema.optional()
 });
 
-export const VercelSyncListItemSchema = z.object({
-  name: z.literal("Vercel"),
-  connection: z.literal(AppConnection.Vercel),
-  destination: z.literal(SecretSync.Vercel),
-  canImportSecrets: z.literal(true)
-});
+export const VercelSyncListItemSchema = z
+  .object({
+    name: z.literal("Vercel"),
+    connection: z.literal(AppConnection.Vercel),
+    destination: z.literal(SecretSync.Vercel),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Vercel] }));

backend/src/services/secret-sync/windmill/windmill-sync-schemas.ts

@@ -11,6 +11,8 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
 const pathCharacterValidator = characterValidator([
   CharacterType.AlphaNumeric,
   CharacterType.Underscore,
@@ -39,10 +41,12 @@ const WindmillSyncDestinationConfigSchema = z.object({
 
 const WindmillSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const WindmillSyncSchema = BaseSecretSyncSchema(SecretSync.Windmill, WindmillSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Windmill),
-  destinationConfig: WindmillSyncDestinationConfigSchema
-});
+export const WindmillSyncSchema = BaseSecretSyncSchema(SecretSync.Windmill, WindmillSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Windmill),
+    destinationConfig: WindmillSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Windmill] }));
 
 export const CreateWindmillSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Windmill,
@@ -58,9 +62,11 @@ export const UpdateWindmillSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: WindmillSyncDestinationConfigSchema.optional()
 });
 
-export const WindmillSyncListItemSchema = z.object({
-  name: z.literal("Windmill"),
-  connection: z.literal(AppConnection.Windmill),
-  destination: z.literal(SecretSync.Windmill),
-  canImportSecrets: z.literal(true)
-});
+export const WindmillSyncListItemSchema = z
+  .object({
+    name: z.literal("Windmill"),
+    connection: z.literal(AppConnection.Windmill),
+    destination: z.literal(SecretSync.Windmill),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Windmill] }));

backend/src/services/secret-sync/zabbix/zabbix-sync-schemas.ts

@@ -10,6 +10,7 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { ZabbixSyncScope } from "./zabbix-sync-enums";
 
 const ZabbixSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
@@ -40,10 +41,12 @@ const ZabbixSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
 
 const ZabbixSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-export const ZabbixSyncSchema = BaseSecretSyncSchema(SecretSync.Zabbix, ZabbixSyncOptionsConfig).extend({
-  destination: z.literal(SecretSync.Zabbix),
-  destinationConfig: ZabbixSyncDestinationConfigSchema
-});
+export const ZabbixSyncSchema = BaseSecretSyncSchema(SecretSync.Zabbix, ZabbixSyncOptionsConfig)
+  .extend({
+    destination: z.literal(SecretSync.Zabbix),
+    destinationConfig: ZabbixSyncDestinationConfigSchema
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Zabbix] }));
 
 export const CreateZabbixSyncSchema = GenericCreateSecretSyncFieldsSchema(
   SecretSync.Zabbix,
@@ -59,9 +62,11 @@ export const UpdateZabbixSyncSchema = GenericUpdateSecretSyncFieldsSchema(
   destinationConfig: ZabbixSyncDestinationConfigSchema.optional()
 });
 
-export const ZabbixSyncListItemSchema = z.object({
-  name: z.literal("Zabbix"),
-  connection: z.literal(AppConnection.Zabbix),
-  destination: z.literal(SecretSync.Zabbix),
-  canImportSecrets: z.literal(true)
-});
+export const ZabbixSyncListItemSchema = z
+  .object({
+    name: z.literal("Zabbix"),
+    connection: z.literal(AppConnection.Zabbix),
+    destination: z.literal(SecretSync.Zabbix),
+    canImportSecrets: z.literal(true)
+  })
+  .describe(JSON.stringify({ title: SECRET_SYNC_NAME_MAP[SecretSync.Zabbix] }));

docs/docs.json

@@ -744,6 +744,7 @@
                     "pages": [
                       "documentation/platform/pki/enrollment-methods/overview",
                       "documentation/platform/pki/enrollment-methods/api",
+                      "documentation/platform/pki/enrollment-methods/acme",
                       "documentation/platform/pki/enrollment-methods/est"
                     ]
                   },
@@ -774,6 +775,8 @@
                 "group": "External CA Integrations",
                 "pages": [
                   "documentation/platform/pki/ca/acme-ca",
+                  "documentation/platform/pki/ca/lets-encrypt",
+                  "documentation/platform/pki/ca/digicert",
                   "documentation/platform/pki/ca/azure-adcs"
                 ]
               }

docs/documentation/getting-started/introduction.mdx

@@ -35,7 +35,7 @@ Infisical consists of several tightly integrated products, each designed to solv
 
 - [Secrets Management](/documentation/platform/secrets-mgmt/overview): Securely store, access, and distribute secrets across environments with fine-grained controls, automatic rotation, and audit logging.
 - [Secrets Scanning](/documentation/platform/secret-scanning/overview): Detect hardcoded secrets in code, CI pipelines, and infrastructure—integrated with GitHub, GitLab, Bitbucket, and more.
-- [Infisical PKI](/documentation/platform/pki/overview): Issue and manage X.509 certificates using protocols like EST, with support for internal and external CAs.
+- [Certificate Management](/documentation/platform/pki/overview): Issue and manage X.509 certificates using protocols like EST, with support for internal and external CAs.
 - [Infisical SSH](/documentation/platform/ssh/overview): Provide short-lived SSH access to servers using certificate-based authentication, replacing static keys with policy-driven, time-bound control.
 - [Infisical KMS](/documentation/platform/kms/overview): Encrypt and decrypt data using centrally managed keys with enforced access policies and full audit visibility.
 - [Infisical PAM](/documentation/platform/pam/overview): Manage access to resources like databases, servers, and accounts with policy-based controls and approvals.

docs/documentation/platform/identities/machine-identities.mdx

@@ -16,15 +16,37 @@ Key Features:
 - Role Assignment: Identities must be assigned [roles](/documentation/platform/access-controls/role-based-access-controls). These roles determine the scope of access to resources, either at the organization level or project level.
 - Auth/Token Configuration: Identities must be configured with corresponding authentication methods and access token properties to securely interact with the Infisical API.
 
+## Scopes
+
+Identities can be created either at the organization-level or the project-level. Outside of identity management and scope of operation, organization and project identities are functionally identical.
+
+- Project identities are managed at the project-level and can only operate within their respective project.
+Project-level identities are useful for organizations that delegate responsibility to autonomous teams via projects.
+
+- Organization identities are managed at the organization-level and can be assigned to one or more projects, as well as
+perform organization-level operations. Organization-level identities are useful for organizations that have cross-project operations.
+
 ## Workflow
 
-A typical workflow for using identities consists of four steps:
+<Tabs>
+    <Tab title="Project Identities">
+        A typical workflow for using project identities consists of three steps:
 
-1. Creating the identity with a name and [role](/documentation/platform/access-controls/role-based-access-controls) in Organization Access Control > Machine Identities.
-   This step also involves configuring an authentication method for it.
-2. Adding the identity to the project(s) you want it to have access to.
-3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
-4. Authenticating subsequent requests with the Infisical API using the short-lived access token.
+        1. Creating the identity with a name and [role](/documentation/platform/access-controls/role-based-access-controls) in Project > Access Control > Machine Identities.
+        This step also involves configuring an authentication method for it.
+        2. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
+        3. Authenticating subsequent requests with the Infisical API using the short-lived access token.
+    </Tab>
+    <Tab title="Organization Identities">
+        A typical workflow for using organization identities consists of four steps:
+
+        1. Creating the identity with a name and [role](/documentation/platform/access-controls/role-based-access-controls) in Organization > Access Control > Machine Identities.
+        This step also involves configuring an authentication method for it.
+        2. Adding the identity to the project(s) you want it to have access to.
+        3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
+        4. Authenticating subsequent requests with the Infisical API using the short-lived access token.
+    </Tab>
+</Tabs>
 
 ## Authentication Methods
 

docs/documentation/platform/pki/ca/acme-ca.mdx

@@ -1,66 +1,63 @@
 ---
 title: "ACME-compatible CA"
-description: "Learn how to automatically provision and manage TLS certificates using ACME Certificate Authorities like Let's Encrypt with Infisical PKI"
+description: "Learn how to connect Infisical to an ACME-compatible CA to issue certificates."
 ---
 
 ## Concept
 
-The Infisical ACME integration allows you to connect with ACME (Automatic Certificate Management Environment) Certificate Authorities to automatically issue and manage publicly trusted TLS certificates for your [subscribers](/documentation/platform/pki/subscribers). This integration enables you to leverage established public CA infrastructure like Let's Encrypt while centralizing your certificate management within Infisical.
+Infisical can connect to any upstream ACME-compatible CA (e.g. Lets's Encrypt, DigiCert, etc.) supporting the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) to issue certificates back to your end-entities. This integration uses the [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method as part of the ACME domain validation challenge workflow for a requested certificate.
 
-ACME is a protocol that automates the process of certificate issuance and renewal through domain validation challenges. The integration is perfect for obtaining trusted X.509 certificates for public-facing services and is capable of automatically renewing certificates as needed.
+The upstream ACME-compatible CA integration lets you connect Infisical to providers by specifying
+their **ACME Directory URL** such as:
+
+- [Let's Encrypt](/documentation/platform/pki/ca/lets-encrypt): `https://acme-v02.api.letsencrypt.org/directory`.
+- [DigiCert](/documentation/platform/pki/ca/digicert): `https://acme.digicert.com/v2/acme/directory`.
+- Google GTS: `https://dv.acme-v02.api.pki.goog/directory`.
+- Buypass: `https://api.buypass.com/acme/directory`.
+- ZeroSSL: `https://acme.zerossl.com/v2/DV90`.
+- SSL.com: `https://acme.ssl.com/sslcom-dv-rsa`.
+
+When Infisical requests a certificate from an ACME-compatible CA, it creates a TXT record at `_acme-challenge.{your-domain}` in your configured DNS provider (e.g. Route53, Cloudflare, etc.); this TXT record contains the challenge token issued by the ACME-compatible CA to validate domain control for the requested certificate.
+The ACME provider checks for the existence of this TXT record to verify domain control before issuing the certificate back to Infisical.
+
+After validation completes successfully, Infisical automatically removes the TXT record from your DNS provider.
 
 <div align="center">
 
 ```mermaid
 graph TD
-    A[ACME CA Provider<br>e.g., Let's Encrypt] <-->|ACME v2 Protocol| B[Infisical]
-    B -->|Creates TXT Records<br>via Route53/Cloudflare| C[DNS Validation]
-    B -->|Manages Certificates| D[Subscribers]
+    A[ACME-compatible CA] <-->|ACME v2 Protocol| B[Infisical]
+    B -->|Creates TXT Records<br>via DNS Provider| C[DNS Validation]
+    B -->|Manages Certificates| D[End-Entities]
 ```
 
 </div>
 
-As part of the workflow, you configure DNS provider credentials, register an ACME CA provider with Infisical, and create subscribers to represent the certificates you wish to issue. Each issued certificate is automatically managed through its lifecycle, including renewal before expiration.
-
-We recommend reading about [ACME protocol](https://tools.ietf.org/html/rfc8555) and [DNS-01 challenges](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for a fuller understanding of the underlying technology.
+We recommend reading about [ACME protocol](https://tools.ietf.org/html/rfc8555) and [DNS-01 challenges](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for a fuller understanding of the underlying workflow.
 
 ## Workflow
 
-A typical workflow for using Infisical with ACME Certificate Authorities consists of the following steps:
+A typical workflow for using Infisical with an external ACME-compatible CA consists of the following steps:
 
-1. Setting up AWS Route53 or Cloudflare credentials with appropriate DNS permissions.
-2. Creating an AWS/Cloudflare connection in Infisical to store the credentials.
-3. Registering an ACME Certificate Authority (like Let's Encrypt) with Infisical.
-4. Creating subscribers that use the ACME CA as their issuing authority.
-5. Managing certificate lifecycle events such as issuance, renewal, and revocation through Infisical.
+1. Setting up your DNS provider (e.g. Route53, Cloudflare, etc.) with appropriate DNS permissions.
+2. Creating an [App Connection](/integrations/app-connections/overview) in Infisical to store credentials for Infisical to connect to your DNS provider and create/remove DNS records as part of the DNS-01 challenge.
+3. Registering an [External CA](/documentation/platform/pki/ca/external-ca) in Infisical with the ACME type and inputting required configuration including the **ACME Directory URL** of the upstream ACME-compatible CA and the **App Connection** for your DNS provider.
 
-## Understanding ACME DNS-01 Challenge
+Once this is complete, you can create a [certificate profile](/documentation/platform/pki/certificates/profiles) linked to the External CA proceed to request a certificate against it.
 
-The DNS-01 challenge is the method used by ACME CA providers to verify that you control a domain before issuing a certificate. Here's how Infisical handles this process:
+## Guide to Connecting Infisical to an ACME-compatible CA
 
-1. **Challenge Request**: When you request a certificate, the ACME provider (like Let's Encrypt) issues a challenge token.
-
-2. **DNS Record Creation**: Infisical creates a TXT record at `_acme-challenge.<YOUR_DOMAIN>` with a value derived from the challenge token.
-
-3. **DNS Propagation**: The TXT record must propagate through the DNS system (usually takes a few minutes, depending on TTL settings).
-
-4. **Validation**: The ACME provider checks for the existence of this TXT record to verify domain control.
-
-5. **Cleanup**: After validation completes successfully, Infisical automatically removes the TXT record from your DNS.
-
-This automated process eliminates the need for manual intervention in domain validation, streamlining certificate issuance.
-
-## Guide
-
-In the following steps, we explore how to set up ACME Certificate Authority integration with Infisical using Let's Encrypt as an example.
+In the following steps, we explore how to connect Infisical to an ACME-compatible CA.
 
 <Steps>
-    <Step title="Create App Connection with Required Permissions">
-        Before proceeding with the ACME CA registration, you need to set up an App Connection with the appropriate permissions for DNS validation:
+    <Step title="Create an App Connection to your DNS provider">
+        Before registering an ACME-compatible CA with Infisical, you need to set up an [App Connection](/integrations/app-connections/overview) with the appropriate permissions for Infisical to perform the DNS-01 challenge with your DNS provider.
+        
+        If you don’t see a specific DNS provider listed below or need a dedicated one, please reach out to sales@infisical.com and we’ll help get that enabled for you.
 
         <Tabs>
             <Tab title="Route53">
-                1. Navigate to your Organization Settings > App Connections and create a new AWS connection.
+                1. Navigate to your Certificate Management Project > App Connections and create a new AWS connection.
 
                 2. Ensure your AWS connection has the following minimum permissions for Route53 DNS validation:
 
@@ -112,7 +109,7 @@ In the following steps, we explore how to set up ACME Certificate Authority inte
                 For detailed instructions on setting up an AWS connection, see the [AWS Connection](/integrations/app-connections/aws) documentation.
             </Tab>
             <Tab title="Cloudflare">
-                1. Navigate to your Organization Settings > App Connections and create a new Cloudflare connection.
+                1. Navigate to your Certificate Management Project > App Connections and create a new Cloudflare connection.
 
                 2. Ensure your Cloudflare token has the following minimum permissions for DNS validation:
 
@@ -125,51 +122,33 @@ In the following steps, we explore how to set up ACME Certificate Authority inte
             </Tab>
         </Tabs>
     </Step>
-    <Step title="Register ACME Certificate Authority">
+    <Step title="Register an ACME-compatible CA">
         <Tabs>
           <Tab title="Infisical UI">
-            <Steps>
-                <Step title="Create ACME CA">
-                    To register an ACME CA, head to your Project > Internal PKI > Certificate Authorities and press the **+** button in the External Certificate Authorities section.
+              To register an ACME-compatible CA, head to your Certificate Management Project > Certificate Authorities > External Certificate Authorities and press **Create CA**.
 
-                    ![pki register external ca](/images/platform/pki/ca/external-ca/create-external-ca-button.png)
+              ![pki register external ca](/images/platform/pki/ca/external-ca/create-external-ca-button.png)
 
-                    Fill out the details for the ACME CA registration:
+              Here, set the **CA Type** to **ACME** and fill out details for it.
 
-                    ![pki register external ca details](/images/platform/pki/ca/external-ca/create-external-ca-form.png)
+              ![pki register external ca details](/images/platform/pki/ca/external-ca/create-external-ca-form.png)
 
-                    Here's guidance on each field:
+              Here's some guidance for each field:
 
-                    - **Type**: Select "ACME" as the External CA type.
-                    - **Name**: Enter a name for the ACME CA (e.g., "lets-encrypt-production").
-                    - **DNS App Connection**: Select from available DNS app connections or configure a new one. This connection provides Infisical with the credentials needed to create and remove DNS records for ACME validation.
-                    - **Zone ID**: Enter the Zone ID for the domain(s) you'll be requesting certificates for.
-                    - **Directory URL**: Enter the ACME v2 directory URL for your chosen CA provider (e.g., `https://acme-v02.api.letsencrypt.org/directory` for Let's Encrypt).
-                    - **Account Email**: Email address to associate with your ACME account. This email will receive important notifications about your certificates.
-                    - **Enable Direct Issuance**: Toggle on to allow direct certificate issuance without requiring subscribers.
-                    - **EAB Key Identifier (KID)**: (Optional) The Key Identifier (KID) provided by your ACME CA for External Account Binding (EAB). This is required by some ACME providers (e.g., ZeroSSL, DigiCert) to link your ACME account to an external account you've pre-registered with them.
-                    - **EAB HMAC Key**: (Optional) The HMAC Key provided by your ACME CA for External Account Binding (EAB). This key is used in conjunction with the KID to prove ownership of the external account during ACME account registration.
+              - Name: A slug-friendly name for the ACME-compatible CA such as `lets-encrypt-production`.
+              - DNS App Connection: The App Connection from Step 1 used for Infisical to connect to your DNS provider and create/remove DNS records as part of the DNS-01 challenge in ACME.
+              - Zone / Zone ID: Enter the Zone / Zone ID for the domain(s) you'll be requesting certificates for.
+              - Directory URL: Enter the **ACME Directory URL** for your desired upstream ACME-compatible CA such as `https://acme-v02.api.letsencrypt.org/directory` for Let's Encrypt.
+              - Account Email: The email address to associate with your ACME account. This email will receive important notifications about your certificates.
+              - EAB Key Identifier (KID): (Optional) The Key Identifier (KID) provided by your ACME CA for External Account Binding (EAB). This is required by some ACME providers (e.g., ZeroSSL, DigiCert) to link your ACME account to an external account you've pre-registered with them.
+              - EAB HMAC Key: (Optional) The HMAC Key provided by your ACME CA for External Account Binding (EAB). This key is used in conjunction with the KID to prove ownership of the external account during ACME account registration.
 
-                    Finally, press **Create** to register the ACME CA with Infisical.
-                </Step>
-                <Step title="Verify ACME CA Registration">
-                    Once registered, your ACME CA will appear in the External Certificate Authorities section.
+              Finally, press **Create** to register the ACME-compatible CA with Infisical.
 
-                    ![pki external ca list](/images/platform/pki/ca/external-ca/external-ca-list.png)
-
-                    From here, you can:
-
-                    - View the status of the ACME CA registration
-                    - Edit the configuration settings
-                    - Disable or re-enable the ACME CA
-                    - Delete the ACME CA registration if no longer needed
-
-                    You can now use this ACME CA to issue certificates for your subscribers.
-                </Step>
-            </Steps>
+              Great! You’ve successfully registered an external ACME-compatible CA with Infisical. Now check out the [Certificates](/documentation/platform/pki/certificates/overview) section to learn more about how to issue X.509 certificates using the ACME-compatible CA.
           </Tab>
           <Tab title="API">
-            To register an ACME CA with Infisical using the API, make a request to the Create External CA endpoint:
+            To register an ACME CA with Infisical using the API, make a request to the [Create External CA](https://infisical.com/docs/api-reference/endpoints/certificate-authorities/acme/create) endpoint:
 
             ### Sample request
 
@@ -227,78 +206,9 @@ In the following steps, we explore how to set up ACME Certificate Authority inte
           </Tab>
         </Tabs>
     </Step>
-    <Step title="Create Subscriber for ACME CA">
-        Next, create a subscriber that uses your ACME CA for certificate issuance. Navigate to your Project > Subscribers and create a new subscriber.
-
-        Configure the subscriber with:
-        - **Issuing CA**: Select your registered ACME CA
-        - **Common Name**: The domain for which you want to issue certificates (e.g., `example.com`)
-        - **Alternative Names**: Additional domains to include in the certificate
-
-        Check out the [Subscribers](/documentation/platform/pki/subscribers) page for detailed instructions on creating and managing subscribers.
-    </Step>
-    <Step title="Issue Certificate">
-        Once your subscriber is configured, you can issue certificates either through the Infisical UI or programmatically via the API.
-
-        When you request a certificate:
-        1. Infisical generates a key pair for the certificate
-        2. Sends a Certificate Signing Request (CSR) to the ACME CA
-        3. Receives a DNS-01 challenge from the ACME provider
-        4. Creates a TXT record in Route53/Cloudflare to satisfy the challenge
-        5. Notifies the ACME provider that the challenge is ready for validation
-        6. Once validated, the ACME provider issues the certificate
-        7. Infisical stores and manages the certificate for your subscriber
-
-        The certificate will be automatically renewed before expiration according to your subscriber configuration.
-    </Step>
-    <Step title="Use Certificate in Your Applications">
-        The issued certificate and private key are now available through Infisical and can be:
-
-        - Downloaded directly from the Infisical UI
-        - Retrieved via the Infisical API for programmatic access using the [latest certificate bundle endpoint](/api-reference/endpoints/certificate-profiles/get-latest-active-bundle)
-    </Step>
 
 </Steps>
 
-## Example: Let's Encrypt Integration
-
-Let's Encrypt is a free, automated, and open Certificate Authority that provides domain-validated SSL/TLS certificates. Here's how the integration works with Infisical:
-
-### Production Environment
-
-- **Directory URL**: `https://acme-v02.api.letsencrypt.org/directory`
-- **Rate Limits**: 50 certificates per registered domain per week
-- **Certificate Validity**: 90 days with automatic renewal
-- **Trusted By**: All major browsers and operating systems
-
-### Staging Environment (for testing)
-
-- **Directory URL**: `https://acme-staging-v02.api.letsencrypt.org/directory`
-- **Rate Limits**: Much higher limits for testing
-- **Certificate Validity**: 90 days (not trusted by browsers)
-- **Use Case**: Testing your ACME integration without hitting production rate limits
-
-<Note>
-  Always test your ACME integration using Let's Encrypt's staging environment
-  first. This allows you to verify your DNS configuration and certificate
-  issuance process without consuming your production rate limits.
-</Note>
-
-## Example: DigiCert Integration
-
-DigiCert is a leading commercial Certificate Authority providing a wide range of trusted SSL/TLS certificates. Infisical can integrate with [DigiCert's ACME](https://docs.digicert.com/en/certcentral/certificate-tools/certificate-lifecycle-automation-guides/third-party-acme-integration/request-and-manage-certificates-with-acme.html) service to automate the provisioning and management of these certificates.
-
-- **Directory URL**: `https://acme.digicert.com/v2/acme/directory`
-- **External Account Binding (EAB)**: Required. You will need a Key Identifier (KID) and HMAC Key from your DigiCert account to register the ACME CA in Infisical.
-- **Certificate Validity**: Typically 90 days, with automatic renewal through Infisical.
-- **Trusted By**: All major browsers and operating systems.
-
-<Note>
-  When integrating with DigiCert ACME, ensure you have obtained the necessary
-  External Account Binding (EAB) Key Identifier (KID) and HMAC Key from your
-  DigiCert account.
-</Note>
-
 ## FAQ
 
 <AccordionGroup>
@@ -325,17 +235,8 @@ DigiCert is a leading commercial Certificate Authority providing a wide range of
     - Reduce the impact of compromised certificates
     - Ensure systems stay up-to-date with certificate management practices
 
-    When configured, Infisical automatically handles certificate renewal for subscribers.
-
   </Accordion>
   <Accordion title="Can I use multiple ACME providers?">
-    Yes! You can register multiple ACME CAs in the same project:
-
-    - Different providers for different domains or use cases
-    - Staging and production environments for the same provider
-    - Backup providers for redundancy
-
-    Each subscriber can be configured to use a specific ACME CA based on your requirements.
-
+    Yes. You can register multiple ACME CAs in the same project.
   </Accordion>
 </AccordionGroup>

docs/documentation/platform/pki/ca/digicert.mdx

@@ -0,0 +1,16 @@
+---
+title: "DigiCert"
+description: "Learn how to connect Infisical to DigiCert to issue certificates."
+---
+
+## Concept
+
+Infisical can connect to [DigiCert](https://www.digicert.com/) using the [ACME-compatible CA integration](/documentation/platform/pki/ca/acme-ca) to issue certificates back to your end-entities.
+
+## Guide to Connecting Infisical to DigiCert CA
+
+To connect Infisical to DigiCert, follow the steps in the [ACME-compatible CA integration](/documentation/platform/pki/ca/acme-ca) guide but use the DigiCert **ACME Directory URL**: `https://acme.digicert.com/v2/acme/directory`.
+
+DigiCert requires **External Account Binding (EAB)** for all ACME registrations. You will need to obtain both a Key Identifier (KID) and an HMAC Key from your DigiCert account before registering the ACME CA in Infisical.
+
+DigiCert typically issues certificates with a 90-day validity period.

docs/documentation/platform/pki/ca/external-ca.mdx

@@ -6,7 +6,7 @@ description: "Learn how to connect External Certificate Authorities with Infisic
 
 ## Concept
 
-Infisical lets you integrate with External Certificate Authorities (CAs), allowing you to use existing PKI infrastructure or connect to public CAs to issue digital certificates for your end-entities.
+Infisical lets you integrate with External Certificate Authorities (CAs), allowing you to use existing PKI infrastructure or connect to public CAs to issue certificates for your end-entities.
 
 <div align="center">
 
@@ -23,7 +23,7 @@ As shown above, these CAs commonly fall under two categories:
 - External Private CAs: CAs like AWS Private CA, HashiCorp Vault PKI, Azure ADCS, etc. that are privately owned and are used to issue certificates for internal services; these are often either cloud-hosted private CAs or on-prem / enterprise CAs.
 - External Public CAs: CAs like Let's Encrypt, DigiCert, GlobalSign, etc. that are publicly trusted and are used to issue certificates for public-facing services.
 
-Note that Infisical can also act as an _ACME client_, allowing you to integrate upstream with any ACME-compatible CA to automate certificate issuance and renewal.
+Note that Infisical can act as an _ACME client_, allowing you to integrate upstream with any [ACME-compatible CA](/documentation/platform/pki/ca/acme-ca) to automate certificate issuance and renewal.
 
 ## Workflow
 

docs/documentation/platform/pki/ca/lets-encrypt.mdx

@@ -0,0 +1,16 @@
+---
+title: "Let's Encrypt"
+description: "Learn how to connect Infisical to Let's Encrypt to issue certificates."
+---
+
+## Concept
+
+Infisical can connect to [Let's Encrypt](https://letsencrypt.org/) using the [ACME-compatible CA integration](/documentation/platform/pki/ca/acme-ca) to issue certificates back to your end-entities.
+
+## Guide to Connecting Infisical to Let's Encrypt CA
+
+To connect Infisical to Let's Encrypt, follow the steps in the [ACME-compatible CA integration](/documentation/platform/pki/ca/acme-ca) guide but use the Let's Encrypt **ACME Directory URL**: `https://acme-v02.api.letsencrypt.org/directory`.
+
+Note that Let’s Encrypt issues 90-day certificates and enforces a limit of 50 certificates per registered domain per week.
+
+We strongly recommend testing your setup against the Let's Encrypt staging environment first at the **ACME Directory URL** `https://acme-staging-v02.api.letsencrypt.org/directory` prior to switching to the production environment. This allows you to verify your DNS configuration and certificate issuance process without consuming production rate limits.

docs/documentation/platform/pki/certificates/certificates.mdx

@@ -22,10 +22,7 @@ where you can manage various aspects of its lifecycle including deployment to cl
 To issue a certificate, you must first create a [certificate profile](/documentation/platform/pki/certificates/profiles) and a [certificate template](/documentation/platform/pki/certificates/templates) to go along with it.
 
 The [enrollment method](/documentation/platform/pki/enrollment-methods/overview) configured on the certificate profile determines how a certificate is issued for it.
-Refer to the documentation for each enrollment method below to learn more about how to issue certificates using it.
-
-- [API](/documentation/platform/pki/enrollment-methods/api): Issue a certificate over UI or by making an API request to Infisical.
-- [EST](/documentation/platform/pki/enrollment-methods/est): Issue a certificate over the EST protocol.
+Refer to the documentation for each enrollment method to learn more about how to issue certificates using it.
 
 ## Guide to Renewing Certificates
 
@@ -49,24 +46,33 @@ Note that server-driven certificate renewal is only available for certificates i
 A certificate can be considered for auto-renewal at time of issuance if the **Enable Auto-Renewal By Default** option is selected on its [certificate profile](/documentation/platform/pki/certificates/profiles) or after issuance by toggling this option manually.
 
 <Info>
-  For server-driven certificate renewal workflows, you can programmatically fetch the latest active certificate bundle for a certificate profile using the [Get Latest Active Certificate Bundle](/api-reference/endpoints/certificate-profiles/get-latest-active-bundle) API endpoint. 
-  
-  This ensures you always retrieve the most current valid certificate, including any that have been automatically renewed, making it particularly useful for deployment pipelines and automation workflows where you don't want to track individual serial numbers.
+  For server-driven certificate renewal workflows, you can programmatically
+  fetch the latest active certificate bundle for a certificate profile using the
+  [Get Latest Active Certificate
+  Bundle](/api-reference/endpoints/certificate-profiles/get-latest-active-bundle)
+  API endpoint. This ensures you always retrieve the most current valid
+  certificate, including any that have been automatically renewed, making it
+  particularly useful for deployment pipelines and automation workflows where
+  you don't want to track individual serial numbers.
 </Info>
 
 The following examples demonstrate different approaches to certificate renewal:
 
-- Using the ACME enrollment method, you may connect an ACME client like [certbot](https://certbot.eff.org/) to fetch back and renew certificates for Apache, Nginx, or other server. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server's configuration.
-- Using the ACME enrollment method, you may use [cert-manager](https://cert-manager.io/) with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
-- Using the API enrollment method, you may push and auto-renew certificates to AWS and Azure using [certificate syncs](/documentation/platform/pki/certificate-syncs/overview). Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.
+- Using the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme), you may connect an ACME client like [certbot](https://certbot.eff.org/) to fetch back and renew certificates for [Apache](/documentation/platform/pki/integration-guides/apache-certbot), [Nginx](/documentation/platform/pki/integration-guides/nginx-certbot), or other server. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server's configuration.
+- Using the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme), you may use [cert-manager](https://cert-manager.io/) with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
+- Using the [API enrollment method](/documentation/platform/pki/enrollment-methods/api), you may push and auto-renew certificates to AWS and Azure using [certificate syncs](/documentation/platform/pki/certificate-syncs/overview). Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.
 
-## Guide to Exporting Certificates
+## Guide to Downloading Certificates
 
-In the following steps, we explore how to export certificates from Infisical in different formats for use in your applications and infrastructure.
+In the following steps, we explore different options for exporting already-issued certificates from Infisical in different formats for use in your applications and infrastructure.
 
-### Accessing the Export Certificate Modal
+### Download Latest Profile Certificate
 
-To export any certificate, first navigate to your project's certificate inventory and locate the certificate you want to export. Click on the **Export Certificate** option from the certificate's action menu.
+You can download the latest certificate issued against a [certificate profile](/documentation/platform/pki/certificates/profiles) using the [latest certificate bundle](/api-reference/endpoints/certificate-profiles/get-latest-active-bundle) endpoint.
+
+### Download Specific Certificate
+
+To export a specific certificate, first navigate to your project's certificate inventory and locate the certificate you want to export. Click on the **Export Certificate** option from the certificate's action menu.
 
 ![pki export certificate option](/images/platform/pki/certificate/cert-export-option.png)
 
@@ -108,6 +114,7 @@ To export any certificate, first navigate to your project's certificate inventor
         ```
       </Step>
     </Steps>
+
   </Tab>
   <Tab title="PKCS12 Format">
     <Steps>
@@ -158,6 +165,7 @@ To export any certificate, first navigate to your project's certificate inventor
         </Info>
       </Step>
     </Steps>
+
   </Tab>
 </Tabs>
 

docs/documentation/platform/pki/certificates/templates.mdx

@@ -7,7 +7,7 @@ sidebarTitle: "Templates"
 
 A certificate template is a policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.
 
-Each certificate requested against a profile is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
+Each certificate requested against a [certificate profile](/documentation/platform/pki/certificates/profiles) is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
 
 ## Guide to Creating a Certificate Template
 

docs/documentation/platform/pki/enrollment-methods/acme.mdx

@@ -3,6 +3,62 @@ title: "Certificate Enrollment via ACME"
 sidebarTitle: "ACME"
 ---
 
-<Info>
-  ACME-based certificate enrollment is currently under development and will be included in a future release.
-</Info>
+## Concept
+
+The ACME enrollment method allows you to issue and manage certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) using the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
+This method is suitable for web servers, load balancers, and other general-purpose servers that can run an [ACME client](https://letsencrypt.org/docs/client-options/) for automated certificate management.
+
+Infisical's ACME enrollment method is based on [RFC 8555](https://datatracker.ietf.org/doc/html/rfc8555/).
+
+## Prerequisites
+
+Install an [ACME client](https://letsencrypt.org/docs/client-options/) onto your server. This client will handle [ACME challenges](https://letsencrypt.org/docs/challenge-types/) and request/renew certificates from Infisical.
+
+## Guide to Certificate Enrollment via ACME
+
+In the following steps, we explore how to issue a X.509 certificate using the ACME enrollment method.
+
+<Steps>
+  <Step title="Create a certificate profile in Infisical">
+    Create a [certificate
+    profile](/documentation/platform/pki/certificates/profiles) with **ACME**
+    selected as the enrollment method.
+
+    ![pki acme config](/images/platform/pki/enrollment-methods/acme/acme-config.png)
+
+  </Step>
+  <Step title="Obtain the ACME configuration">
+    Once you've created the certificate profile, you can obtain its ACME configuration details by clicking the **Reveal ACME EAB** option on the profile.
+    
+    ![pki acme eab config](/images/platform/pki/enrollment-methods/acme/acme-eab.png)
+
+    From the ACME configuration, gather the following values:
+
+    - ACME Directory URL: The URL that the ACME client will use to communicate with Infisical's ACME server.
+    - EAB Key Identifier (KID): A unique identifier that tells Infisical which ACME account is making the request.
+    - EAB Secret: A secret key that authenticates your ACME client with Infisical.
+
+  </Step>
+  <Step title="Configure your ACME client">
+    Provide the **ACME Directory URL**, **EAB KID**, and **EAB Secret** from Step 2 to your ACME client to authenticate with Infisical and request a certificate.
+    
+    For example, if using [Certbot](https://certbot.eff.org/) as an ACME client, you can configure and start requesting certificates with the following command:
+
+    ```bash
+    sudo certbot certonly \
+      --standalone \
+      --server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
+      --eab-kid "your-eab-kid" \
+      --eab-hmac-key "your-eab-secret" \
+      -d example.infisical.com \
+      --email admin@example.com \
+      --agree-tos \
+      --non-interactive
+    ```
+
+    Certbot stores the private key and resulting leaf certificate and full certificate chain in `/etc/letsencrypt/live/{domain-name}/`.
+
+    For client-specific setup and usage instructions, refer to the documentation for your ACME client.
+
+  </Step>
+</Steps>

docs/documentation/platform/pki/enrollment-methods/api.mdx

@@ -5,7 +5,7 @@ sidebarTitle: "API"
 
 ## Concept
 
-The API enrollment method allows you to issue certificates against a specific certificate profile over Web UI or by making an API request to Infisical.
+The API enrollment method allows you to issue certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) over Web UI or by making an API request to Infisical.
 
 ## Guide to Certificate Enrollment via API
 
@@ -15,7 +15,7 @@ In the following steps, we explore how to issue a X.509 certificate using the AP
   <Tab title="Infisical UI">
 
 <Steps>
-  <Step title="Create a certificate profile">
+  <Step title="Create a certificate profile in Infisical">
   Create a [certificate
     profile](/documentation/platform/pki/certificates/profiles) with **API**
     selected as the enrollment method.
@@ -54,7 +54,7 @@ Here, select the certificate profile from step 1 that will be used to issue the
   <Tab title="API">
 
 <Steps>
-  <Step title="Create a certificate profile">
+  <Step title="Create a certificate profile in Infisical">
 
     To create a certificate [profile](/documentation/platform/pki/certificates/profiles), make an API request to the [Create Certificate Profile](/api-reference/endpoints/certificate-profiles/create) API endpoint.