From 02dd4be603908da462ccabede5849bd6f67d08e3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:06:54 +0530
Subject: [PATCH 001/117] feat: add DynamicSecret and DynamicSecretLease models
 with related fields and events

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 ...namicsecret_dynamicsecretlease_and_more.py |  59 ++++++
 ...dynamicsecretlease_credentials_and_more.py |  76 +++++++
 ...amicsecretlease_cleanup_job_id_and_more.py |  24 +++
 backend/api/models.py                         | 186 ++++++++++++++++--
 4 files changed, 332 insertions(+), 13 deletions(-)
 create mode 100644 backend/api/migrations/0106_dynamicsecret_dynamicsecretlease_and_more.py
 create mode 100644 backend/api/migrations/0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more.py
 create mode 100644 backend/api/migrations/0108_dynamicsecretlease_cleanup_job_id_and_more.py

diff --git a/backend/api/migrations/0106_dynamicsecret_dynamicsecretlease_and_more.py b/backend/api/migrations/0106_dynamicsecret_dynamicsecretlease_and_more.py
new file mode 100644
index 000000000..afa21edf2
--- /dev/null
+++ b/backend/api/migrations/0106_dynamicsecret_dynamicsecretlease_and_more.py
@@ -0,0 +1,59 @@
+# Generated by Django 4.2.22 on 2025-08-20 08:11
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0105_environmentkey_unique_envkey_user_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DynamicSecret',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+                ('description', models.TextField(blank=True)),
+                ('path', models.TextField(default='/')),
+                ('default_ttl', models.DurationField(help_text='Default TTL for leases (must be <= max_ttl).')),
+                ('max_ttl', models.DurationField(help_text='Maximum allowed TTL for leases.')),
+                ('provider', models.CharField(choices=[('aws', 'AWS')], help_text='Which provider this secret is associated with.', max_length=50)),
+                ('config', models.JSONField()),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('authentication', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='api.providercredentials')),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('folder', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='api.secretfolder')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='DynamicSecretLease',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+                ('description', models.TextField(blank=True)),
+                ('ttl', models.DurationField()),
+                ('status', models.CharField(choices=[('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='active', help_text='Current status of the lease', max_length=50)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('renewed_at', models.DateTimeField(null=True)),
+                ('expires_at', models.DateTimeField(null=True)),
+                ('revoked_at', models.DateTimeField(null=True)),
+                ('deleted_at', models.DateTimeField(null=True)),
+                ('organisation_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.organisationmember')),
+                ('secret', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='leases', to='api.dynamicsecret')),
+                ('service_account', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.serviceaccount')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='DynamicSecretLeaseEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('lease', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.dynamicsecretlease')),
+            ],
+        ),
+    ]
diff --git a/backend/api/migrations/0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more.py b/backend/api/migrations/0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more.py
new file mode 100644
index 000000000..f2647489a
--- /dev/null
+++ b/backend/api/migrations/0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more.py
@@ -0,0 +1,76 @@
+# Generated by Django 4.2.22 on 2025-08-26 09:16
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0106_dynamicsecret_dynamicsecretlease_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='dynamicsecret',
+            name='key_map',
+            field=models.JSONField(default=list, help_text="Provider-agnostic mapping of keys: [{'id': '<key_id>', 'name': '<key_name>'}, ...]"),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretlease',
+            name='credentials',
+            field=models.JSONField(default=list),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='created_at',
+            field=models.DateTimeField(auto_now_add=True, default=django.utils.timezone.now),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='event_type',
+            field=models.CharField(choices=[('created', 'Created'), ('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='created', max_length=50),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='ip_address',
+            field=models.GenericIPAddressField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='metadata',
+            field=models.JSONField(blank=True, default=dict),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='organisation_member',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='lease_events', to='api.organisationmember'),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='service_account',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='lease_events', to='api.serviceaccount'),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='user_agent',
+            field=models.TextField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretlease',
+            name='status',
+            field=models.CharField(choices=[('created', 'Created'), ('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='active', help_text='Current status of the lease', max_length=50),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretleaseevent',
+            name='id',
+            field=models.BigAutoField(primary_key=True, serialize=False),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretleaseevent',
+            name='lease',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='events', to='api.dynamicsecretlease'),
+        ),
+    ]
diff --git a/backend/api/migrations/0108_dynamicsecretlease_cleanup_job_id_and_more.py b/backend/api/migrations/0108_dynamicsecretlease_cleanup_job_id_and_more.py
new file mode 100644
index 000000000..76b0c149e
--- /dev/null
+++ b/backend/api/migrations/0108_dynamicsecretlease_cleanup_job_id_and_more.py
@@ -0,0 +1,24 @@
+# Generated by Django 4.2.22 on 2025-08-28 08:49
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='dynamicsecretlease',
+            name='cleanup_job_id',
+            field=models.TextField(default=uuid.uuid4),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretlease',
+            name='credentials',
+            field=models.JSONField(default=dict),
+        ),
+    ]
diff --git a/backend/api/models.py b/backend/api/models.py
index e71b18ac8..1b3a5eb86 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -17,7 +17,7 @@
     can_add_environment,
     can_add_service_token,
 )
-
+from django.core.exceptions import ValidationError
 
 CLOUD_HOSTED = settings.APP_HOST == "cloud"
 
@@ -609,12 +609,12 @@ class Meta:
         ]
 
     def delete(self, *args, **kwargs):
-      env = self.environment
-      super().delete(*args, **kwargs)
-      # Update the 'updated_at' timestamp of the associated Environment
-      if env:
-          env.updated_at = timezone.now()
-          env.save()
+        env = self.environment
+        super().delete(*args, **kwargs)
+        # Update the 'updated_at' timestamp of the associated Environment
+        if env:
+            env.updated_at = timezone.now()
+            env.save()
 
 
 class SecretTag(models.Model):
@@ -651,15 +651,175 @@ def save(self, *args, **kwargs):
             self.environment.updated_at = timezone.now()
             self.environment.save()
 
+    def delete(self, *args, **kwargs):
+        env = self.environment
+        super().delete(*args, **kwargs)
+        # Update the 'updated_at' timestamp of the associated Environment
+        if env:
+            env.updated_at = timezone.now()
+            env.save()
+
+
+class DynamicSecret(models.Model):
+
+    PROVIDER_CHOICES = [("aws", "AWS")]
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    name = models.TextField()
+    description = models.TextField(blank=True)
+    environment = models.ForeignKey(Environment, on_delete=models.CASCADE)
+    folder = models.ForeignKey(SecretFolder, on_delete=models.CASCADE, null=True)
+    path = models.TextField(default="/")
+    default_ttl = models.DurationField(
+        help_text="Default TTL for leases (must be <= max_ttl)."
+    )
+    max_ttl = models.DurationField(help_text="Maximum allowed TTL for leases.")
+    authentication = models.ForeignKey(
+        ProviderCredentials, on_delete=models.SET_NULL, null=True
+    )
+    provider = models.CharField(
+        max_length=50,
+        choices=PROVIDER_CHOICES,
+        help_text="Which provider this secret is associated with.",
+    )
+    config = models.JSONField()
+    key_map = models.JSONField(
+        help_text="Provider-agnostic mapping of keys: "
+        "[{'id': '<key_id>', 'name': '<key_name>'}, ...]",
+        default=list,
+    )
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+    deleted_at = models.DateTimeField(blank=True, null=True)
+
+    def save(self, *args, **kwargs):
+        # Call the "real" save() method to save the Secret
+        super().save(*args, **kwargs)
+
+        # Update the 'updated_at' timestamp of the associated Environment
+        if self.environment:
+            self.environment.updated_at = timezone.now()
+            self.environment.save()
 
     def delete(self, *args, **kwargs):
-      env = self.environment
-      super().delete(*args, **kwargs)
-      # Update the 'updated_at' timestamp of the associated Environment
-      if env:
-          env.updated_at = timezone.now()
-          env.save()
+        env = self.environment
+        super().delete(*args, **kwargs)
+        # Update the 'updated_at' timestamp of the associated Environment
+        if env:
+            env.updated_at = timezone.now()
+            env.save()
+
+
+class DynamicSecretLease(models.Model):
+
+    CREATED = "created"
+    ACTIVE = "active"
+    RENEWED = "renewed"
+    REVOKED = "revoked"
+    EXPIRED = "expired"
+
+    STATUS_OPTIONS = [
+        (CREATED, "Created"),
+        (ACTIVE, "Active"),
+        (RENEWED, "Renewed"),
+        (REVOKED, "Revoked"),
+        (EXPIRED, "Expired"),
+    ]
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    name = models.TextField()
+    description = models.TextField(blank=True)
+    secret = models.ForeignKey(
+        DynamicSecret, on_delete=models.CASCADE, related_name="leases"
+    )
+    organisation_member = models.ForeignKey(
+        OrganisationMember, null=True, blank=True, on_delete=models.CASCADE
+    )
+    service_account = models.ForeignKey(
+        ServiceAccount, null=True, blank=True, on_delete=models.CASCADE
+    )
+    ttl = models.DurationField()
+    status = models.CharField(
+        max_length=50,
+        choices=STATUS_OPTIONS,
+        default=ACTIVE,
+        help_text="Current status of the lease",
+    )
+    credentials = models.JSONField(
+        default=dict,
+    )
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    renewed_at = models.DateTimeField(null=True)
+    expires_at = models.DateTimeField(null=True)
+    revoked_at = models.DateTimeField(null=True)
+    deleted_at = models.DateTimeField(null=True)
+    cleanup_job_id = models.TextField(default=uuid4)
+
+    def clean(self):
+        """
+        Ensure only one of organisation_member or service_account is set.
+        """
+        if not (self.organisation_member or self.service_account):
+            raise ValidationError(
+                "Must set either organisation_member or service_account"
+            )
+        if self.organisation_member and self.service_account:
+            raise ValidationError(
+                "Only one of organisation_member or service_account may be set"
+            )
+
+    def get_account(self):
+        """
+        Return whichever account is associated with this lease.
+        """
+        return self.organisation_member or self.service_account
+
+
+class DynamicSecretLeaseEvent(models.Model):
+
+    EVENT_TYPES = DynamicSecretLease.STATUS_OPTIONS
+
+    id = models.BigAutoField(primary_key=True)
+    lease = models.ForeignKey(
+        DynamicSecretLease, on_delete=models.CASCADE, related_name="events"
+    )
+    event_type = models.CharField(
+        max_length=50, choices=EVENT_TYPES, default=DynamicSecretLease.CREATED
+    )
+    organisation_member = models.ForeignKey(
+        OrganisationMember,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="lease_events",
+    )
+    service_account = models.ForeignKey(
+        ServiceAccount,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="lease_events",
+    )
+    ip_address = models.GenericIPAddressField(null=True, blank=True)
+    user_agent = models.TextField(blank=True, null=True)
+    metadata = models.JSONField(default=dict, blank=True)
+    created_at = models.DateTimeField(auto_now_add=True)
+
+    def clean(self):
+        """
+        Ensure only one of organisation_member or service_account is set.
+        """
+        if not (self.organisation_member or self.service_account):
+            raise ValidationError(
+                "Must set either organisation_member or service_account"
+            )
+        if self.organisation_member and self.service_account:
+            raise ValidationError(
+                "Only one of organisation_member or service_account may be set"
+            )
 
+    def get_actor(self):
+        return self.organisation_member or self.service_account
 
 
 class SecretEvent(models.Model):

From 7dbe60d04c6599c7b4aeef6afdbf7f40827aab39 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:28:33 +0530
Subject: [PATCH 002/117] feat: backend utils, resolvers and types

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/schema.py                     |  45 +-
 .../secrets/dynamic/aws/graphene/mutations.py | 212 ++++++
 .../secrets/dynamic/aws/graphene/types.py     |  18 +
 .../integrations/secrets/dynamic/aws/utils.py | 601 ++++++++++++++++++
 .../secrets/dynamic/graphene/mutations.py     | 228 +++++++
 .../secrets/dynamic/graphene/queries.py       |  85 +++
 .../secrets/dynamic/graphene/types.py         |  90 +++
 .../integrations/secrets/dynamic/providers.py |  65 ++
 .../ee/integrations/secrets/dynamic/utils.py  |  48 ++
 9 files changed, 1390 insertions(+), 2 deletions(-)
 create mode 100644 backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/aws/graphene/types.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/aws/utils.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/graphene/mutations.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/graphene/queries.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/graphene/types.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/providers.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/utils.py

diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 66a34f6f1..8bd2e4943 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -5,6 +5,24 @@
 from api.utils.syncing.gitlab.main import GitLabGroupType, GitLabProjectType
 from api.utils.syncing.railway.main import RailwayProjectType
 from api.utils.syncing.render.main import RenderEnvGroupType, RenderServiceType
+from ee.integrations.secrets.dynamic.graphene.mutations import (
+    DeleteDynamicSecretMutation,
+    LeaseDynamicSecret,
+    RenewLeaseMutation,
+    RevokeLeaseMutation,
+)
+from ee.integrations.secrets.dynamic.graphene.types import (
+    DynamicSecretProviderType,
+    DynamicSecretType,
+)
+from ee.integrations.secrets.dynamic.aws.graphene.mutations import (
+    CreateAWSDynamicSecretMutation,
+    UpdateAWSDynamicSecretMutation,
+)
+from ee.integrations.secrets.dynamic.graphene.queries import (
+    resolve_dynamic_secret_providers,
+    resolve_dynamic_secrets,
+)
 from backend.graphene.mutations.service_accounts import (
     CreateServiceAccountMutation,
     CreateServiceAccountTokenMutation,
@@ -33,7 +51,7 @@
     StripeSubscriptionDetails,
     resolve_stripe_checkout_details,
     resolve_stripe_subscription_details,
-    resolve_stripe_customer_portal_url
+    resolve_stripe_customer_portal_url,
 )
 from ee.billing.graphene.mutations.stripe import (
     CancelSubscriptionMutation,
@@ -389,7 +407,19 @@ class Query(graphene.ObjectType):
         StripeSubscriptionDetails, organisation_id=graphene.ID()
     )
 
-    stripe_customer_portal_url = graphene.String(organisation_id=graphene.ID(required=True))
+    stripe_customer_portal_url = graphene.String(
+        organisation_id=graphene.ID(required=True)
+    )
+
+    # Dynamic secrets
+    dynamic_secret_providers = graphene.List(DynamicSecretProviderType)
+    dynamic_secrets = graphene.List(
+        DynamicSecretType,
+        secret_id=graphene.ID(required=False),
+        app_id=graphene.ID(required=False),
+        env_id=graphene.ID(required=False),
+        org_id=graphene.ID(),
+    )
 
     # --------------------------------------------------------------------
 
@@ -437,6 +467,9 @@ class Query(graphene.ObjectType):
         resolve_validate_aws_assume_role_credentials
     )
 
+    resolve_dynamic_secret_providers = resolve_dynamic_secret_providers
+    resolve_dynamic_secrets = resolve_dynamic_secrets
+
     def resolve_organisations(root, info):
         memberships = OrganisationMember.objects.filter(
             user=info.context.user, deleted_at=None
@@ -1015,5 +1048,13 @@ class Mutation(graphene.ObjectType):
     create_setup_intent = CreateSetupIntentMutation.Field()
     set_default_payment_method = SetDefaultPaymentMethodMutation.Field()
 
+    # Dynamic Secrets
+    create_aws_dynamic_secret = CreateAWSDynamicSecretMutation.Field()
+    update_aws_dynamic_secret = UpdateAWSDynamicSecretMutation.Field()
+    delete_dynamic_secret = DeleteDynamicSecretMutation.Field()
+    create_dynamic_secret_lease = LeaseDynamicSecret.Field()
+    renew_dynamic_secret_lease = RenewLeaseMutation.Field()
+    revoke_dynamic_secret_lease = RevokeLeaseMutation.Field()
+
 
 schema = graphene.Schema(query=Query, mutation=Mutation)
diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
new file mode 100644
index 000000000..80bffe505
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -0,0 +1,212 @@
+from api.utils.access.permissions import (
+    user_can_access_environment,
+    user_has_permission,
+    user_is_org_member,
+)
+from api.utils.secrets import create_environment_folder_structure
+from ee.integrations.secrets.dynamic.aws.graphene.types import (
+    AwsCredentialsType,
+)
+from ee.integrations.secrets.dynamic.graphene.types import (
+    DynamicSecretLeaseType,
+    DynamicSecretType,
+    KeyMapInput,
+)
+from ee.integrations.secrets.dynamic.aws.utils import (
+    create_dynamic_secret,
+    create_aws_dynamic_secret_lease,
+)
+from datetime import timedelta
+import graphene
+from graphql import GraphQLError
+from django.core.exceptions import ValidationError
+from api.models import (
+    DynamicSecret,
+    Organisation,
+    Environment,
+    OrganisationMember,
+    ProviderCredentials,
+)
+from graphene.types.generic import GenericScalar
+
+
+class AWSConfigInput(graphene.InputObjectType):
+    username_template = graphene.String(required=True)
+    iam_path = graphene.String(required=False, default_value="/")
+    permission_boundary_arn = graphene.String(required=False)
+    groups = graphene.List(graphene.String)
+    policy_arns = graphene.List(graphene.String)
+    policy_document = GenericScalar(required=False)
+
+
+class CreateAWSDynamicSecretMutation(graphene.Mutation):
+    class Arguments:
+        organisation_id = graphene.ID(required=True)
+        environment_id = graphene.ID(required=True)
+        name = graphene.String(required=True)
+        description = graphene.String(required=False)
+        path = graphene.String(required=False)
+        default_ttl = graphene.Int()  # seconds
+        max_ttl = graphene.Int()  # seconds
+        authentication_id = graphene.ID(required=False)
+        config = AWSConfigInput(required=True)
+        key_map = graphene.List(KeyMapInput, required=True)
+
+    dynamic_secret = graphene.Field(DynamicSecretType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        organisation_id,
+        environment_id,
+        name,
+        config,
+        key_map,
+        description="",
+        path="/",
+        default_ttl=None,
+        max_ttl=None,
+        authentication_id=None,
+    ):
+        user = info.context.user
+
+        # --- permission checks ---
+        if not user_is_org_member(user.userId, organisation_id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        org = Organisation.objects.get(id=organisation_id)
+
+        if not user_has_permission(user, "create", "Secrets", org, True):
+            raise GraphQLError("You don't have permission to create Dynamic Secrets")
+
+        if not user_can_access_environment(user.userId, environment_id):
+            raise GraphQLError("You don't have access to this environment")
+
+        env = Environment.objects.get(id=environment_id)
+
+        if not env.app.sse_enabled:
+            raise GraphQLError("SSE is not enabled!")
+
+        folder = None
+        if path and path != "/":
+            folder = create_environment_folder_structure(path, environment_id)
+
+        authentication = None
+        if authentication_id:
+            try:
+                authentication = ProviderCredentials.objects.get(
+                    id=authentication_id, organisation=org
+                )
+            except ProviderCredentials.DoesNotExist:
+                raise GraphQLError("Invalid authentication credentials")
+
+        # --- create secret ---
+
+        try:
+            dynamic_secret = create_dynamic_secret(
+                environment=Environment.objects.get(id=environment_id),
+                folder=folder,
+                name=name,
+                description=description,
+                default_ttl=timedelta(seconds=default_ttl),
+                max_ttl=timedelta(seconds=max_ttl),
+                authentication=authentication,
+                provider="aws",
+                config=config,
+                key_map=key_map,
+            )
+        except ValidationError as e:
+            raise GraphQLError(e.message)
+
+        return CreateAWSDynamicSecretMutation(dynamic_secret=dynamic_secret)
+
+
+class UpdateAWSDynamicSecretMutation(graphene.Mutation):
+    class Arguments:
+        dynamic_secret_id = graphene.ID(required=True)
+        organisation_id = graphene.ID(required=True)
+        name = graphene.String(required=True)
+        description = graphene.String(required=False)
+        path = graphene.String(required=False)
+        default_ttl = graphene.Int()  # seconds
+        max_ttl = graphene.Int()  # seconds
+        authentication_id = graphene.ID(required=False)
+        config = AWSConfigInput(required=True)
+        key_map = graphene.List(KeyMapInput, required=True)
+
+    dynamic_secret = graphene.Field(DynamicSecretType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        dynamic_secret_id,
+        organisation_id,
+        name,
+        config,
+        key_map,
+        description="",
+        path=None,
+        default_ttl=None,
+        max_ttl=None,
+        authentication_id=None,
+    ):
+        user = info.context.user
+
+        # --- permission checks ---
+        if not user_is_org_member(user.userId, organisation_id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        org = Organisation.objects.get(id=organisation_id)
+
+        dynamic_secret = DynamicSecret.objects.get(id=dynamic_secret_id)
+
+        env = Environment.objects.get(id=dynamic_secret.environment.id)
+
+        if not user_has_permission(user, "update", "Secrets", org, True):
+            raise GraphQLError("You don't have permission to update Dynamic Secrets")
+
+        if not user_can_access_environment(user.userId, dynamic_secret.environment.id):
+            raise GraphQLError("You don't have access to this environment")
+
+        if not env.app.sse_enabled:
+            raise GraphQLError("SSE is not enabled!")
+
+        folder = None
+        if path is not None and path != "/":
+            folder = create_environment_folder_structure(
+                path, dynamic_secret.environment.id
+            )
+
+        authentication = None
+        if authentication_id:
+            try:
+                authentication = ProviderCredentials.objects.get(
+                    id=authentication_id, organisation=org
+                )
+            except ProviderCredentials.DoesNotExist:
+                raise GraphQLError("Invalid authentication credentials")
+
+        # --- update secret fields ---
+        dynamic_secret.name = name
+        dynamic_secret.description = description
+        if folder is not None:
+            dynamic_secret.folder = folder
+        dynamic_secret.default_ttl = (
+            timedelta(seconds=default_ttl) if default_ttl else None
+        )
+        dynamic_secret.max_ttl = timedelta(seconds=max_ttl) if max_ttl else None
+        dynamic_secret.authentication = authentication
+        dynamic_secret.config = config
+        dynamic_secret.key_map = key_map
+
+        try:
+            # dynamic_secret.full_clean()
+            dynamic_secret.save()
+        except ValidationError as e:
+            raise GraphQLError(f"Validation error:{e}")
+
+        return UpdateAWSDynamicSecretMutation(dynamic_secret=dynamic_secret)
diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py
new file mode 100644
index 000000000..81146a824
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py
@@ -0,0 +1,18 @@
+import graphene
+
+from graphene.types.generic import GenericScalar  # JSON-safe scalar
+
+
+class AWSConfigType(graphene.ObjectType):
+    username_template = graphene.String(required=True)
+    iam_path = graphene.String(required=False, default_value="/")
+    permission_boundary_arn = graphene.String(required=False)
+    groups = graphene.List(graphene.String, required=False)
+    policy_arns = graphene.List(graphene.String, required=False)
+    policy_document = GenericScalar(required=False)  # JSON object
+
+
+class AwsCredentialsType(graphene.ObjectType):
+    access_key_id = graphene.String()
+    secret_access_key = graphene.String()
+    username = graphene.String()
diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
new file mode 100644
index 000000000..7b53cdb4e
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -0,0 +1,601 @@
+from django.utils import timezone
+from django.core.exceptions import ValidationError
+from uuid import uuid4
+from api.models import DynamicSecret
+from api.utils.crypto import decrypt_asymmetric, encrypt_asymmetric, get_server_keypair
+from api.utils.syncing.aws.auth import get_aws_sts_session
+from api.utils.secrets import get_environment_keys
+from backend.utils.secrets import get_secret
+from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
+import logging
+from datetime import datetime, timedelta
+import boto3
+from botocore.exceptions import ClientError, BotoCoreError
+from api.models import DynamicSecret, DynamicSecretLease
+import string
+import random
+import re
+import django_rq
+
+
+logger = logging.getLogger(__name__)
+
+
+def generate_random_string(length=8):
+    """Generate random alphanumeric suffix."""
+    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))
+
+
+def render_username_template(template: str) -> str:
+    """
+    Render a username template by replacing {{ random }} placeholders.
+
+    Examples:
+        'prefix-{{ random }}' -> 'prefix-x8f2k9'
+        '{{ random }}-suffix' -> 'q1z9xk-suffix'
+        'plain-username'      -> 'plain-username'
+    """
+
+    def replace_placeholder(match):
+        return generate_random_string(
+            random.randint(6, 18)
+        )  # random length between 6–18
+
+    return re.sub(r"\{\{\s*random\s*\}\}", replace_placeholder, template)
+
+
+def get_aws_access_key_credentials(provider_credentials):
+    """
+    Get AWS integration Access Key credentials from ProviderCredentials object.
+
+    Args:
+        provider_credentials: ProviderCredentials object with access key credentials
+
+    Returns:
+        dict: Decrypted credentials containing access_key_id, secret_access_key, and region
+    """
+    pk, sk = get_server_keypair()
+
+    access_key_id = decrypt_asymmetric(
+        provider_credentials.credentials["access_key_id"], sk.hex(), pk.hex()
+    )
+    secret_access_key = decrypt_asymmetric(
+        provider_credentials.credentials["secret_access_key"],
+        sk.hex(),
+        pk.hex(),
+    )
+    region = decrypt_asymmetric(
+        provider_credentials.credentials["region"], sk.hex(), pk.hex()
+    )
+
+    return {
+        "access_key_id": access_key_id,
+        "secret_access_key": secret_access_key,
+        "region": region,
+    }
+
+
+def get_aws_assume_role_credentials(provider_credentials):
+    """
+    Get AWS integratio Assume Role credentials from ProviderCredentials object.
+
+    Args:
+        provider_credentials: ProviderCredentials object with assume role credentials
+
+    Returns:
+        dict: Decrypted credentials containing role_arn, region, and external_id
+    """
+    pk, sk = get_server_keypair()
+
+    role_arn = decrypt_asymmetric(
+        provider_credentials.credentials["role_arn"], sk.hex(), pk.hex()
+    )
+
+    region = None
+    if "region" in provider_credentials.credentials:
+        region = decrypt_asymmetric(
+            provider_credentials.credentials["region"], sk.hex(), pk.hex()
+        )
+
+    external_id = None
+    if "external_id" in provider_credentials.credentials:
+        external_id = decrypt_asymmetric(
+            provider_credentials.credentials["external_id"], sk.hex(), pk.hex()
+        )
+
+    return {
+        "role_arn": role_arn,
+        "region": region,
+        "external_id": external_id,
+    }
+
+
+def build_dynamic_secret_config(provider: str, user_config: dict) -> dict:
+    """
+    Merge user-supplied config with provider defaults for key_map.
+    - All non-key_map fields are preserved exactly as user provided.
+    - key_map is filled with defaults where user did not specify.
+    """
+    # --- find provider definition ---
+    provider_def = None
+    for prov in DynamicSecretProviders.__dict__.values():
+        if isinstance(prov, dict) and prov.get("id") == provider:
+            provider_def = prov
+            break
+    if not provider_def:
+        raise ValidationError(f"Unsupported provider: {provider}")
+
+    # --- start with user config ---
+    merged_config = dict(user_config or {})
+
+    # --- build key_map ---
+    key_map = merged_config.get("key_map", {})
+    merged_key_map = {}
+    for cred in provider_def.get("credentials", []):
+        cid = cred["id"]
+        default_key = cred.get("default_key_name")
+        merged_key_map[cid] = key_map.get(cid, default_key)
+
+    merged_config["key_map"] = merged_key_map
+    return merged_config
+
+
+def create_dynamic_secret(
+    *,
+    environment,
+    folder,
+    name: str,
+    description="",
+    default_ttl,
+    max_ttl,
+    authentication=None,
+    provider: str,
+    config: dict,
+    key_map: list,
+) -> DynamicSecret:
+    """
+    Create a DynamicSecret with validated provider config.
+    Used by both GraphQL resolvers and REST API.
+    """
+
+    # --- validate provider ---
+    provider_def = None
+    for prov in DynamicSecretProviders.__dict__.values():
+        if isinstance(prov, dict) and prov.get("id") == provider:
+            provider_def = prov
+            break
+    if not provider_def:
+        raise ValidationError(f"Unsupported provider: {provider}")
+
+    # --- validate required config fields ---
+    validated_config = {}
+    for field in provider_def.get("config_map", []):
+        fid = field["id"]
+        required = field.get("required", False)
+        default = field.get("default")
+
+        if fid in config:
+            validated_config[fid] = config[fid]
+        elif required and default is None:
+            raise ValidationError(f"Missing required config field: {fid}")
+        elif default is not None:
+            validated_config[fid] = default
+
+    # --- validate key_map ---
+    valid_creds = {c["id"]: c for c in provider_def.get("credentials", [])}
+    validated_key_map = []
+
+    for entry in key_map:
+        if not isinstance(entry, dict):
+            raise ValidationError(f"Invalid key_map entry (must be dict): {entry}")
+
+        key_id = entry.get("id")
+        key_name = entry.get("key_name")
+
+        if key_id not in valid_creds:
+            raise ValidationError(
+                f"Invalid key id '{key_id}' for provider '{provider}'"
+            )
+
+        # fallback to provider default_key_name
+        if not key_name:
+            key_name = valid_creds[key_id].get("default_key_name")
+
+        if not key_name:
+            raise ValidationError(
+                f"No key name provided for key id '{key_id}', and no default defined"
+            )
+
+        validated_key_map.append({"id": key_id, "key_name": key_name})
+
+    # --- construct DynamicSecret ---
+    dynamic_secret = DynamicSecret.objects.create(
+        id=uuid4(),
+        environment=environment,
+        folder=folder,
+        path="/",
+        name=name,
+        description=description,
+        default_ttl=default_ttl,
+        max_ttl=max_ttl,
+        authentication=authentication,
+        provider=provider,
+        config=validated_config,
+        key_map=validated_key_map,
+    )
+
+    # Update environment timestamp
+    environment.updated_at = timezone.now()
+    environment.save(update_fields=["updated_at"])
+
+    return dynamic_secret
+
+
+def create_temporary_user(user_config, iam_client):
+    """
+    Create a temporary IAM user with specified configuration.
+
+    Args:
+        user_config (dict): Configuration for user creation
+            - username_template (str): Base name for user
+            - groups (list of str, optional): Comma separated list of groups to add user to
+            - policy_arns (list of str, optional): Policy ARN to attach
+            - iam_user_path (str, optional): User path
+            - permission_boundary_arn (str, optional): Permission boundary ARN
+            - ttl_seconds (int): Time to live in seconds
+
+    Returns:
+        dict: User creation result with username and metadata
+    """
+    try:
+        # Generate unique username
+        base_template = user_config.get(
+            "username_template", "phase-dynamic-{{ random }}"
+        )
+        username = render_username_template(base_template)
+
+        # Prepare user creation parameters
+        path = user_config.get("iam_user_path", "/") or "/"
+
+        # ensure leading slash
+        if not path.startswith("/"):
+            path = "/" + path
+
+        # ensure trailing slash
+        if not path.endswith("/"):
+            path = path + "/"
+
+        create_params = {
+            "UserName": username,
+            "Path": path,
+        }
+
+        # Add permission boundary if specified
+        if user_config.get("permission_boundary_arn"):
+            create_params["PermissionsBoundary"] = user_config[
+                "permission_boundary_arn"
+            ]
+
+        # Create IAM user
+        response = iam_client.create_user(**create_params)
+
+        # Add tags to track the user
+        creation_time = datetime.utcnow()
+        expiry_time = creation_time + timedelta(
+            seconds=user_config.get("ttl_seconds", 60)
+        )
+
+        iam_client.tag_user(
+            UserName=username,
+            Tags=[
+                {"Key": "CreatedBy", "Value": "phase-dynamic-secrets"},
+                {"Key": "CreationTime", "Value": creation_time.isoformat()},
+                {"Key": "ExpiryTime", "Value": expiry_time.isoformat()},
+                {"Key": "TTL", "Value": str(user_config.get("ttl_seconds", 60))},
+            ],
+        )
+
+        # Attach policies if specified
+        policy_arns = user_config.get("policy_arns")
+        if policy_arns:
+            # Support both comma-separated string and list
+            if isinstance(policy_arns, str):
+                policy_arns = [p.strip() for p in policy_arns.split(",") if p.strip()]
+            for policy_arn in policy_arns:
+                try:
+                    iam_client.attach_user_policy(
+                        UserName=username, PolicyArn=policy_arn
+                    )
+                    logger.info(f"Attached policy {policy_arn} to user {username}")
+                except ClientError as e:
+                    logger.error(
+                        f"Failed to attach policy {policy_arn} to user {username}: {str(e)}"
+                    )
+                    raise
+
+        # Add user to specified groups
+        groups = user_config.get("groups")
+        if groups:
+            # If groups is a string (legacy), split by comma
+            if isinstance(groups, str):
+                groups = [g.strip() for g in groups.split(",") if g.strip()]
+            for group_name in groups:
+                try:
+                    iam_client.add_user_to_group(
+                        GroupName=group_name, UserName=username
+                    )
+                    logger.info(f"Added user {username} to group {group_name}")
+                except ClientError as e:
+                    logger.error(
+                        f"Failed to add user {username} to group {group_name}: {str(e)}"
+                    )
+                    raise
+
+        logger.info(f"Successfully created temporary IAM user: {username}")
+
+        return {
+            "username": username,
+            "arn": response["User"]["Arn"],
+            "creation_time": creation_time.isoformat(),
+            "expiry_time": expiry_time.isoformat(),
+        }
+
+    except ClientError as e:
+        logger.error(f"AWS client error creating user: {str(e)}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error creating user: {str(e)}")
+        raise
+
+
+def create_access_key(username, iam_client):
+    """
+    Create access key for IAM user.
+
+    Args:
+        username (str): IAM username
+
+    Returns:
+        dict: Access key details
+    """
+    try:
+        response = iam_client.create_access_key(UserName=username)
+        access_key = response["AccessKey"]
+
+        logger.info(f"Successfully created access key for user: {username}")
+
+        return {
+            "access_key_id": access_key["AccessKeyId"],
+            "secret_access_key": access_key["SecretAccessKey"],
+            "status": access_key["Status"],
+        }
+
+    except ClientError as e:
+        logger.error(f"AWS client error creating access key: {str(e)}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error creating access key: {str(e)}")
+        raise
+
+
+def get_sts_client(region="us-east-1"):
+
+    aws_access_key_id = get_secret("AWS_INTEGRATION_ACCESS_KEY_ID")
+    aws_secret_access_key = get_secret("AWS_INTEGRATION_SECRET_ACCESS_KEY")
+
+    sts_client = boto3.client(
+        "sts",
+        region_name=region,
+        aws_access_key_id=aws_access_key_id,
+        aws_secret_access_key=aws_secret_access_key,
+    )
+
+    return sts_client
+
+
+import boto3
+
+
+def get_iam_client(secret: DynamicSecret) -> tuple[boto3.client, dict]:
+    """
+    Construct an IAM client using the given DynamicSecret's authentication config.
+    Returns (iam_client, aws_credentials).
+    """
+    sts_client = get_sts_client()
+
+    # Determine authentication method
+    has_role_arn = "role_arn" in secret.authentication.credentials
+    aws_credentials = {}
+
+    if has_role_arn:
+        integration_credentials = get_aws_assume_role_credentials(secret.authentication)
+        role_arn = integration_credentials.get("role_arn")
+        assumed_role = sts_client.assume_role(
+            RoleArn=role_arn, RoleSessionName="phase-dynamic-secret-session"
+        )
+        aws_credentials = assumed_role["Credentials"]
+    else:
+        integration_credentials = get_aws_access_key_credentials(secret.authentication)
+        aws_credentials["AccessKeyId"] = integration_credentials.get("access_key_id")
+        aws_credentials["SecretAccessKey"] = integration_credentials.get(
+            "secret_access_key"
+        )
+
+    region = integration_credentials.get("region")
+
+    # Construct IAM client kwargs
+    iam_client_kwargs = {
+        "service_name": "iam",
+        "region_name": region,
+        "aws_access_key_id": aws_credentials["AccessKeyId"],
+        "aws_secret_access_key": aws_credentials["SecretAccessKey"],
+    }
+    if "SessionToken" in aws_credentials:
+        iam_client_kwargs["aws_session_token"] = aws_credentials["SessionToken"]
+
+    return boto3.client(**iam_client_kwargs), aws_credentials
+
+
+def create_aws_dynamic_secret_lease(
+    *,
+    secret: DynamicSecret,
+    lease_name,
+    organisation_member=None,
+    service_account=None,
+    ttl_seconds,
+) -> dict:
+    """
+    Create a new lease for dynamic AWS credentials.
+    """
+
+    lease_config = secret.config
+
+    if not organisation_member and not service_account:
+        raise ValidationError("Must set either organisation_member or service_account")
+    if organisation_member and service_account:
+        raise ValidationError(
+            "Only one of organisation_member or service_account may be set"
+        )
+
+    iam_client, _ = get_iam_client(secret)
+
+    # Build config for user creation
+    user_config = {
+        "username_template": lease_config.get("username_template"),
+        "groups": lease_config.get("groups"),
+        "policy_arns": lease_config.get("policy_arns"),
+        "iam_user_path": lease_config.get("iam_path", "/"),
+        "permission_boundary_arn": lease_config.get("permission_boundary_arn"),
+        "ttl_seconds": ttl_seconds,
+    }
+
+    user_result = create_temporary_user(user_config, iam_client)
+    username = user_result["username"]
+
+    # Create access key for the user
+    access_key_result = create_access_key(username, iam_client)
+
+    lease_data = {
+        "username": username,
+        "user_arn": user_result["arn"],
+        "access_key_id": access_key_result["access_key_id"],
+        "secret_access_key": access_key_result["secret_access_key"],
+        "creation_time": user_result["creation_time"],
+        "expiry_time": user_result["expiry_time"],
+        "ttl_seconds": user_config.get("ttl_seconds", 60),
+    }
+
+    env_pubkey, _ = get_environment_keys(secret.environment.id)
+
+    encrypted_credentials = {
+        "access_key_id": encrypt_asymmetric(
+            access_key_result["access_key_id"], env_pubkey
+        ),
+        "secret_access_key": encrypt_asymmetric(
+            access_key_result["secret_access_key"], env_pubkey
+        ),
+        "username": encrypt_asymmetric(username, env_pubkey),
+    }
+
+    lease = DynamicSecretLease.objects.create(
+        secret=secret,
+        name=lease_name,
+        organisation_member=organisation_member,
+        service_account=service_account,
+        ttl=timedelta(seconds=ttl_seconds),
+        expires_at=timezone.now() + timedelta(seconds=ttl_seconds),
+        credentials=encrypted_credentials,
+    )
+
+    # --- Schedule revocation ---
+    scheduler = django_rq.get_scheduler("scheduled-jobs")
+    job = scheduler.enqueue_at(
+        lease.expires_at,
+        revoke_aws_dynamic_secret_lease,
+        lease.id,
+    )
+
+    lease.cleanup_job_id = job.id
+    lease.save()
+
+    return lease, lease_data
+
+
+def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
+    """
+    Delete IAM user and all associated credentials.
+
+    Args:
+        lease_id (DynamicSecretLease): id for the lease containing IAM username to delete
+        manual (boolean): Whether this is a manual revoke or automatically scheduled expiry. Defaults to false
+
+    Returns:
+        bool: True if successful, False otherwise
+    """
+    lease = DynamicSecretLease.objects.get(id=lease_id)
+
+    if lease.revoked_at is not None:
+        logger.info(f"Lease {lease.id} already revoked at {lease.revoked_at}")
+        return
+
+    iam_client, _ = get_iam_client(lease.secret)
+
+    try:
+        # Decrypt username
+        env_pubkey, env_privkey = get_environment_keys(lease.secret.environment.id)
+        encrypted_username = lease.credentials.get("username")
+        username = decrypt_asymmetric(encrypted_username, env_privkey, env_pubkey)
+
+        # List and delete all access keys for the user
+        access_keys = iam_client.list_access_keys(UserName=username)
+        for key in access_keys["AccessKeyMetadata"]:
+            iam_client.delete_access_key(
+                UserName=username, AccessKeyId=key["AccessKeyId"]
+            )
+            logger.info(f"Deleted access key {key['AccessKeyId']} for user {username}")
+
+        # Detach all managed policies
+        attached_policies = iam_client.list_attached_user_policies(UserName=username)
+        for policy in attached_policies["AttachedPolicies"]:
+            iam_client.detach_user_policy(
+                UserName=username, PolicyArn=policy["PolicyArn"]
+            )
+            logger.info(f"Detached policy {policy['PolicyArn']} from user {username}")
+
+        # Delete all inline policies
+        inline_policies = iam_client.list_user_policies(UserName=username)
+        for policy_name in inline_policies["PolicyNames"]:
+            iam_client.delete_user_policy(UserName=username, PolicyName=policy_name)
+            logger.info(f"Deleted inline policy {policy_name} from user {username}")
+
+        # Remove user from all groups
+        groups_resp = iam_client.list_groups_for_user(UserName=username)
+        for group in groups_resp["Groups"]:
+            iam_client.remove_user_from_group(
+                UserName=username, GroupName=group["GroupName"]
+            )
+            logger.info(f"Removed user {username} from group {group['GroupName']}")
+
+        # Finally, delete the user
+        iam_client.delete_user(UserName=username)
+        logger.info(f"Successfully deleted IAM user: {username}")
+
+        if manual:
+            lease.status = DynamicSecretLease.REVOKED
+        else:
+            lease.status = DynamicSecretLease.EXPIRED
+        lease.credentials = {}
+        lease.revoked_at = timezone.now()
+        lease.save()
+
+        return True
+
+    except iam_client.exceptions.NoSuchEntityException:
+        logger.warning(f"User {username} does not exist, treating as already revoked")
+        return True
+    except ClientError as e:
+        logger.error(f"AWS client error deleting user: {str(e)}")
+        raise ValidationError(f"AWS client error deleting user: {str(e)}")
+    except Exception as e:
+        logger.error(f"Unexpected error deleting user: {str(e)}")
+        raise Exception(f"Unexpected error deleting user: {str(e)}")
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
new file mode 100644
index 000000000..ed123d7a7
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -0,0 +1,228 @@
+from datetime import timedelta
+from api.utils.access.permissions import (
+    user_can_access_environment,
+    user_has_permission,
+    user_is_org_member,
+)
+from ee.integrations.secrets.dynamic.utils import renew_dynamic_secret_lease
+from ee.integrations.secrets.dynamic.aws.graphene.types import (
+    AwsCredentialsType,
+)
+from ee.integrations.secrets.dynamic.aws.utils import (
+    create_aws_dynamic_secret_lease,
+    revoke_aws_dynamic_secret_lease,
+)
+from ee.integrations.secrets.dynamic.graphene.types import DynamicSecretLeaseType
+import graphene
+from graphql import GraphQLError
+from api.models import (
+    DynamicSecret,
+    DynamicSecretLease,
+    OrganisationMember,
+)
+from django.utils import timezone
+from django.core.exceptions import ValidationError
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class DeleteDynamicSecretMutation(graphene.Mutation):
+    class Arguments:
+        secret_id = graphene.ID(required=True)
+
+    ok = graphene.Boolean()
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        secret_id,
+    ):
+        user = info.context.user
+
+        secret = DynamicSecret.objects.get(id=secret_id, deleted_at=None)
+        org = secret.environment.app.organisation
+
+        # --- permission checks ---
+        if not user_has_permission(user, "delete", "Secrets", org, True):
+            raise GraphQLError(
+                "You don't have permission to delete secrets in this organisation"
+            )
+
+        secret.updated_at = timezone.now()
+        secret.deleted_at = timezone.now()
+        secret.save()
+
+        return DeleteDynamicSecretMutation(ok=True)
+
+
+class LeaseDynamicSecret(graphene.Mutation):
+    class Arguments:
+        secret_id = graphene.ID(required=True)
+        name = graphene.String(required=False)
+        ttl = graphene.Int()  # seconds
+
+    lease = graphene.Field(DynamicSecretLeaseType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        secret_id,
+        name=None,
+        ttl=3600,
+    ):
+        user = info.context.user
+
+        secret = DynamicSecret.objects.get(id=secret_id, deleted_at=None)
+        org = secret.environment.app.organisation
+
+        # --- permission checks ---
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "create", "Secrets", org, True):
+            raise GraphQLError("You don't have permission to create Dynamic Secrets")
+
+        if not user_can_access_environment(user.userId, secret.environment.id):
+            raise GraphQLError("You don't have access to this environment")
+
+        org_member = OrganisationMember.objects.get(organisation=org, user=user)
+
+        # create lease
+        lease_name = secret.name if name is None else name
+        try:
+            if secret.provider == "aws":
+                lease, lease_data = create_aws_dynamic_secret_lease(
+                    secret=secret,
+                    lease_name=lease_name,
+                    organisation_member=org_member,
+                    ttl_seconds=ttl,
+                )
+
+                lease._credentials = AwsCredentialsType(
+                    access_key_id=lease_data["access_key_id"],
+                    secret_access_key=lease_data["secret_access_key"],
+                    username=lease_data["username"],
+                )
+
+        except ValidationError as e:
+            logger.error(f"Error creating dynamic secret lease: {e}")
+            raise GraphQLError(e.message)
+
+        return LeaseDynamicSecret(lease=lease)
+
+
+class RenewLeaseMutation(graphene.Mutation):
+    class Arguments:
+        lease_id = graphene.ID(required=True)
+        ttl = graphene.Int()  # seconds
+
+    lease = graphene.Field(DynamicSecretLeaseType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        lease_id,
+        ttl=3600,
+    ):
+
+        user = info.context.user
+
+        lease = DynamicSecretLease.objects.get(id=lease_id)
+        org = lease.secret.environment.app.organisation
+        org_member = OrganisationMember.objects.get(organisation=org, user=user)
+
+        # --- permission checks ---
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "create", "Secrets", org, True):
+            raise GraphQLError("You don't have permission to create Dynamic Secrets")
+
+        if not user_can_access_environment(user.userId, lease.secret.environment.id):
+            raise GraphQLError("You don't have access to this environment")
+
+        # if timedelta(seconds=ttl) > lease.secret.max_ttl:
+        #     raise GraphQLError(
+        #         "The specified TTL exceeds the maximum TTL for this dynamic secret."
+        #     )
+
+        # if lease.expires_at <= timezone.now():
+        #     raise GraphQLError("This lease has expired and cannot be renewed")
+
+        # else:
+        #     lease.expires_at = timezone.now() + timedelta(seconds=ttl)
+        #     lease.updated_at = timezone.now()
+
+        # # --- reschedule cleanup job ---
+        # scheduler = django_rq.get_scheduler("scheduled-jobs")
+
+        # # cancel the old job if it exists
+        # if lease.cleanup_job_id:
+        #     try:
+        #         old_job = Job.fetch(lease.cleanup_job_id, connection=scheduler.connection)
+        #         old_job.cancel()
+        #     except Exception:
+        #         # job might already have run or been deleted
+        #         pass
+
+        # # enqueue a new revocation job
+        # job = scheduler.enqueue_at(
+        #     lease.expires_at,
+        #     revoke_aws_dynamic_secret_lease,
+        #     lease.id,
+        # )
+        # lease.cleanup_job_id = job.id
+        # lease.save()
+
+        lease = renew_dynamic_secret_lease(lease, ttl)
+
+        return RenewLeaseMutation(lease=lease)
+
+
+class RevokeLeaseMutation(graphene.Mutation):
+    class Arguments:
+        lease_id = graphene.ID(required=True)
+
+    lease = graphene.Field(DynamicSecretLeaseType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        lease_id,
+    ):
+
+        user = info.context.user
+
+        lease = DynamicSecretLease.objects.get(id=lease_id)
+        org = lease.secret.environment.app.organisation
+        org_member = OrganisationMember.objects.get(organisation=org, user=user)
+
+        # --- permission checks ---
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "create", "Secrets", org, True):
+            raise GraphQLError("You don't have permission to create Dynamic Secrets")
+
+        if not user_can_access_environment(user.userId, lease.secret.environment.id):
+            raise GraphQLError("You don't have access to this environment")
+
+        if lease.organisation_member.id != org_member.id:
+            raise GraphQLError(
+                "You cannot revoke this lease as it wasn't created by you"
+            )
+
+        else:
+            if lease.secret.provider == "aws":
+                revoke_aws_dynamic_secret_lease(lease.id, manual=True)
+
+        return RevokeLeaseMutation(lease=lease)
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/queries.py b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
new file mode 100644
index 000000000..aad308d68
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
@@ -0,0 +1,85 @@
+from ee.integrations.secrets.dynamic.graphene.types import DynamicSecretProviderType
+from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
+from graphql import GraphQLError
+from api.models import DynamicSecret, App, Environment, Organisation
+from api.utils.access.permissions import (
+    user_has_permission,
+    user_can_access_app,
+    user_can_access_environment,
+)
+
+
+def resolve_dynamic_secret_providers(self, info):
+    providers = [
+        DynamicSecretProviderType(
+            id=provider["id"],
+            name=provider["name"],
+            credentials=provider["credentials"],
+            config_map=provider["config_map"],
+        )
+        for provider in DynamicSecretProviders.__dict__.values()
+        if isinstance(provider, dict)
+    ]
+    return providers
+
+
+def resolve_dynamic_secrets(
+    root, info, secret_id=None, app_id=None, env_id=None, org_id=None
+):
+    user = info.context.user
+    filters = {"deleted_at": None}
+
+    if secret_id:
+        filters["id"] = secret_id
+
+    org = None
+
+    # Figure out which org to use
+    if app_id:
+        app = App.objects.get(id=app_id)
+        org = app.organisation
+    elif env_id:
+        env = Environment.objects.get(id=env_id)
+        org = env.app.organisation
+    elif org_id:
+        org = Organisation.objects.get(id=org_id)
+    else:
+        raise GraphQLError(
+            "You must provide an app ID, an environment ID, or an organisation ID"
+        )
+
+    # Permission check (common to all cases)
+    if not user_has_permission(user, "read", "Secrets", org, True):
+        return []
+
+    # Build filters + access checks
+    if app_id and env_id:
+        if not user_can_access_app(user.userId, app_id):
+            raise GraphQLError("You don't have access to this app")
+        if not user_can_access_environment(user.userId, env_id):
+            raise GraphQLError("You don't have access to this environment")
+
+        filters.update({"environment__app__id": app_id, "environment_id": env_id})
+        return DynamicSecret.objects.filter(**filters)
+
+    if app_id:
+        if not user_can_access_app(user.userId, app_id):
+            raise GraphQLError("You don't have access to this app")
+
+        filters.update({"environment__app__id": app_id})
+        return DynamicSecret.objects.filter(**filters)
+
+    if env_id:
+        if not user_can_access_environment(user.userId, env_id):
+            raise GraphQLError("You don't have access to this environment")
+
+        filters.update({"environment_id": env_id})
+        return DynamicSecret.objects.filter(**filters)
+
+    if org_id:
+        filters.update({"environment__app__organisation_id": org_id})
+        return [
+            ds
+            for ds in DynamicSecret.objects.filter(**filters)
+            if user_can_access_app(user.userId, ds.environment.app.id)
+        ]
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
new file mode 100644
index 000000000..5539614f4
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -0,0 +1,90 @@
+from api.models import DynamicSecret, DynamicSecretLease
+import graphene
+from graphene_django import DjangoObjectType
+from graphene.types.generic import GenericScalar
+from ee.integrations.secrets.dynamic.aws.graphene.types import (
+    AWSConfigType,
+    AwsCredentialsType,
+)
+
+
+class KeyMap(graphene.ObjectType):
+    id = graphene.String()
+    key_name = graphene.String()
+
+
+class KeyMapInput(graphene.InputObjectType):
+    id = graphene.String(required=True)
+    key_name = graphene.String(required=True)
+
+
+class DynamicSecretProviderType(graphene.ObjectType):
+    id = graphene.String(required=True)
+    name = graphene.String(required=True)
+    credentials = GenericScalar(required=True)
+    config_map = GenericScalar(required=True)
+
+
+class DynamicSecretConfigUnion(graphene.Union):
+    class Meta:
+        types = (AWSConfigType,)
+
+
+class LeaseCredentialsUnion(graphene.Union):
+    class Meta:
+        types = (AwsCredentialsType,)
+
+
+class DynamicSecretType(DjangoObjectType):
+    # Expose JSON config safely
+    config = graphene.Field(DynamicSecretConfigUnion)
+    key_map = graphene.List(KeyMap)
+
+    # Convenience fields for TTLs
+    default_ttl_seconds = graphene.Int()
+    max_ttl_seconds = graphene.Int()
+
+    class Meta:
+        model = DynamicSecret
+        fields = (
+            "id",
+            "name",
+            "description",
+            "environment",
+            "folder",
+            "path",
+            "authentication",
+            "provider",
+            "config",
+            "key_map",
+            "leases",
+            "created_at",
+            "updated_at",
+            "deleted_at",
+        )
+
+    def resolve_config(self, info):
+        if self.provider == "aws":
+            return AWSConfigType(**self.config)
+        return None
+
+    def resolve_default_ttl_seconds(self, info):
+        return int(self.default_ttl.total_seconds()) if self.default_ttl else None
+
+    def resolve_max_ttl_seconds(self, info):
+        return int(self.max_ttl.total_seconds()) if self.max_ttl else None
+
+    def resolve_leases(self, info):
+        return self.leases.order_by("-created_at")
+
+
+class DynamicSecretLeaseType(DjangoObjectType):
+
+    credentials = graphene.Field(LeaseCredentialsUnion)
+
+    class Meta:
+        model = DynamicSecretLease
+        fields = "__all__"
+
+    def resolve_credentials(self, info):
+        return getattr(self, "_credentials", None)
diff --git a/backend/ee/integrations/secrets/dynamic/providers.py b/backend/ee/integrations/secrets/dynamic/providers.py
new file mode 100644
index 000000000..888de58d7
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/providers.py
@@ -0,0 +1,65 @@
+class DynamicSecretProviders:
+    AWS = {
+        "id": "aws",
+        "name": "AWS IAM",
+        "credentials": [
+            {"id": "username", "type": "string", "default_key_name": "AWS_USERNAME"},
+            {
+                "id": "access_key_id",
+                "type": "string",
+                "default_key_name": "AWS_ACCESS_KEY_ID",
+            },
+            {
+                "id": "secret_access_key",
+                "type": "string",
+                "default_key_name": "AWS_SECRET_ACCESS_KEY",
+            },
+        ],
+        "config_map": [
+            {
+                "id": "username_template",
+                "label": "Username template",
+                "input_type": "string",
+                "required": True,
+                "default": "{{ random }}",
+                "help_text": "A template for usernames created per credential",
+            },
+            {
+                "id": "iam_path",
+                "label": "AWS IAM Path",
+                "input_type": "string",
+                "required": False,
+                "default": "/",
+                "help_text": "Optional IAM user path. Defaults to '/'.",
+            },
+            {
+                "id": "policy_arns",
+                "label": "AWS Policy ARNs",
+                "input_type": "list",
+                "required": False,
+                "help_text": "Generated users will be attached to the specified policy ARNs.",
+            },
+            {
+                "id": "groups",
+                "label": "AWS IAM Groups",
+                "input_type": "list",  # accept comma-separated or array
+                "required": False,
+                "help_text": "Generated users will be attached to the specified IAM groups.",
+            },
+            {
+                "id": "permission_boundary_arn",
+                "label": "IAM User Permission Boundary ARN",
+                "input_type": "string",
+                "required": False,
+                "help_text": "ARN attached to the generated user for AWS Permission Boundary.",
+            },
+        ],
+    }
+
+    @classmethod
+    def get_service_choices(cls):
+        return [
+            (provider["id"], provider["name"])
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict)
+        ]
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
new file mode 100644
index 000000000..493c53374
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -0,0 +1,48 @@
+from datetime import timedelta
+from ee.integrations.secrets.dynamic.aws.utils import (
+    revoke_aws_dynamic_secret_lease,
+)
+from graphql import GraphQLError
+from django.utils import timezone
+import django_rq
+from rq.job import Job
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def renew_dynamic_secret_lease(lease, ttl):
+    if timedelta(seconds=ttl) > lease.secret.max_ttl:
+        raise GraphQLError(
+            "The specified TTL exceeds the maximum TTL for this dynamic secret."
+        )
+
+    if lease.expires_at <= timezone.now():
+        raise GraphQLError("This lease has expired and cannot be renewed")
+
+    else:
+        lease.expires_at = timezone.now() + timedelta(seconds=ttl)
+        lease.updated_at = timezone.now()
+
+    # --- reschedule cleanup job ---
+    scheduler = django_rq.get_scheduler("scheduled-jobs")
+
+    # cancel the old job if it exists
+    if lease.cleanup_job_id:
+        try:
+            old_job = Job.fetch(lease.cleanup_job_id, connection=scheduler.connection)
+            old_job.cancel()
+        except Exception as e:
+            logger.info(f"Failed to delete job: {e}")
+            pass
+
+    # enqueue a new revocation job
+    job = scheduler.enqueue_at(
+        lease.expires_at,
+        revoke_aws_dynamic_secret_lease,
+        lease.id,
+    )
+    lease.cleanup_job_id = job.id
+    lease.save()
+
+    return lease

From fbb40b31e35aee9146c15dabfe07d085e5315968 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:28:48 +0530
Subject: [PATCH 003/117] feat: generate schema and types

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/apollo/client.ts      |   8 +-
 frontend/apollo/gql.ts         |  49 +++++-
 frontend/apollo/graphql.ts     | 309 ++++++++++++++++++++++++++++++++-
 frontend/apollo/schema.graphql | 147 ++++++++++++++++
 4 files changed, 508 insertions(+), 5 deletions(-)

diff --git a/frontend/apollo/client.ts b/frontend/apollo/client.ts
index fb5c426f5..78fd6491e 100644
--- a/frontend/apollo/client.ts
+++ b/frontend/apollo/client.ts
@@ -51,7 +51,13 @@ const errorLink = onError(({ graphQLErrors, networkError }) => {
 
 export const graphQlClient = new ApolloClient({
   link: from([errorLink, httpLink]),
-  cache: new InMemoryCache(),
+  cache: new InMemoryCache({
+  typePolicies: {
+    KeyMap: {
+      keyFields: ["id", "keyName"], // composite key
+    },
+  },
+}),
   defaultOptions: {
     watchQuery: {
       skipPollAttempt: () => document.hidden,
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 601d00997..0c62d6b7e 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -53,6 +53,12 @@ const documents = {
     "mutation LogSecretReads($ids: [ID]!) {\n  readSecret(ids: $ids) {\n    ok\n  }\n}": types.LogSecretReadsDocument,
     "mutation RemovePersonalSecret($secretId: ID!) {\n  removeOverride(secretId: $secretId) {\n    ok\n  }\n}": types.RemovePersonalSecretDocument,
     "mutation RenameEnv($environmentId: ID!, $name: String!) {\n  renameEnvironment(environmentId: $environmentId, name: $name) {\n    environment {\n      id\n      name\n      updatedAt\n    }\n  }\n}": types.RenameEnvDocument,
+    "mutation CreateNewAWSDynamicSecret($organisationId: ID!, $environmentId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  createAwsDynamicSecret(\n    organisationId: $organisationId\n    environmentId: $environmentId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}": types.CreateNewAwsDynamicSecretDocument,
+    "mutation CreateDynamicSecretLease($secretId: ID!, $ttl: Int!, $name: String!) {\n  createDynamicSecretLease(secretId: $secretId, ttl: $ttl, name: $name) {\n    lease {\n      id\n      name\n      credentials {\n        ... on AwsCredentialsType {\n          accessKeyId\n          secretAccessKey\n          username\n        }\n      }\n      expiresAt\n    }\n  }\n}": types.CreateDynamicSecretLeaseDocument,
+    "mutation DeleteDynamicSecretOP($secretId: ID!) {\n  deleteDynamicSecret(secretId: $secretId) {\n    ok\n  }\n}": types.DeleteDynamicSecretOpDocument,
+    "mutation RenewDynamicSecretLeaseOP($leaseId: ID!, $ttl: Int!) {\n  renewDynamicSecretLease(leaseId: $leaseId, ttl: $ttl) {\n    lease {\n      id\n      name\n      expiresAt\n      status\n    }\n  }\n}": types.RenewDynamicSecretLeaseOpDocument,
+    "mutation RevokeDynamicSecretLeaseOP($leaseId: ID!) {\n  revokeDynamicSecretLease(leaseId: $leaseId) {\n    lease {\n      id\n      name\n      expiresAt\n      revokedAt\n      status\n    }\n  }\n}": types.RevokeDynamicSecretLeaseOpDocument,
+    "mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}": types.UpdateDynamicSecretDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": types.CreateSharedSecretDocument,
     "mutation SwapEnvOrder($environment1Id: ID!, $environment2Id: ID!) {\n  swapEnvironmentOrder(\n    environment1Id: $environment1Id\n    environment2Id: $environment2Id\n  ) {\n    ok\n  }\n}": types.SwapEnvOrderDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": types.AcceptOrganisationInviteDocument,
@@ -111,6 +117,9 @@ const documents = {
     "query GetOrganisationPlan($organisationId: ID!) {\n  organisationPlan(organisationId: $organisationId) {\n    name\n    maxUsers\n    maxApps\n    maxEnvsPerApp\n    seatsUsed {\n      users\n      serviceAccounts\n      total\n    }\n    seatLimit\n    appCount\n  }\n}": types.GetOrganisationPlanDocument,
     "query GetRoles($orgId: ID!) {\n  roles(orgId: $orgId) {\n    id\n    name\n    description\n    color\n    permissions\n    isDefault\n  }\n}": types.GetRolesDocument,
     "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}": types.VerifyInviteDocument,
+    "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
+    "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": types.GetDynamicSecretProvidersDocument,
+    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
     "query GetAppEnvironments($appId: ID!, $memberId: ID, $memberType: MemberType) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppEnvironmentsDocument,
     "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppSecretsDocument,
     "query GetAppSecretsLogs($appId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $memberId: ID, $memberType: MemberType, $environmentId: ID) {\n  secretLogs(\n    appId: $appId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    memberId: $memberId\n    memberType: $memberType\n    environmentId: $environmentId\n  ) {\n    logs {\n      id\n      path\n      key\n      value\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      serviceAccountToken {\n        id\n        name\n        deletedAt\n      }\n      eventType\n      environment {\n        id\n        envType\n        name\n      }\n      secret {\n        id\n        path\n      }\n    }\n    count\n  }\n  environmentKeys(appId: $appId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    environment {\n      id\n    }\n  }\n}": types.GetAppSecretsLogsDocument,
@@ -121,7 +130,7 @@ const documents = {
     "query GetSecretHistory($appId: ID!, $envId: ID!, $id: ID!) {\n  secrets(envId: $envId, id: $id) {\n    id\n    history {\n      id\n      key\n      value\n      path\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      eventType\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetSecretHistoryDocument,
     "query GetEnvSecretsKV($envId: ID!) {\n  folders(envId: $envId, path: \"/\") {\n    id\n    name\n  }\n  secrets(envId: $envId, path: \"/\") {\n    id\n    key\n    value\n    comment\n    path\n  }\n  environmentKeys(environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetEnvSecretsKvDocument,
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
-    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      name\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n}": types.GetSecretsDocument,
+    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
     "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
@@ -323,6 +332,30 @@ export function graphql(source: "mutation RemovePersonalSecret($secretId: ID!) {
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation RenameEnv($environmentId: ID!, $name: String!) {\n  renameEnvironment(environmentId: $environmentId, name: $name) {\n    environment {\n      id\n      name\n      updatedAt\n    }\n  }\n}"): (typeof documents)["mutation RenameEnv($environmentId: ID!, $name: String!) {\n  renameEnvironment(environmentId: $environmentId, name: $name) {\n    environment {\n      id\n      name\n      updatedAt\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateNewAWSDynamicSecret($organisationId: ID!, $environmentId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  createAwsDynamicSecret(\n    organisationId: $organisationId\n    environmentId: $environmentId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}"): (typeof documents)["mutation CreateNewAWSDynamicSecret($organisationId: ID!, $environmentId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  createAwsDynamicSecret(\n    organisationId: $organisationId\n    environmentId: $environmentId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateDynamicSecretLease($secretId: ID!, $ttl: Int!, $name: String!) {\n  createDynamicSecretLease(secretId: $secretId, ttl: $ttl, name: $name) {\n    lease {\n      id\n      name\n      credentials {\n        ... on AwsCredentialsType {\n          accessKeyId\n          secretAccessKey\n          username\n        }\n      }\n      expiresAt\n    }\n  }\n}"): (typeof documents)["mutation CreateDynamicSecretLease($secretId: ID!, $ttl: Int!, $name: String!) {\n  createDynamicSecretLease(secretId: $secretId, ttl: $ttl, name: $name) {\n    lease {\n      id\n      name\n      credentials {\n        ... on AwsCredentialsType {\n          accessKeyId\n          secretAccessKey\n          username\n        }\n      }\n      expiresAt\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation DeleteDynamicSecretOP($secretId: ID!) {\n  deleteDynamicSecret(secretId: $secretId) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteDynamicSecretOP($secretId: ID!) {\n  deleteDynamicSecret(secretId: $secretId) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation RenewDynamicSecretLeaseOP($leaseId: ID!, $ttl: Int!) {\n  renewDynamicSecretLease(leaseId: $leaseId, ttl: $ttl) {\n    lease {\n      id\n      name\n      expiresAt\n      status\n    }\n  }\n}"): (typeof documents)["mutation RenewDynamicSecretLeaseOP($leaseId: ID!, $ttl: Int!) {\n  renewDynamicSecretLease(leaseId: $leaseId, ttl: $ttl) {\n    lease {\n      id\n      name\n      expiresAt\n      status\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation RevokeDynamicSecretLeaseOP($leaseId: ID!) {\n  revokeDynamicSecretLease(leaseId: $leaseId) {\n    lease {\n      id\n      name\n      expiresAt\n      revokedAt\n      status\n    }\n  }\n}"): (typeof documents)["mutation RevokeDynamicSecretLeaseOP($leaseId: ID!) {\n  revokeDynamicSecretLease(leaseId: $leaseId) {\n    lease {\n      id\n      name\n      expiresAt\n      revokedAt\n      status\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}"): (typeof documents)["mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -555,6 +588,18 @@ export function graphql(source: "query GetRoles($orgId: ID!) {\n  roles(orgId: $
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}"): (typeof documents)["query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}"): (typeof documents)["query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -598,7 +643,7 @@ export function graphql(source: "query GetSecretTags($orgId: ID!) {\n  secretTag
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      name\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      name\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 41d614bca..3e72aeac9 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -32,6 +32,12 @@ export type Scalars = {
    * [iso8601](https://en.wikipedia.org/wiki/ISO_8601).
    */
   DateTime: { input: any; output: any; }
+  /**
+   * The `GenericScalar` scalar type represents a generic
+   * GraphQL scalar value that could be:
+   * String, Boolean, Int, Float, List or Object.
+   */
+  GenericScalar: { input: any; output: any; }
   /**
    * Allows use of a JSON String for input / output from the GraphQL schema.
    *
@@ -41,6 +47,25 @@ export type Scalars = {
   JSONString: { input: any; output: any; }
 };
 
+export type AwsConfigInput = {
+  groups?: InputMaybe<Array<InputMaybe<Scalars['String']['input']>>>;
+  iamPath?: InputMaybe<Scalars['String']['input']>;
+  permissionBoundaryArn?: InputMaybe<Scalars['String']['input']>;
+  policyArns?: InputMaybe<Array<InputMaybe<Scalars['String']['input']>>>;
+  policyDocument?: InputMaybe<Scalars['GenericScalar']['input']>;
+  usernameTemplate: Scalars['String']['input'];
+};
+
+export type AwsConfigType = {
+  __typename?: 'AWSConfigType';
+  groups?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+  iamPath?: Maybe<Scalars['String']['output']>;
+  permissionBoundaryArn?: Maybe<Scalars['String']['output']>;
+  policyArns?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+  policyDocument?: Maybe<Scalars['GenericScalar']['output']>;
+  usernameTemplate: Scalars['String']['output'];
+};
+
 export type AwsSecretType = {
   __typename?: 'AWSSecretType';
   arn?: Maybe<Scalars['String']['output']>;
@@ -99,6 +124,24 @@ export enum ApiActivatedPhaseLicensePlanChoices {
   Pr = 'PR'
 }
 
+export enum ApiDynamicSecretLeaseStatusChoices {
+  /** Active */
+  Active = 'ACTIVE',
+  /** Created */
+  Created = 'CREATED',
+  /** Expired */
+  Expired = 'EXPIRED',
+  /** Renewed */
+  Renewed = 'RENEWED',
+  /** Revoked */
+  Revoked = 'REVOKED'
+}
+
+export enum ApiDynamicSecretProviderChoices {
+  /** AWS */
+  Aws = 'AWS'
+}
+
 export enum ApiEnvironmentEnvTypeChoices {
   /** Custom */
   Custom = 'CUSTOM',
@@ -187,6 +230,13 @@ export type AppType = {
   wrappedKeyShare: Scalars['String']['output'];
 };
 
+export type AwsCredentialsType = {
+  __typename?: 'AwsCredentialsType';
+  accessKeyId?: Maybe<Scalars['String']['output']>;
+  secretAccessKey?: Maybe<Scalars['String']['output']>;
+  username?: Maybe<Scalars['String']['output']>;
+};
+
 export enum BillingPeriodEnum {
   Monthly = 'MONTHLY',
   Yearly = 'YEARLY'
@@ -237,6 +287,11 @@ export type CloudflareWorkerType = {
   scriptId?: Maybe<Scalars['String']['output']>;
 };
 
+export type CreateAwsDynamicSecretMutation = {
+  __typename?: 'CreateAWSDynamicSecretMutation';
+  dynamicSecret?: Maybe<DynamicSecretType>;
+};
+
 export type CreateAwsSecretsManagerSync = {
   __typename?: 'CreateAWSSecretsManagerSync';
   sync?: Maybe<EnvironmentSyncType>;
@@ -398,6 +453,11 @@ export type DeleteCustomRoleMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type DeleteDynamicSecretMutation = {
+  __typename?: 'DeleteDynamicSecretMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type DeleteEnvironmentMutation = {
   __typename?: 'DeleteEnvironmentMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -468,6 +528,57 @@ export type DeleteUserTokenMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type DynamicSecretConfigUnion = AwsConfigType;
+
+export type DynamicSecretLeaseType = {
+  __typename?: 'DynamicSecretLeaseType';
+  cleanupJobId: Scalars['String']['output'];
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  credentials?: Maybe<LeaseCredentialsUnion>;
+  deletedAt?: Maybe<Scalars['DateTime']['output']>;
+  description: Scalars['String']['output'];
+  expiresAt?: Maybe<Scalars['DateTime']['output']>;
+  id: Scalars['String']['output'];
+  name: Scalars['String']['output'];
+  organisationMember?: Maybe<OrganisationMemberType>;
+  renewedAt?: Maybe<Scalars['DateTime']['output']>;
+  revokedAt?: Maybe<Scalars['DateTime']['output']>;
+  secret: DynamicSecretType;
+  serviceAccount?: Maybe<ServiceAccountType>;
+  /** Current status of the lease */
+  status: ApiDynamicSecretLeaseStatusChoices;
+  ttl: Scalars['Float']['output'];
+};
+
+export type DynamicSecretProviderType = {
+  __typename?: 'DynamicSecretProviderType';
+  configMap: Scalars['GenericScalar']['output'];
+  credentials: Scalars['GenericScalar']['output'];
+  id: Scalars['String']['output'];
+  name: Scalars['String']['output'];
+};
+
+export type DynamicSecretType = {
+  __typename?: 'DynamicSecretType';
+  authentication?: Maybe<ProviderCredentialsType>;
+  config?: Maybe<DynamicSecretConfigUnion>;
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  defaultTtlSeconds?: Maybe<Scalars['Int']['output']>;
+  deletedAt?: Maybe<Scalars['DateTime']['output']>;
+  description: Scalars['String']['output'];
+  environment: EnvironmentType;
+  folder?: Maybe<SecretFolderType>;
+  id: Scalars['String']['output'];
+  keyMap?: Maybe<Array<Maybe<KeyMap>>>;
+  leases: Array<DynamicSecretLeaseType>;
+  maxTtlSeconds?: Maybe<Scalars['Int']['output']>;
+  name: Scalars['String']['output'];
+  path: Scalars['String']['output'];
+  /** Which provider this secret is associated with. */
+  provider: ApiDynamicSecretProviderChoices;
+  updatedAt: Scalars['DateTime']['output'];
+};
+
 export type EditSecretMutation = {
   __typename?: 'EditSecretMutation';
   secret?: Maybe<SecretType>;
@@ -659,6 +770,24 @@ export type KmsLogsResponseType = {
   logs?: Maybe<Array<Maybe<KmsLogType>>>;
 };
 
+export type KeyMap = {
+  __typename?: 'KeyMap';
+  id?: Maybe<Scalars['String']['output']>;
+  keyName?: Maybe<Scalars['String']['output']>;
+};
+
+export type KeyMapInput = {
+  id: Scalars['String']['input'];
+  keyName: Scalars['String']['input'];
+};
+
+export type LeaseCredentialsUnion = AwsCredentialsType;
+
+export type LeaseDynamicSecret = {
+  __typename?: 'LeaseDynamicSecret';
+  lease?: Maybe<DynamicSecretLeaseType>;
+};
+
 export type LockboxInput = {
   allowedViews?: InputMaybe<Scalars['Int']['input']>;
   data?: InputMaybe<Scalars['JSONString']['input']>;
@@ -687,10 +816,12 @@ export type Mutation = {
   bulkInviteOrganisationMembers?: Maybe<BulkInviteOrganisationMembersMutation>;
   cancelSubscription?: Maybe<UpdateSubscriptionResponse>;
   createApp?: Maybe<CreateAppMutation>;
+  createAwsDynamicSecret?: Maybe<CreateAwsDynamicSecretMutation>;
   createAwsSecretSync?: Maybe<CreateAwsSecretsManagerSync>;
   createCloudflarePagesSync?: Maybe<CreateCloudflarePagesSync>;
   createCloudflareWorkersSync?: Maybe<CreateCloudflareWorkersSync>;
   createCustomRole?: Maybe<CreateCustomRoleMutation>;
+  createDynamicSecretLease?: Maybe<LeaseDynamicSecret>;
   createEnvironment?: Maybe<CreateEnvironmentMutation>;
   createEnvironmentKey?: Maybe<CreateEnvironmentKeyMutation>;
   createEnvironmentToken?: Maybe<CreateEnvironmentTokenMutation>;
@@ -719,6 +850,7 @@ export type Mutation = {
   createVercelSync?: Maybe<CreateVercelSync>;
   deleteApp?: Maybe<DeleteAppMutation>;
   deleteCustomRole?: Maybe<DeleteCustomRoleMutation>;
+  deleteDynamicSecret?: Maybe<DeleteDynamicSecretMutation>;
   deleteEnvSync?: Maybe<DeleteSync>;
   deleteEnvironment?: Maybe<DeleteEnvironmentMutation>;
   deleteInvitation?: Maybe<DeleteInviteMutation>;
@@ -742,7 +874,9 @@ export type Mutation = {
   removeAppMember?: Maybe<RemoveAppMemberMutation>;
   removeOverride?: Maybe<DeletePersonalSecretMutation>;
   renameEnvironment?: Maybe<RenameEnvironmentMutation>;
+  renewDynamicSecretLease?: Maybe<RenewLeaseMutation>;
   resumeSubscription?: Maybe<UpdateSubscriptionResponse>;
+  revokeDynamicSecretLease?: Maybe<RevokeLeaseMutation>;
   rotateAppKeys?: Maybe<RotateAppKeysMutation>;
   setDefaultPaymentMethod?: Maybe<SetDefaultPaymentMethodMutation>;
   swapEnvironmentOrder?: Maybe<SwapEnvironmentOrderMutation>;
@@ -750,6 +884,7 @@ export type Mutation = {
   triggerSync?: Maybe<TriggerSync>;
   updateAccountNetworkAccessPolicies?: Maybe<UpdateAccountNetworkAccessPolicies>;
   updateAppName?: Maybe<UpdateAppNameMutation>;
+  updateAwsDynamicSecret?: Maybe<UpdateAwsDynamicSecretMutation>;
   updateCustomRole?: Maybe<UpdateCustomRoleMutation>;
   updateMemberEnvironmentScope?: Maybe<UpdateMemberEnvScopeMutation>;
   updateMemberWrappedSecrets?: Maybe<UpdateUserWrappedSecretsMutation>;
@@ -800,6 +935,20 @@ export type MutationCreateAppArgs = {
 };
 
 
+export type MutationCreateAwsDynamicSecretArgs = {
+  authenticationId?: InputMaybe<Scalars['ID']['input']>;
+  config: AwsConfigInput;
+  defaultTtl?: InputMaybe<Scalars['Int']['input']>;
+  description?: InputMaybe<Scalars['String']['input']>;
+  environmentId: Scalars['ID']['input'];
+  keyMap: Array<InputMaybe<KeyMapInput>>;
+  maxTtl?: InputMaybe<Scalars['Int']['input']>;
+  name: Scalars['String']['input'];
+  organisationId: Scalars['ID']['input'];
+  path?: InputMaybe<Scalars['String']['input']>;
+};
+
+
 export type MutationCreateAwsSecretSyncArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   envId?: InputMaybe<Scalars['ID']['input']>;
@@ -836,6 +985,13 @@ export type MutationCreateCustomRoleArgs = {
 };
 
 
+export type MutationCreateDynamicSecretLeaseArgs = {
+  name?: InputMaybe<Scalars['String']['input']>;
+  secretId: Scalars['ID']['input'];
+  ttl?: InputMaybe<Scalars['Int']['input']>;
+};
+
+
 export type MutationCreateEnvironmentArgs = {
   adminKeys?: InputMaybe<Array<InputMaybe<EnvironmentKeyInput>>>;
   environmentData: EnvironmentInput;
@@ -1067,6 +1223,11 @@ export type MutationDeleteCustomRoleArgs = {
 };
 
 
+export type MutationDeleteDynamicSecretArgs = {
+  secretId: Scalars['ID']['input'];
+};
+
+
 export type MutationDeleteEnvSyncArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -1193,12 +1354,23 @@ export type MutationRenameEnvironmentArgs = {
 };
 
 
+export type MutationRenewDynamicSecretLeaseArgs = {
+  leaseId: Scalars['ID']['input'];
+  ttl?: InputMaybe<Scalars['Int']['input']>;
+};
+
+
 export type MutationResumeSubscriptionArgs = {
   organisationId?: InputMaybe<Scalars['ID']['input']>;
   subscriptionId: Scalars['String']['input'];
 };
 
 
+export type MutationRevokeDynamicSecretLeaseArgs = {
+  leaseId: Scalars['ID']['input'];
+};
+
+
 export type MutationRotateAppKeysArgs = {
   appToken: Scalars['String']['input'];
   id: Scalars['ID']['input'];
@@ -1240,6 +1412,20 @@ export type MutationUpdateAppNameArgs = {
 };
 
 
+export type MutationUpdateAwsDynamicSecretArgs = {
+  authenticationId?: InputMaybe<Scalars['ID']['input']>;
+  config: AwsConfigInput;
+  defaultTtl?: InputMaybe<Scalars['Int']['input']>;
+  description?: InputMaybe<Scalars['String']['input']>;
+  dynamicSecretId: Scalars['ID']['input'];
+  keyMap: Array<InputMaybe<KeyMapInput>>;
+  maxTtl?: InputMaybe<Scalars['Int']['input']>;
+  name: Scalars['String']['input'];
+  organisationId: Scalars['ID']['input'];
+  path?: InputMaybe<Scalars['String']['input']>;
+};
+
+
 export type MutationUpdateCustomRoleArgs = {
   color?: InputMaybe<Scalars['String']['input']>;
   description?: InputMaybe<Scalars['String']['input']>;
@@ -1475,6 +1661,8 @@ export type Query = {
   clientIp?: Maybe<Scalars['String']['output']>;
   cloudflarePagesProjects?: Maybe<Array<Maybe<CloudFlarePagesType>>>;
   cloudflareWorkers?: Maybe<Array<Maybe<CloudflareWorkerType>>>;
+  dynamicSecretProviders?: Maybe<Array<Maybe<DynamicSecretProviderType>>>;
+  dynamicSecrets?: Maybe<Array<Maybe<DynamicSecretType>>>;
   envSyncs?: Maybe<Array<Maybe<EnvironmentSyncType>>>;
   environmentKeys?: Maybe<Array<Maybe<EnvironmentKeyType>>>;
   environmentTokens?: Maybe<Array<Maybe<EnvironmentTokenType>>>;
@@ -1568,6 +1756,14 @@ export type QueryCloudflareWorkersArgs = {
 };
 
 
+export type QueryDynamicSecretsArgs = {
+  appId?: InputMaybe<Scalars['ID']['input']>;
+  envId?: InputMaybe<Scalars['ID']['input']>;
+  orgId?: InputMaybe<Scalars['ID']['input']>;
+  secretId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type QueryEnvSyncsArgs = {
   envId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -1846,6 +2042,16 @@ export type RenderServiceType = {
   updatedAt?: Maybe<Scalars['String']['output']>;
 };
 
+export type RenewLeaseMutation = {
+  __typename?: 'RenewLeaseMutation';
+  lease?: Maybe<DynamicSecretLeaseType>;
+};
+
+export type RevokeLeaseMutation = {
+  __typename?: 'RevokeLeaseMutation';
+  lease?: Maybe<DynamicSecretLeaseType>;
+};
+
 export type RoleType = {
   __typename?: 'RoleType';
   color?: Maybe<Scalars['String']['output']>;
@@ -2081,6 +2287,11 @@ export type TriggerSync = {
   sync?: Maybe<EnvironmentSyncType>;
 };
 
+export type UpdateAwsDynamicSecretMutation = {
+  __typename?: 'UpdateAWSDynamicSecretMutation';
+  dynamicSecret?: Maybe<DynamicSecretType>;
+};
+
 export type UpdateAccountNetworkAccessPolicies = {
   __typename?: 'UpdateAccountNetworkAccessPolicies';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -2530,6 +2741,69 @@ export type RenameEnvMutationVariables = Exact<{
 
 export type RenameEnvMutation = { __typename?: 'Mutation', renameEnvironment?: { __typename?: 'RenameEnvironmentMutation', environment?: { __typename?: 'EnvironmentType', id: string, name: string, updatedAt: any } | null } | null };
 
+export type CreateNewAwsDynamicSecretMutationVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  environmentId: Scalars['ID']['input'];
+  path?: InputMaybe<Scalars['String']['input']>;
+  name: Scalars['String']['input'];
+  description?: InputMaybe<Scalars['String']['input']>;
+  defaultTtl?: InputMaybe<Scalars['Int']['input']>;
+  maxTtl?: InputMaybe<Scalars['Int']['input']>;
+  authenticationId?: InputMaybe<Scalars['ID']['input']>;
+  config: AwsConfigInput;
+  keyMap: Array<InputMaybe<KeyMapInput>> | InputMaybe<KeyMapInput>;
+}>;
+
+
+export type CreateNewAwsDynamicSecretMutation = { __typename?: 'Mutation', createAwsDynamicSecret?: { __typename?: 'CreateAWSDynamicSecretMutation', dynamicSecret?: { __typename?: 'DynamicSecretType', id: string, name: string, description: string, provider: ApiDynamicSecretProviderChoices, createdAt?: any | null, updatedAt: any } | null } | null };
+
+export type CreateDynamicSecretLeaseMutationVariables = Exact<{
+  secretId: Scalars['ID']['input'];
+  ttl: Scalars['Int']['input'];
+  name: Scalars['String']['input'];
+}>;
+
+
+export type CreateDynamicSecretLeaseMutation = { __typename?: 'Mutation', createDynamicSecretLease?: { __typename?: 'LeaseDynamicSecret', lease?: { __typename?: 'DynamicSecretLeaseType', id: string, name: string, expiresAt?: any | null, credentials?: { __typename?: 'AwsCredentialsType', accessKeyId?: string | null, secretAccessKey?: string | null, username?: string | null } | null } | null } | null };
+
+export type DeleteDynamicSecretOpMutationVariables = Exact<{
+  secretId: Scalars['ID']['input'];
+}>;
+
+
+export type DeleteDynamicSecretOpMutation = { __typename?: 'Mutation', deleteDynamicSecret?: { __typename?: 'DeleteDynamicSecretMutation', ok?: boolean | null } | null };
+
+export type RenewDynamicSecretLeaseOpMutationVariables = Exact<{
+  leaseId: Scalars['ID']['input'];
+  ttl: Scalars['Int']['input'];
+}>;
+
+
+export type RenewDynamicSecretLeaseOpMutation = { __typename?: 'Mutation', renewDynamicSecretLease?: { __typename?: 'RenewLeaseMutation', lease?: { __typename?: 'DynamicSecretLeaseType', id: string, name: string, expiresAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices } | null } | null };
+
+export type RevokeDynamicSecretLeaseOpMutationVariables = Exact<{
+  leaseId: Scalars['ID']['input'];
+}>;
+
+
+export type RevokeDynamicSecretLeaseOpMutation = { __typename?: 'Mutation', revokeDynamicSecretLease?: { __typename?: 'RevokeLeaseMutation', lease?: { __typename?: 'DynamicSecretLeaseType', id: string, name: string, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices } | null } | null };
+
+export type UpdateDynamicSecretMutationVariables = Exact<{
+  dynamicSecretId: Scalars['ID']['input'];
+  organisationId: Scalars['ID']['input'];
+  path?: InputMaybe<Scalars['String']['input']>;
+  name: Scalars['String']['input'];
+  description?: InputMaybe<Scalars['String']['input']>;
+  defaultTtl?: InputMaybe<Scalars['Int']['input']>;
+  maxTtl?: InputMaybe<Scalars['Int']['input']>;
+  authenticationId?: InputMaybe<Scalars['ID']['input']>;
+  config: AwsConfigInput;
+  keyMap: Array<InputMaybe<KeyMapInput>> | InputMaybe<KeyMapInput>;
+}>;
+
+
+export type UpdateDynamicSecretMutation = { __typename?: 'Mutation', updateAwsDynamicSecret?: { __typename?: 'UpdateAWSDynamicSecretMutation', dynamicSecret?: { __typename?: 'DynamicSecretType', id: string, name: string, description: string, provider: ApiDynamicSecretProviderChoices, createdAt?: any | null, updatedAt: any } | null } | null };
+
 export type CreateSharedSecretMutationVariables = Exact<{
   input: LockboxInput;
 }>;
@@ -3023,6 +3297,28 @@ export type VerifyInviteQueryVariables = Exact<{
 
 export type VerifyInviteQuery = { __typename?: 'Query', validateInvite?: { __typename?: 'OrganisationMemberInviteType', id: string, inviteeEmail: string, organisation: { __typename?: 'OrganisationType', id: string, name: string }, invitedBy: { __typename?: 'OrganisationMemberType', fullName?: string | null, email?: string | null }, apps: Array<{ __typename?: 'AppMembershipType', id: string, name: string }> } | null };
 
+export type GetDynamicSecretsQueryVariables = Exact<{
+  orgId: Scalars['ID']['input'];
+  appId?: InputMaybe<Scalars['ID']['input']>;
+  envId?: InputMaybe<Scalars['ID']['input']>;
+}>;
+
+
+export type GetDynamicSecretsQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, index: number, app: { __typename?: 'AppMembershipType', id: string, name: string } }, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, iamPath?: string | null } | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
+
+export type GetDynamicSecretProvidersQueryVariables = Exact<{ [key: string]: never; }>;
+
+
+export type GetDynamicSecretProvidersQuery = { __typename?: 'Query', dynamicSecretProviders?: Array<{ __typename?: 'DynamicSecretProviderType', id: string, name: string, credentials: any, configMap: any } | null> | null };
+
+export type GetDynamicSecretLeasesQueryVariables = Exact<{
+  secretId: Scalars['ID']['input'];
+  orgId: Scalars['ID']['input'];
+}>;
+
+
+export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null }> } | null> | null };
+
 export type GetAppEnvironmentsQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
   memberId?: InputMaybe<Scalars['ID']['input']>;
@@ -3115,7 +3411,7 @@ export type GetSecretsQueryVariables = Exact<{
 }>;
 
 
-export type GetSecretsQuery = { __typename?: 'Query', secrets?: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, path: string, comment: string, createdAt?: any | null, updatedAt: any, tags: Array<{ __typename?: 'SecretTagType', id: string, name: string, color: string }>, override?: { __typename?: 'PersonalSecretType', value?: string | null, isActive: boolean } | null, environment: { __typename?: 'EnvironmentType', id: string, app: { __typename?: 'AppMembershipType', id: string } } } | null> | null, folders?: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string, createdAt?: any | null, folderCount?: number | null, secretCount?: number | null } | null> | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, app: { __typename?: 'AppMembershipType', name: string } } | null> | null, environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, identityKey: string, wrappedSeed: string, wrappedSalt: string } | null> | null, envSyncs?: Array<{ __typename?: 'EnvironmentSyncType', id: string, options: any, isActive: boolean, status: ApiEnvironmentSyncStatusChoices, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null> | null };
+export type GetSecretsQuery = { __typename?: 'Query', secrets?: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, path: string, comment: string, createdAt?: any | null, updatedAt: any, tags: Array<{ __typename?: 'SecretTagType', id: string, name: string, color: string }>, override?: { __typename?: 'PersonalSecretType', value?: string | null, isActive: boolean } | null, environment: { __typename?: 'EnvironmentType', id: string, app: { __typename?: 'AppMembershipType', id: string } } } | null> | null, folders?: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string, createdAt?: any | null, folderCount?: number | null, secretCount?: number | null } | null> | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, app: { __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean } } | null> | null, environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, identityKey: string, wrappedSeed: string, wrappedSalt: string } | null> | null, envSyncs?: Array<{ __typename?: 'EnvironmentSyncType', id: string, options: any, isActive: boolean, status: ApiEnvironmentSyncStatusChoices, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null> | null, dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, groups?: Array<string | null> | null, iamPath?: string | null, permissionBoundaryArn?: string | null, policyArns?: Array<string | null> | null, policyDocument?: any | null } | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
 
 export type GetServiceTokensQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3331,6 +3627,12 @@ export const InitAppEnvironmentsDocument = {"kind":"Document","definitions":[{"k
 export const LogSecretReadsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"LogSecretReads"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"ids"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"readSecret"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"ids"},"value":{"kind":"Variable","name":{"kind":"Name","value":"ids"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<LogSecretReadsMutation, LogSecretReadsMutationVariables>;
 export const RemovePersonalSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemovePersonalSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeOverride"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<RemovePersonalSecretMutation, RemovePersonalSecretMutationVariables>;
 export const RenameEnvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RenameEnv"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renameEnvironment"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<RenameEnvMutation, RenameEnvMutationVariables>;
+export const CreateNewAwsDynamicSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSDynamicSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"KeyMapInput"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsDynamicSecret"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"authenticationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}},{"kind":"Argument","name":{"kind":"Name","value":"keyMap"},"value":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsDynamicSecretMutation, CreateNewAwsDynamicSecretMutationVariables>;
+export const CreateDynamicSecretLeaseDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateDynamicSecretLease"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"ttl"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createDynamicSecretLease"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"ttl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"ttl"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lease"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsCredentialsType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"accessKeyId"}},{"kind":"Field","name":{"kind":"Name","value":"secretAccessKey"}},{"kind":"Field","name":{"kind":"Name","value":"username"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateDynamicSecretLeaseMutation, CreateDynamicSecretLeaseMutationVariables>;
+export const DeleteDynamicSecretOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteDynamicSecretOP"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteDynamicSecret"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteDynamicSecretOpMutation, DeleteDynamicSecretOpMutationVariables>;
+export const RenewDynamicSecretLeaseOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RenewDynamicSecretLeaseOP"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"leaseId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"ttl"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renewDynamicSecretLease"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"leaseId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"leaseId"}}},{"kind":"Argument","name":{"kind":"Name","value":"ttl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"ttl"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lease"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]} as unknown as DocumentNode<RenewDynamicSecretLeaseOpMutation, RenewDynamicSecretLeaseOpMutationVariables>;
+export const RevokeDynamicSecretLeaseOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RevokeDynamicSecretLeaseOP"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"leaseId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"revokeDynamicSecretLease"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"leaseId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"leaseId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lease"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]} as unknown as DocumentNode<RevokeDynamicSecretLeaseOpMutation, RevokeDynamicSecretLeaseOpMutationVariables>;
+export const UpdateDynamicSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateDynamicSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"dynamicSecretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"KeyMapInput"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateAwsDynamicSecret"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"dynamicSecretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"dynamicSecretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"authenticationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}},{"kind":"Argument","name":{"kind":"Name","value":"keyMap"},"value":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateDynamicSecretMutation, UpdateDynamicSecretMutationVariables>;
 export const CreateSharedSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSharedSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"input"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"LockboxInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createLockbox"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"input"},"value":{"kind":"Variable","name":{"kind":"Name","value":"input"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lockbox"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"allowedViews"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSharedSecretMutation, CreateSharedSecretMutationVariables>;
 export const SwapEnvOrderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"SwapEnvOrder"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment1Id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment2Id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"swapEnvironmentOrder"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environment1Id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment1Id"}}},{"kind":"Argument","name":{"kind":"Name","value":"environment2Id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment2Id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<SwapEnvOrderMutation, SwapEnvOrderMutationVariables>;
 export const AcceptOrganisationInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AcceptOrganisationInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<AcceptOrganisationInviteMutation, AcceptOrganisationInviteMutationVariables>;
@@ -3389,6 +3691,9 @@ export const GetOrganisationMembersDocument = {"kind":"Document","definitions":[
 export const GetOrganisationPlanDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationPlan"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationPlan"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"seatLimit"}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationPlanQuery, GetOrganisationPlanQueryVariables>;
 export const GetRolesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRoles"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"roles"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"isDefault"}}]}}]}}]} as unknown as DocumentNode<GetRolesQuery, GetRolesQueryVariables>;
 export const VerifyInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateInvite"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"organisation"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<VerifyInviteQuery, VerifyInviteQueryVariables>;
+export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
+export const GetDynamicSecretProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"configMap"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretProvidersQuery, GetDynamicSecretProvidersQueryVariables>;
+export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
 export const GetAppEnvironmentsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppEnvironments"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppEnvironmentsQuery, GetAppEnvironmentsQueryVariables>;
 export const GetAppSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppSecretsQuery, GetAppSecretsQueryVariables>;
 export const GetAppSecretsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecretsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}},{"kind":"Argument","name":{"kind":"Name","value":"eventTypes"},"value":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppSecretsLogsQuery, GetAppSecretsLogsQueryVariables>;
@@ -3399,7 +3704,7 @@ export const GetOrgSecretKeysDocument = {"kind":"Document","definitions":[{"kind
 export const GetSecretHistoryDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretHistory"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetSecretHistoryQuery, GetSecretHistoryQueryVariables>;
 export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetEnvSecretsKV"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetEnvSecretsKvQuery, GetEnvSecretsKvQueryVariables>;
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
-export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
+export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
 export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index e726ab1c0..0ebf2732b 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -53,6 +53,8 @@ type Query {
   stripeCheckoutDetails(stripeSessionId: String!): StripeCheckoutDetails
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
+  dynamicSecretProviders: [DynamicSecretProviderType]
+  dynamicSecrets(secretId: ID, appId: ID, envId: ID, orgId: ID): [DynamicSecretType]
 }
 
 type OrganisationType {
@@ -771,6 +773,107 @@ enum PlanTypeEnum {
   ENTERPRISE
 }
 
+type DynamicSecretProviderType {
+  id: String!
+  name: String!
+  credentials: GenericScalar!
+  configMap: GenericScalar!
+}
+
+"""
+The `GenericScalar` scalar type represents a generic
+GraphQL scalar value that could be:
+String, Boolean, Int, Float, List or Object.
+"""
+scalar GenericScalar
+
+type DynamicSecretType {
+  id: String!
+  name: String!
+  description: String!
+  environment: EnvironmentType!
+  folder: SecretFolderType
+  path: String!
+  authentication: ProviderCredentialsType
+
+  """Which provider this secret is associated with."""
+  provider: ApiDynamicSecretProviderChoices!
+  config: DynamicSecretConfigUnion
+  keyMap: [KeyMap]
+  createdAt: DateTime
+  updatedAt: DateTime!
+  deletedAt: DateTime
+  leases: [DynamicSecretLeaseType!]!
+  defaultTtlSeconds: Int
+  maxTtlSeconds: Int
+}
+
+enum ApiDynamicSecretProviderChoices {
+  """AWS"""
+  AWS
+}
+
+union DynamicSecretConfigUnion = AWSConfigType
+
+type AWSConfigType {
+  usernameTemplate: String!
+  iamPath: String
+  permissionBoundaryArn: String
+  groups: [String]
+  policyArns: [String]
+  policyDocument: GenericScalar
+}
+
+type KeyMap {
+  id: String
+  keyName: String
+}
+
+type DynamicSecretLeaseType {
+  id: String!
+  name: String!
+  description: String!
+  secret: DynamicSecretType!
+  organisationMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  ttl: Float!
+
+  """Current status of the lease"""
+  status: ApiDynamicSecretLeaseStatusChoices!
+  credentials: LeaseCredentialsUnion
+  createdAt: DateTime
+  renewedAt: DateTime
+  expiresAt: DateTime
+  revokedAt: DateTime
+  deletedAt: DateTime
+  cleanupJobId: String!
+}
+
+enum ApiDynamicSecretLeaseStatusChoices {
+  """Created"""
+  CREATED
+
+  """Active"""
+  ACTIVE
+
+  """Renewed"""
+  RENEWED
+
+  """Revoked"""
+  REVOKED
+
+  """Expired"""
+  EXPIRED
+}
+
+union LeaseCredentialsUnion = AwsCredentialsType
+
+type AwsCredentialsType {
+  accessKeyId: String
+  secretAccessKey: String
+  username: String
+}
+
 type Mutation {
   createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
   bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
@@ -854,6 +957,12 @@ type Mutation {
     """Payment Method ID to set as default"""
     paymentMethodId: String!
   ): SetDefaultPaymentMethodMutation
+  createAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, environmentId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): CreateAWSDynamicSecretMutation
+  updateAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, dynamicSecretId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): UpdateAWSDynamicSecretMutation
+  deleteDynamicSecret(secretId: ID!): DeleteDynamicSecretMutation
+  createDynamicSecretLease(name: String, secretId: ID!, ttl: Int): LeaseDynamicSecret
+  renewDynamicSecretLease(leaseId: ID!, ttl: Int): RenewLeaseMutation
+  revokeDynamicSecretLease(leaseId: ID!): RevokeLeaseMutation
 }
 
 type CreateOrganisationMutation {
@@ -1254,4 +1363,42 @@ type CreateSetupIntentMutation {
 
 type SetDefaultPaymentMethodMutation {
   ok: Boolean
+}
+
+type CreateAWSDynamicSecretMutation {
+  dynamicSecret: DynamicSecretType
+}
+
+input AWSConfigInput {
+  usernameTemplate: String!
+  iamPath: String = "/"
+  permissionBoundaryArn: String
+  groups: [String]
+  policyArns: [String]
+  policyDocument: GenericScalar
+}
+
+input KeyMapInput {
+  id: String!
+  keyName: String!
+}
+
+type UpdateAWSDynamicSecretMutation {
+  dynamicSecret: DynamicSecretType
+}
+
+type DeleteDynamicSecretMutation {
+  ok: Boolean
+}
+
+type LeaseDynamicSecret {
+  lease: DynamicSecretLeaseType
+}
+
+type RenewLeaseMutation {
+  lease: DynamicSecretLeaseType
+}
+
+type RevokeLeaseMutation {
+  lease: DynamicSecretLeaseType
 }
\ No newline at end of file

From c9cc5ddf42bdbd6232d0f3404d6d21440bf5d2b0 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:29:31 +0530
Subject: [PATCH 004/117] feat: add misc frontend utils

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/utils/dynamicSecrets.ts | 30 ++++++++++++++++++++++++++++++
 frontend/utils/secrets.ts        | 26 ++++++++++++++++++++++----
 2 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 frontend/utils/dynamicSecrets.ts

diff --git a/frontend/utils/dynamicSecrets.ts b/frontend/utils/dynamicSecrets.ts
new file mode 100644
index 000000000..190d9e419
--- /dev/null
+++ b/frontend/utils/dynamicSecrets.ts
@@ -0,0 +1,30 @@
+export const MINIMUM_LEASE_TTL = 60 // 1 minute
+
+export const leaseTtlButtons = [
+    {
+      label: '15min',
+      seconds: '900',
+    },
+    {
+      label: '1h',
+      seconds: '3600',
+    },
+    {
+      label: '3h',
+      seconds: '10800',
+    },
+    {
+      label: '6h',
+      seconds: '21600',
+    },
+    {
+      label: '12h',
+      seconds: '43200',
+    },
+    {
+      label: '24h',
+      seconds: '86400',
+    },
+  ]
+
+
diff --git a/frontend/utils/secrets.ts b/frontend/utils/secrets.ts
index 579ef4ac2..869cea1ba 100644
--- a/frontend/utils/secrets.ts
+++ b/frontend/utils/secrets.ts
@@ -1,4 +1,4 @@
-import { EnvironmentType, SecretType } from '@/apollo/graphql'
+import { DynamicSecretType, EnvironmentType, SecretType } from '@/apollo/graphql'
 import { AppSecret } from '@/app/[team]/apps/[app]/types'
 
 export type SortOption =
@@ -142,19 +142,37 @@ export const processEnvFile = (
   return newSecrets
 }
 
-export const duplicateKeysExist = (secrets: SecretType[] | AppSecret[]) => {
+export const duplicateKeysExist = (
+  secrets: SecretType[] | AppSecret[],
+  dynamicSecrets: DynamicSecretType[] = []
+): boolean => {
   const keySet = new Set<string>()
 
+  // Check regular secrets
   for (const secret of secrets) {
     if (keySet.has(secret.key)) {
-      return true // Duplicate key found
+      return true // Duplicate found
     }
     keySet.add(secret.key)
   }
 
-  return false // No duplicate keys found
+  // Check dynamic secrets' keyMap
+  for (const ds of dynamicSecrets) {
+    if (!ds.keyMap) continue
+
+    for (const km of ds.keyMap) {
+      if (!km?.keyName) continue
+      if (keySet.has(km.keyName)) {
+        return true // Duplicate found
+      }
+      keySet.add(km.keyName)
+    }
+  }
+
+  return false // No duplicates
 }
 
+
 export const envFilePlaceholder = `# Paste your .env here
 
 # Comments before a key-value pair will be parsed

From 8daa7e21965f7cd7c371165ba69fe521a38efcc2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:29:50 +0530
Subject: [PATCH 005/117] feat: misc improvements to stepper styling

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/onboarding/Stepper.tsx | 31 ++++++++++++----------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/frontend/components/onboarding/Stepper.tsx b/frontend/components/onboarding/Stepper.tsx
index 5b95d0105..b8cb472df 100644
--- a/frontend/components/onboarding/Stepper.tsx
+++ b/frontend/components/onboarding/Stepper.tsx
@@ -11,9 +11,10 @@ export type Step = {
 interface StepperProps {
   steps: Step[]
   activeStep: number
+  align?: 'center' | 'left'
 }
 
-export const Stepper = (props: StepperProps) => {
+export const Stepper = ({ steps, activeStep, align = 'center' }: StepperProps) => {
   const ICON_WRAPPER_BASE =
     'rounded-full transition duration-500 ease-in-out h-10 w-10 py-3 border text-center flex justify-center items-center'
   const LABEL_BASE =
@@ -21,18 +22,18 @@ export const Stepper = (props: StepperProps) => {
   const THREAD_BASE = 'flex-auto border-t transition duration-500 ease-in-out'
 
   const stepIsComplete = (step: Step) => {
-    return step.index < props.activeStep
+    return step.index < activeStep
   }
 
   const stepIsActive = (step: Step) => {
-    return step.index === props.activeStep
+    return step.index === activeStep
   }
 
   return (
-    <div className="p-5 space-y-20">
+    <div className="space-y-16">
       <div className="mx-4 p-4">
         <div className="flex items-center">
-          {props.steps.map((step: Step, index: number) => (
+          {steps.map((step: Step, index: number) => (
             <>
               <div className="flex items-center text-emerald-500 relative">
                 <div
@@ -59,12 +60,11 @@ export const Stepper = (props: StepperProps) => {
                   {step.name}
                 </div>
               </div>
-              {index !== props.steps.length - 1 && (
+              {index !== steps.length - 1 && (
                 <div
                   className={clsx(
                     THREAD_BASE,
-                    stepIsActive(props.steps[step.index + 1]) ||
-                      stepIsComplete(props.steps[step.index + 1])
+                    stepIsActive(steps[step.index + 1]) || stepIsComplete(steps[step.index + 1])
                       ? 'border-emerald-500'
                       : 'border-zinc-500'
                   )}
@@ -74,13 +74,16 @@ export const Stepper = (props: StepperProps) => {
           ))}
         </div>
       </div>
-      <div className="space-y-1">
-        <div className="text-3xl text-black dark:text-white font-bold text-center">
-          {props.steps[props.activeStep].title}
-        </div>
-        <div className="text-black/30 dark:text-white/40 text-center text-lg">
-          {props.steps[props.activeStep].description}
+      <div
+        className={clsx(
+          'border-b border-neutral-500/40 pb-2',
+          align === 'center' && 'text-center px-4'
+        )}
+      >
+        <div className="text-xl text-zinc-900 dark:text-zinc-100 font-semibold">
+          {steps[activeStep].title}
         </div>
+        <div className="text-neutral-500  text-sm">{steps[activeStep].description}</div>
       </div>
     </div>
   )

From 428217cf08e726a30d6b9f764b510ea73232940f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:30:19 +0530
Subject: [PATCH 006/117] feat: add support for custom classes to input and
 label

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/Input.tsx | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/frontend/components/common/Input.tsx b/frontend/components/common/Input.tsx
index 7a3a01d64..60667247b 100644
--- a/frontend/components/common/Input.tsx
+++ b/frontend/components/common/Input.tsx
@@ -8,18 +8,22 @@ interface InputProps extends React.InputHTMLAttributes<HTMLInputElement> {
   label?: string
   placeholder?: string
   secret?: boolean
+  labelClassName?: string
 }
 
 // Use forwardRef to allow refs to be passed to the component
 export const Input = forwardRef<HTMLInputElement, InputProps>((props, ref) => {
-  const { value, setValue, label, secret } = props
+  const { value, setValue, label, secret, labelClassName } = props
 
   const [showValue, setShowValue] = useState<boolean>(false)
 
   return (
     <div className="space-y-2 w-full">
       {label && (
-        <label className="block text-neutral-500 text-sm mb-2" htmlFor={props.id}>
+        <label
+          className={clsx('block text-neutral-500 text-sm mb-2', labelClassName)}
+          htmlFor={props.id}
+        >
           {label}
           {props.required && <span className="text-red-500 ml-1">*</span>}
         </label>
@@ -34,7 +38,8 @@ export const Input = forwardRef<HTMLInputElement, InputProps>((props, ref) => {
           className={clsx(
             'custom w-full text-zinc-800 dark:text-white bg-zinc-100 dark:bg-zinc-800 rounded-md',
             secret ? 'ph-no-capture' : '',
-            props.readOnly || props.disabled ? 'opacity-60 cursor-not-allowed' : ''
+            props.readOnly || props.disabled ? 'opacity-60 cursor-not-allowed' : '',
+            props.className
           )}
         />
         {secret && (

From 79bb77f306afaf5558d013531a457466f9da0acb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:30:37 +0530
Subject: [PATCH 007/117] fix: textarea label spacing

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/TextArea.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/components/common/TextArea.tsx b/frontend/components/common/TextArea.tsx
index 87c2abe1e..23671e0e5 100644
--- a/frontend/components/common/TextArea.tsx
+++ b/frontend/components/common/TextArea.tsx
@@ -13,7 +13,7 @@ export const Textarea = forwardRef<HTMLTextAreaElement, TextareaProps>((props, r
   const { value, setValue, label } = props
 
   return (
-    <div className="space-y-2 w-full">
+    <div className="w-full">
       {label && (
         <label className="block text-neutral-500 text-sm mb-2" htmlFor={props.id}>
           {label}

From c687a86463f7cb735b193c7aea400f3f1b1db126 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:30:49 +0530
Subject: [PATCH 008/117] fix: ghost button spinner color

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/Button.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frontend/components/common/Button.tsx b/frontend/components/common/Button.tsx
index a52f991af..1980c0913 100644
--- a/frontend/components/common/Button.tsx
+++ b/frontend/components/common/Button.tsx
@@ -64,6 +64,7 @@ export const Button = forwardRef<HTMLButtonElement, ButtonProps>(function Button
         return 'amber'
       case 'secondary':
       case 'outline':
+      case 'ghost':
         return 'neutral'
       default:
         return 'emerald'

From 2a2efb879805c6e92c58284076f9fba2b322cd03 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:31:30 +0530
Subject: [PATCH 009/117] feat: add client side queries for providers, secrets
 and leases

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/getDynamicSecrets.gql     | 35 +++++++++++++++++++
 .../queries/secrets/dynamic/getProviders.gql  |  8 +++++
 .../secrets/dynamic/getSecretLeases.gql       | 24 +++++++++++++
 .../graphql/queries/secrets/getSecrets.gql    | 29 +++++++++++++++
 4 files changed, 96 insertions(+)
 create mode 100644 frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
 create mode 100644 frontend/graphql/queries/secrets/dynamic/getProviders.gql
 create mode 100644 frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql

diff --git a/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql b/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
new file mode 100644
index 000000000..160b076ce
--- /dev/null
+++ b/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
@@ -0,0 +1,35 @@
+query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {
+  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {
+    id
+    name
+    environment {
+      id
+      name
+      index
+      app {
+        id
+        name
+      }
+    }
+    path
+    description
+    provider
+    config {
+      ... on AWSConfigType {
+        usernameTemplate
+        iamPath
+      }
+    }
+    keyMap {
+      id
+      keyName
+    }
+    defaultTtlSeconds
+    maxTtlSeconds
+    authentication {
+      id
+      name
+    }
+    createdAt
+  }
+}
diff --git a/frontend/graphql/queries/secrets/dynamic/getProviders.gql b/frontend/graphql/queries/secrets/dynamic/getProviders.gql
new file mode 100644
index 000000000..03fef1ce2
--- /dev/null
+++ b/frontend/graphql/queries/secrets/dynamic/getProviders.gql
@@ -0,0 +1,8 @@
+query GetDynamicSecretProviders {
+  dynamicSecretProviders {
+    id
+    name
+    credentials
+    configMap
+  }
+}
diff --git a/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql b/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
new file mode 100644
index 000000000..a71b05f3c
--- /dev/null
+++ b/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
@@ -0,0 +1,24 @@
+query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {
+  dynamicSecrets(secretId: $secretId, orgId: $orgId) {
+    id
+    leases {
+      id
+      name
+      createdAt
+      expiresAt
+      revokedAt
+      status
+      organisationMember {
+        id
+        fullName
+        email
+        avatarUrl
+        self
+      }
+      serviceAccount {
+        id
+        name
+      }
+    }
+  }
+}
diff --git a/frontend/graphql/queries/secrets/getSecrets.gql b/frontend/graphql/queries/secrets/getSecrets.gql
index 800a6c0af..21f00f600 100644
--- a/frontend/graphql/queries/secrets/getSecrets.gql
+++ b/frontend/graphql/queries/secrets/getSecrets.gql
@@ -37,7 +37,9 @@ query GetSecrets($appId: ID!, $envId: ID!, $path: String) {
     envType
     identityKey
     app {
+      id
       name
+      sseEnabled
     }
   }
   environmentKeys(appId: $appId, environmentId: $envId) {
@@ -63,4 +65,31 @@ query GetSecrets($appId: ID!, $envId: ID!, $path: String) {
     lastSync
     createdAt
   }
+  dynamicSecrets(envId: $envId) {
+    id
+    name
+    description
+    provider
+    keyMap {
+      id
+      keyName
+    }
+    config {
+      ... on AWSConfigType {
+        usernameTemplate
+        groups
+        iamPath
+        permissionBoundaryArn
+        policyArns
+        policyDocument
+      }
+    }
+    defaultTtlSeconds
+    maxTtlSeconds
+    authentication {
+      id
+      name
+    }
+    createdAt
+  }
 }

From 62ff986ebf498a39f12aad93ddcbc19cbda138eb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:31:48 +0530
Subject: [PATCH 010/117] feat: add client mutations to crud secrets and leases

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/createDynamicSecret.gql   | 34 +++++++++++++++++++
 .../secrets/dynamic/createLease.gql           | 16 +++++++++
 .../secrets/dynamic/deleteDynamicSecret.gql   |  5 +++
 .../secrets/dynamic/renewLease.gql            | 10 ++++++
 .../secrets/dynamic/revokeLease.gql           | 11 ++++++
 .../secrets/dynamic/updateDynamicSecret.gql   | 34 +++++++++++++++++++
 6 files changed, 110 insertions(+)
 create mode 100644 frontend/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql
 create mode 100644 frontend/graphql/mutations/environments/secrets/dynamic/createLease.gql
 create mode 100644 frontend/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql
 create mode 100644 frontend/graphql/mutations/environments/secrets/dynamic/renewLease.gql
 create mode 100644 frontend/graphql/mutations/environments/secrets/dynamic/revokeLease.gql
 create mode 100644 frontend/graphql/mutations/environments/secrets/dynamic/updateDynamicSecret.gql

diff --git a/frontend/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql b/frontend/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql
new file mode 100644
index 000000000..05cb8430a
--- /dev/null
+++ b/frontend/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql
@@ -0,0 +1,34 @@
+mutation CreateNewAWSDynamicSecret(
+  $organisationId: ID!
+  $environmentId: ID!
+  $path: String
+  $name: String!
+  $description: String
+  $defaultTtl: Int
+  $maxTtl: Int
+  $authenticationId: ID
+  $config: AWSConfigInput!
+  $keyMap: [KeyMapInput]!
+) {
+  createAwsDynamicSecret(
+    organisationId: $organisationId
+    environmentId: $environmentId
+    path: $path
+    name: $name
+    description: $description
+    defaultTtl: $defaultTtl
+    maxTtl: $maxTtl
+    authenticationId: $authenticationId
+    config: $config
+    keyMap: $keyMap
+  ) {
+    dynamicSecret {
+      id
+      name
+      description
+      provider
+      createdAt
+      updatedAt
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/environments/secrets/dynamic/createLease.gql b/frontend/graphql/mutations/environments/secrets/dynamic/createLease.gql
new file mode 100644
index 000000000..5f2f8f179
--- /dev/null
+++ b/frontend/graphql/mutations/environments/secrets/dynamic/createLease.gql
@@ -0,0 +1,16 @@
+mutation CreateDynamicSecretLease($secretId: ID!, $ttl: Int!, $name: String!) {
+  createDynamicSecretLease(secretId: $secretId, ttl: $ttl, name: $name) {
+    lease {
+      id
+      name
+      credentials {
+        ... on AwsCredentialsType {
+          accessKeyId
+          secretAccessKey
+          username
+        }
+      }
+      expiresAt
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql b/frontend/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql
new file mode 100644
index 000000000..a33dbfd82
--- /dev/null
+++ b/frontend/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql
@@ -0,0 +1,5 @@
+mutation DeleteDynamicSecretOP($secretId: ID!) {
+  deleteDynamicSecret(secretId: $secretId) {
+    ok
+  }
+}
diff --git a/frontend/graphql/mutations/environments/secrets/dynamic/renewLease.gql b/frontend/graphql/mutations/environments/secrets/dynamic/renewLease.gql
new file mode 100644
index 000000000..d85dddc50
--- /dev/null
+++ b/frontend/graphql/mutations/environments/secrets/dynamic/renewLease.gql
@@ -0,0 +1,10 @@
+mutation RenewDynamicSecretLeaseOP($leaseId: ID!, $ttl: Int!) {
+  renewDynamicSecretLease(leaseId: $leaseId, ttl: $ttl) {
+    lease {
+      id
+      name
+      expiresAt
+      status
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/environments/secrets/dynamic/revokeLease.gql b/frontend/graphql/mutations/environments/secrets/dynamic/revokeLease.gql
new file mode 100644
index 000000000..25f315ef2
--- /dev/null
+++ b/frontend/graphql/mutations/environments/secrets/dynamic/revokeLease.gql
@@ -0,0 +1,11 @@
+mutation RevokeDynamicSecretLeaseOP($leaseId: ID!) {
+  revokeDynamicSecretLease(leaseId: $leaseId) {
+    lease {
+      id
+      name
+      expiresAt
+      revokedAt
+      status
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/environments/secrets/dynamic/updateDynamicSecret.gql b/frontend/graphql/mutations/environments/secrets/dynamic/updateDynamicSecret.gql
new file mode 100644
index 000000000..8f9869083
--- /dev/null
+++ b/frontend/graphql/mutations/environments/secrets/dynamic/updateDynamicSecret.gql
@@ -0,0 +1,34 @@
+mutation UpdateDynamicSecret(
+  $dynamicSecretId: ID!
+  $organisationId: ID!
+  $path: String
+  $name: String!
+  $description: String
+  $defaultTtl: Int
+  $maxTtl: Int
+  $authenticationId: ID
+  $config: AWSConfigInput!
+  $keyMap: [KeyMapInput]!
+) {
+  updateAwsDynamicSecret(
+    organisationId: $organisationId
+    dynamicSecretId: $dynamicSecretId
+    path: $path
+    name: $name
+    description: $description
+    defaultTtl: $defaultTtl
+    maxTtl: $maxTtl
+    authenticationId: $authenticationId
+    config: $config
+    keyMap: $keyMap
+  ) {
+    dynamicSecret {
+      id
+      name
+      description
+      provider
+      createdAt
+      updatedAt
+    }
+  }
+}

From 986d2c86790c4575c4fe0c8c88bf38ffbbed4fe1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:31:59 +0530
Subject: [PATCH 011/117] fix: alert spacing

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/Alert.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/components/common/Alert.tsx b/frontend/components/common/Alert.tsx
index f08dea91b..be2d66a94 100644
--- a/frontend/components/common/Alert.tsx
+++ b/frontend/components/common/Alert.tsx
@@ -31,7 +31,7 @@ export const Alert = (props: {
   return (
     <div
       className={clsx(
-        'rounded-lg ring-1 ring-inset p-4 flex items-center gap-4',
+        'rounded-lg ring-1 ring-inset p-4 flex items-center',
         variantStyles[props.variant],
         props.size ? sizeStyles[props.size] : sizeStyles['md']
       )}

From b467f8a0be58ba9187794123df27c0b067320852 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:32:20 +0530
Subject: [PATCH 012/117] fix: aws region picker label

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/syncing/AWS/AWSRegionPicker.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/components/syncing/AWS/AWSRegionPicker.tsx b/frontend/components/syncing/AWS/AWSRegionPicker.tsx
index 6a285b3f4..ce143031b 100644
--- a/frontend/components/syncing/AWS/AWSRegionPicker.tsx
+++ b/frontend/components/syncing/AWS/AWSRegionPicker.tsx
@@ -32,7 +32,7 @@ export const AWSRegionPicker = (props: { onChange: (region: string) => void; val
             <>
               <div className="space-y-2">
                 <Combobox.Label as={Fragment}>
-                  <label className="block text-gray-700 text-sm font-bold" htmlFor="name">
+                  <label className="block text-sm text-neutral-500" htmlFor="name">
                     AWS Region
                   </label>
                 </Combobox.Label>

From 2afb906a24e09490d019182cda17a660c37f971a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:33:46 +0530
Subject: [PATCH 013/117] feat: dialog to create dynamic secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[environment]/[[...path]]/page.tsx        |  34 +-
 .../_components/CreateDynamicSecretDialog.tsx | 389 ++++++++++++++++++
 frontend/components/apps/EnableSSEDialog.tsx  |   1 +
 .../secrets/dynamic/AWSCredentials.tsx        |  62 +++
 4 files changed, 482 insertions(+), 4 deletions(-)
 create mode 100644 frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/AWSCredentials.tsx

diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index f9ac05ae3..ac1a5e472 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -1,6 +1,12 @@
 'use client'
 
-import { EnvironmentType, SecretFolderType, SecretInput, SecretType } from '@/apollo/graphql'
+import {
+  DynamicSecretType,
+  EnvironmentType,
+  SecretFolderType,
+  SecretInput,
+  SecretType,
+} from '@/apollo/graphql'
 import { KeyringContext } from '@/contexts/keyringContext'
 import { GetSecrets } from '@/graphql/queries/secrets/getSecrets.gql'
 import { GetFolders } from '@/graphql/queries/secrets/getFolders.gql'
@@ -64,6 +70,9 @@ import Spinner from '@/components/common/Spinner'
 import EnvFileDropZone from '@/components/environments/secrets/import/EnvFileDropZone'
 import SingleEnvImportDialog from '@/components/environments/secrets/import/SingleEnvImportDialog'
 import { useWarnIfUnsavedChanges } from '@/hooks/warnUnsavedChanges'
+import { FaBolt } from 'react-icons/fa6'
+import { CreateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog'
+import { DynamicSecretRow } from '@/components/environments/secrets/dynamic/DynamicSecretRow'
 
 export default function EnvironmentPath({
   params,
@@ -87,6 +96,7 @@ export default function EnvironmentPath({
   const [globallyRevealed, setGloballyRevealed] = useState<boolean>(false)
 
   const importDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+  const dynamicSecretDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
   const [sort, setSort] = useState<SortOption>('-created')
 
@@ -187,6 +197,7 @@ export default function EnvironmentPath({
   }
 
   const environment = data?.appEnvironments[0] as EnvironmentType
+  const dynamicSecrets: DynamicSecretType[] = data?.dynamicSecrets ?? []
 
   const envLinks =
     appEnvsData?.appEnvironments
@@ -217,10 +228,10 @@ export default function EnvironmentPath({
 
   /**
    * Bulk adds secrets to client state from an import
-   * 
+   *
    * If a secret key being imported already exists, we update the value and comment.
    * Otherwise, we process the import as normal, adding it as a new secret
-   * 
+   *
    * @param {SecretType[]} secrets - Secrets being imported into client state
    */
   const bulkAddSecrets = (secrets: SecretType[]) => {
@@ -502,7 +513,7 @@ export default function EnvironmentPath({
       return false
     }
 
-    if (duplicateKeysExist(clientSecrets)) {
+    if (duplicateKeysExist(clientSecrets, dynamicSecrets)) {
       toast.error('Secret keys cannot be repeated!')
       setIsloading(false)
       return false
@@ -793,6 +804,10 @@ export default function EnvironmentPath({
         onClick={() => handleAddSecret(true)}
         menuContent={
           <div className="w-max flex flex-col items-start gap-1">
+            <Button variant="secondary" onClick={() => dynamicSecretDialogRef.current?.openModal()}>
+              <FaBolt /> Dynamic Secret
+            </Button>
+
             <Button variant="secondary" onClick={() => setFolderMenuIsOpen(true)}>
               <div className="flex items-center gap-2">
                 <FaFolderPlus /> New Folder
@@ -1022,6 +1037,13 @@ export default function EnvironmentPath({
 
           <div className="flex flex-col gap-0 divide-y divide-neutral-500/20 bg-zinc-100 dark:bg-zinc-800 rounded-md shadow-md">
             <NewFolderMenu />
+            <CreateDynamicSecretDialog
+              environment={environment}
+              path={'/'}
+              ref={dynamicSecretDialogRef}
+              staticSecrets={serverSecrets}
+              dynamicSecrets={dynamicSecrets}
+            />
 
             {organisation &&
               filteredFolders.map((folder: SecretFolderType) => (
@@ -1032,6 +1054,10 @@ export default function EnvironmentPath({
                 />
               ))}
 
+            {dynamicSecrets.map((secret) => (
+              <DynamicSecretRow key={secret.id} secret={secret} />
+            ))}
+
             {organisation &&
               filteredAndSortedSecrets.map((secret, index: number) => (
                 <div
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
new file mode 100644
index 000000000..f8c119465
--- /dev/null
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
@@ -0,0 +1,389 @@
+'use client'
+
+import { forwardRef, useContext, useEffect, useImperativeHandle, useRef, useState } from 'react'
+import {
+  AwsConfigInput,
+  DynamicSecretProviderType,
+  EnvironmentType,
+  ProviderCredentialsType,
+  KeyMapInput,
+  SecretType,
+  DynamicSecretType,
+} from '@/apollo/graphql'
+import { GetDynamicSecretProviders } from '@/graphql/queries/secrets/dynamic/getProviders.gql'
+import { CreateNewAWSDynamicSecret } from '@/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Input } from '@/components/common/Input'
+import { Button } from '@/components/common/Button'
+import { FaCogs } from 'react-icons/fa'
+import { Step, Stepper } from '@/components/onboarding/Stepper'
+import { ProviderCredentialPicker } from '@/components/syncing/ProviderCredentialPicker'
+import { organisationContext } from '@/contexts/organisationContext'
+import { toUpper } from 'lodash'
+import { useMutation, useQuery } from '@apollo/client'
+import { Card } from '@/components/common/Card'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+import { FaArrowRightLong } from 'react-icons/fa6'
+import { MdOutlinePassword } from 'react-icons/md'
+import { camelCase } from 'lodash'
+import { toast } from 'react-toastify'
+import { duplicateKeysExist } from '@/utils/secrets'
+import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
+import { MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
+import { Textarea } from '@/components/common/TextArea'
+
+type CreateDynamicSecretDialogRef = {
+  openModal: () => void
+  closeModal: () => void
+}
+
+interface CreateDynamicSecretDialogProps {
+  environment: EnvironmentType
+  path: string
+  staticSecrets: SecretType[]
+  dynamicSecrets: DynamicSecretType[]
+}
+
+export const CreateDynamicSecretDialog = forwardRef<
+  CreateDynamicSecretDialogRef,
+  CreateDynamicSecretDialogProps
+>(({ environment, path, staticSecrets, dynamicSecrets }, ref) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const { data } = useQuery(GetDynamicSecretProviders)
+
+  const [createDynamicSecret] = useMutation(CreateNewAWSDynamicSecret)
+
+  const dialogRef = useRef<{ closeModal: () => void; openModal: () => void }>(null)
+
+  useImperativeHandle(ref, () => ({
+    openModal: () => dialogRef.current?.openModal(),
+    closeModal: () => dialogRef.current?.closeModal(),
+  }))
+
+  const [provider, setProvider] = useState<DynamicSecretProviderType | null>(null)
+  const [activeStep, setActiveStep] = useState(0)
+  const [formData, setFormData] = useState({
+    name: 'AWS IAM credentials',
+    description: '',
+    credential: null as ProviderCredentialsType | null,
+    config: {
+      usernameTemplate: '{{random}}',
+      iamPath: `/phase/`,
+      permissionBoundaryArn: undefined,
+      groups: [],
+      policyArns: [],
+      policyDocument: undefined,
+    } as AwsConfigInput,
+    keyMap: [] as KeyMapInput[],
+    defaultTTL: '3600',
+    maxTTL: '86400',
+  })
+
+  useEffect(() => {
+    if (!provider) return
+
+    const initialKeyMap: KeyMapInput[] = provider.credentials.map((cred: any) => {
+      return {
+        id: cred.id,
+        keyName: cred.default_key_name || '',
+      }
+    })
+
+    setFormData({
+      name: 'AWS IAM credentials',
+      description: '',
+      credential: null,
+      config: {
+        usernameTemplate: '{{random}}',
+        iamPath: `/phase/${organisation?.name}/${environment.app.name}/${environment.name}${path}`,
+      },
+      keyMap: initialKeyMap,
+      defaultTTL: '3600',
+      maxTTL: '86400',
+    })
+  }, [environment.app.name, environment.name, organisation?.name, path, provider])
+
+  const steps: Step[] = [
+    {
+      index: 0,
+      name: 'Provider',
+      icon: <FaCogs />,
+      title: 'Provider Config',
+      description: 'Enter provider-specific configuration',
+    },
+    {
+      index: 1,
+      name: 'Config',
+      icon: <MdOutlinePassword />,
+      title: 'Config',
+      description: 'Define how secrets are created and mapped to outputs',
+    },
+  ]
+
+  const nextStep = () => setActiveStep((s) => Math.min(s + 1, steps.length - 1))
+  const prevStep = () => setActiveStep((s) => Math.max(s - 1, 0))
+
+  const updateConfig = (key: string, value: string) => {
+    setFormData((prev) => ({
+      ...prev,
+      config: { ...prev.config, [key]: value },
+    }))
+  }
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+
+    if (activeStep < steps.length - 1) {
+      nextStep()
+    } else {
+      // Ensure credentials are selected
+      if (formData.credential === null) {
+        toast.error('Please select authentication credentials!')
+        return false
+      }
+
+      // Validate username template
+      const template = formData.config.usernameTemplate ?? ''
+      const randomPlaceholderRegex = /\{\{\s*random\s*\}\}/i
+
+      if (!randomPlaceholderRegex.test(template)) {
+        toast.error('Username template must include {{random}} to generate unique usernames.')
+        return false
+      }
+
+      // Check for duplicate secret names
+      if (
+        duplicateKeysExist(staticSecrets, [
+          ...dynamicSecrets,
+          { id: 'new-dynamic-secret', keyMap: formData.keyMap } as DynamicSecretType,
+        ])
+      ) {
+        toast.error(
+          'One or more secret keys already exist at this path. Please select a unique key name for each credential.'
+        )
+        return false
+      }
+
+      if (parseInt(formData.defaultTTL, 10) > parseInt(formData.maxTTL, 10)) {
+        toast.error('Default TTL must be less than or equal to Max TTL')
+      }
+
+      if (parseInt(formData.maxTTL, 10) <= MINIMUM_LEASE_TTL) {
+        toast.error(`Max TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
+      }
+
+      await createDynamicSecret({
+        variables: {
+          organisationId: organisation?.id,
+          environmentId: environment.id,
+          path,
+          name: formData.name,
+          description: formData.description,
+          defaultTtl: parseInt(formData.defaultTTL, 10),
+          maxTtl: parseInt(formData.maxTTL, 10),
+          authenticationId: formData.credential?.id ?? null,
+          config: formData.config,
+          keyMap: formData.keyMap,
+        },
+      })
+
+      toast.success('Created new dynamic secret')
+      dialogRef.current?.closeModal()
+    }
+  }
+
+  const ProviderMenu = () => (
+    <div className="grid">
+      {data?.dynamicSecretProviders?.map((provider: DynamicSecretProviderType) => (
+        <div className="cursor-pointer" key={provider.id} onClick={() => setProvider(provider)}>
+          <Card>
+            <div>
+              <div className="flex items-center gap-2 ">
+                <div className="text-5xl">
+                  <ProviderIcon providerId={provider.id} />
+                </div>
+                <div>
+                  <div className="text-xl font-semibold">{provider.name}</div>
+                  <div className="text-neutral-500">
+                    Set up a dynamic secret for {provider.name}
+                  </div>
+                </div>
+              </div>
+            </div>
+          </Card>
+        </div>
+      ))}
+    </div>
+  )
+
+  return (
+    <GenericDialog ref={dialogRef} title={`Set up a Dynamic Secret`}>
+      {!environment.app.sseEnabled ? (
+        <div className="space-y-6">
+          <div className="py-4">
+            <div className="text-lg font-semibold text-black dark:text-white">
+              Server-side encryption (SSE)
+            </div>
+            <div className="text-neutral-500">
+              Server-side encryption is required to use Dynamic Secrets. Click the button below to
+              enable SSE.
+            </div>
+          </div>
+
+          <div className="flex justify-start">
+            <EnableSSEDialog appId={environment.app.id} />
+          </div>
+        </div>
+      ) : (
+        <div className="space-y-4">
+          <div className="text-neutral-500">Configure a new dynamic secret</div>
+
+          {!provider && <ProviderMenu />}
+          {provider && (
+            <form onSubmit={handleSubmit}>
+              <Stepper steps={steps} activeStep={activeStep} align="left" />
+
+              {/* Step 2: Config */}
+              {activeStep === 0 && (
+                <div className="space-y-4 divide-y divide-neutral-500/40 text-sm">
+                  <div>
+                    <ProviderCredentialPicker
+                      credential={formData.credential}
+                      setCredential={(cred) => setFormData({ ...formData, credential: cred })}
+                      orgId={organisation!.id}
+                      providerFilter={provider.id}
+                    />
+                  </div>
+                  <div className="space-y-4 pt-2">
+                    {provider.configMap.map(
+                      (field: {
+                        id: keyof AwsConfigInput
+                        label: string
+                        help_text?: string
+                        required?: boolean
+                        default?: any
+                      }) => (
+                        <Textarea
+                          key={field.id}
+                          label={field.label}
+                          placeholder={field.help_text}
+                          required={field.required}
+                          value={
+                            formData.config[camelCase(field.id) as keyof AwsConfigInput] ??
+                            field.default ??
+                            ''
+                          }
+                          setValue={(val) => updateConfig(camelCase(field.id), val)}
+                        />
+                      )
+                    )}
+                  </div>
+                </div>
+              )}
+
+              {/* Step 3: Key Mapping */}
+              {activeStep === 1 && (
+                <div className="space-y-6 divide-y divide-neutral-500/40 text-sm">
+                  <div className="space-y-4">
+                    <Input
+                      label="Name"
+                      required
+                      placeholder="The name for this dynamic secret"
+                      value={formData.name}
+                      setValue={(val) => setFormData({ ...formData, name: val })}
+                    />
+                    <Input
+                      label="Description"
+                      placeholder="Optional description for this dynamic secret"
+                      value={formData.description}
+                      setValue={(val) => setFormData({ ...formData, description: val })}
+                    />
+                  </div>
+
+                  <div className="space-y-4 pt-6">
+                    <div className="border-b border-neutral-500/20">
+                      <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">
+                        TTLs
+                      </div>
+                      <div className="text-neutral-500 text-xs">
+                        Configure the default and max TTLs for generated secrets
+                      </div>
+                    </div>
+                    <Input
+                      type="number"
+                      label="Default TTL (seconds)"
+                      required
+                      min={1}
+                      value={formData.defaultTTL}
+                      setValue={(val) => setFormData({ ...formData, defaultTTL: val })}
+                    />
+                    <Input
+                      type="number"
+                      label="Max TTL (seconds)"
+                      required
+                      min={1}
+                      value={formData.maxTTL}
+                      setValue={(val) => setFormData({ ...formData, maxTTL: val })}
+                    />
+                  </div>
+
+                  <div className="space-y-4 pt-6">
+                    <div className="border-b border-neutral-500/20">
+                      <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">
+                        Outputs
+                      </div>
+                      <div className="text-neutral-500 text-xs">
+                        Configure how generated secrets are mapped to keys in your environment
+                      </div>
+                    </div>
+
+                    {formData.keyMap.map((key) => (
+                      <div key={key.id} className="flex items-center gap-4">
+                        <div className="flex-1 font-mono text-sm text-zinc-900 dark:text-zinc-100">
+                          {toUpper(key.id)}
+                        </div>
+                        <FaArrowRightLong className="text-neutral-500" />
+                        <div className="flex-1">
+                          <Input
+                            className="font-mono"
+                            placeholder="Enter secret name"
+                            value={key.keyName ?? ''}
+                            setValue={(val) =>
+                              setFormData((prev) => ({
+                                ...prev,
+                                keyMap: prev.keyMap.map((k) =>
+                                  k.id === key.id ? { ...k, keyName: val } : k
+                                ),
+                              }))
+                            }
+                          />
+                        </div>
+                      </div>
+                    ))}
+                  </div>
+                </div>
+              )}
+
+              <div className="flex justify-between mt-6">
+                <Button
+                  variant="secondary"
+                  type="button"
+                  onClick={prevStep}
+                  disabled={activeStep === 0}
+                >
+                  Back
+                </Button>
+                <Button variant="primary" type="submit">
+                  {activeStep < steps.length - 1 ? 'Next' : 'Finish'}
+                </Button>
+              </div>
+            </form>
+          )}
+        </div>
+      )}
+    </GenericDialog>
+  )
+})
+
+CreateDynamicSecretDialog.displayName = 'CreateDynamicSecretDialog'
diff --git a/frontend/components/apps/EnableSSEDialog.tsx b/frontend/components/apps/EnableSSEDialog.tsx
index fd8a70604..f3e7d08ca 100644
--- a/frontend/components/apps/EnableSSEDialog.tsx
+++ b/frontend/components/apps/EnableSSEDialog.tsx
@@ -161,6 +161,7 @@ export const EnableSSEDialog = (props: { appId: string }) => {
                       </p>
                       <ul className="text-neutral-500 list-disc list-inside">
                         <li>Set up automatic syncing of secrets via third-party integrations</li>
+                        <li>Create and manage dynamic secrets</li>
                         <li>Access and update secrets over the API</li>
                       </ul>
 
diff --git a/frontend/components/environments/secrets/dynamic/AWSCredentials.tsx b/frontend/components/environments/secrets/dynamic/AWSCredentials.tsx
new file mode 100644
index 000000000..2ea710c3e
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/AWSCredentials.tsx
@@ -0,0 +1,62 @@
+import { DynamicSecretLeaseType, KeyMap } from '@/apollo/graphql'
+import CopyButton from '@/components/common/CopyButton'
+import { Input } from '@/components/common/Input'
+
+export const AWSCredentials = ({
+  lease,
+  keyMap,
+}: {
+  lease: DynamicSecretLeaseType
+  keyMap: KeyMap[]
+}) => {
+  if (!lease.credentials) return <></>
+
+  const credentialKeyName = (credentialId: string) =>
+    keyMap.find((key) => key.id === credentialId)?.keyName ?? credentialId
+
+  return (
+    <>
+      <div className="relative">
+        <Input
+          type="password"
+          value={lease.credentials.accessKeyId || ''}
+          setValue={() => {}}
+          readOnly
+          label={credentialKeyName('access_key_id')}
+          labelClassName="font-mono"
+        />
+        <div className="absolute right-2 top-9">
+          <CopyButton value={lease.credentials.accessKeyId || ''} />
+        </div>
+      </div>
+
+      <div className="relative">
+        <Input
+          type="password"
+          value={lease.credentials.secretAccessKey || ''}
+          setValue={() => {}}
+          readOnly
+          label={credentialKeyName('secret_access_key')}
+          labelClassName="font-mono"
+        />
+        <div className="absolute right-2 top-9">
+          <CopyButton value={lease.credentials.secretAccessKey || ''} />
+        </div>
+      </div>
+
+      <div className="relative">
+        <Input
+          type="password"
+          value={lease.credentials.username || ''}
+          setValue={() => {}}
+          readOnly
+          label={credentialKeyName('username')}
+          labelClassName="font-mono"
+        />
+        <div className="absolute right-2 top-9">
+          <CopyButton value={lease.credentials.username || ''} />
+        </div>
+      </div>
+    </>
+  )
+}

From 0da7f7c282a3425f1919134c89109e3433b2f636 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:34:58 +0530
Subject: [PATCH 014/117] feat: frontend to view and manage dynamic secrets and
 leases

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/UpdateDynamicSecretDialog.tsx | 311 ++++++++++++++++++
 frontend/components/common/GenericDialog.tsx  |   1 +
 .../secrets/dynamic/CreateLeaseDialog.tsx     | 147 +++++++++
 .../dynamic/DeleteDynamicSecretDialog.tsx     |  75 +++++
 .../secrets/dynamic/DynamicSecretRow.tsx      |  68 ++++
 .../secrets/dynamic/LeaseCard.tsx             |  99 ++++++
 .../dynamic/ManageDynamicSecretDialog.tsx     |  94 ++++++
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 128 +++++++
 .../secrets/dynamic/RevokeLeaseDialog.tsx     |  88 +++++
 .../syncing/ProviderCredentialPicker.tsx      |  12 +-
 10 files changed, 1017 insertions(+), 6 deletions(-)
 create mode 100644 frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/DeleteDynamicSecretDialog.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/LeaseCard.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
 create mode 100644 frontend/components/environments/secrets/dynamic/RevokeLeaseDialog.tsx

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
new file mode 100644
index 000000000..4a7e094b0
--- /dev/null
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
@@ -0,0 +1,311 @@
+import { forwardRef, useContext, useImperativeHandle, useRef, useState, useEffect } from 'react'
+import {
+  AwsConfigInput,
+  DynamicSecretProviderType,
+  EnvironmentType,
+  ProviderCredentialsType,
+  KeyMapInput,
+  SecretType,
+  DynamicSecretType,
+} from '@/apollo/graphql'
+import { GetDynamicSecretProviders } from '@/graphql/queries/secrets/dynamic/getProviders.gql'
+import { UpdateDynamicSecret } from '@/graphql/mutations/environments/secrets/dynamic/updateDynamicSecret.gql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Input } from '@/components/common/Input'
+import { Button } from '@/components/common/Button'
+import { Step, Stepper } from '@/components/onboarding/Stepper'
+import { ProviderCredentialPicker } from '@/components/syncing/ProviderCredentialPicker'
+import { organisationContext } from '@/contexts/organisationContext'
+import { useMutation, useQuery } from '@apollo/client'
+import { Card } from '@/components/common/Card'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+import { FaArrowRightLong } from 'react-icons/fa6'
+import { MdOutlinePassword } from 'react-icons/md'
+import { camelCase, toUpper } from 'lodash'
+import { toast } from 'react-toastify'
+import { duplicateKeysExist } from '@/utils/secrets'
+import { FaCog, FaCogs } from 'react-icons/fa'
+import { Textarea } from '@/components/common/TextArea'
+
+type UpdateDynamicSecretDialogRef = {
+  openModal: () => void
+  closeModal: () => void
+}
+
+interface UpdateDynamicSecretDialogProps {
+  staticSecrets: SecretType[]
+  dynamicSecrets: DynamicSecretType[]
+  secret: DynamicSecretType // The secret to update
+}
+
+export const UpdateDynamicSecretDialog = forwardRef<
+  UpdateDynamicSecretDialogRef,
+  UpdateDynamicSecretDialogProps
+>(({ staticSecrets, dynamicSecrets, secret }, ref) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const [updateDynamicSecret] = useMutation(UpdateDynamicSecret)
+  const dialogRef = useRef<{ closeModal: () => void; openModal: () => void }>(null)
+
+  useImperativeHandle(ref, () => ({
+    openModal: () => dialogRef.current?.openModal(),
+    closeModal: () => dialogRef.current?.closeModal(),
+  }))
+
+  const [activeStep, setActiveStep] = useState(0)
+
+  const nextStep = () => setActiveStep((s) => Math.min(s + 1, steps.length - 1))
+  const prevStep = () => setActiveStep((s) => Math.max(s - 1, 0))
+
+  const { data } = useQuery(GetDynamicSecretProviders)
+
+  const provider: DynamicSecretProviderType = data?.dynamicSecretProviders.find(
+    (p: DynamicSecretProviderType) => p.id === secret.provider.toLowerCase()
+  )
+
+  // Initialize form with existing secret config
+  const [formData, setFormData] = useState({
+    name: secret.name,
+    description: secret.description ?? '',
+    credential: secret.authentication as ProviderCredentialsType | null,
+    config: secret.config as AwsConfigInput,
+    keyMap: secret.keyMap as KeyMapInput[],
+    defaultTTL: String(secret.defaultTtlSeconds ?? '3600'),
+    maxTTL: String(secret.maxTtlSeconds ?? '86400'),
+  })
+
+  useEffect(() => {
+    function sanitize(obj: any): any {
+      if (Array.isArray(obj)) return obj.map(sanitize)
+      if (obj && typeof obj === 'object') {
+        const { __typename, ...rest } = obj
+        return Object.fromEntries(Object.entries(rest).map(([k, v]) => [k, sanitize(v)]))
+      }
+      return obj
+    }
+    setFormData({
+      name: secret.name,
+      description: secret.description ?? '',
+      credential: sanitize(secret.authentication) as ProviderCredentialsType | null,
+      config: sanitize(secret.config) as AwsConfigInput,
+      keyMap: sanitize(secret.keyMap) as KeyMapInput[],
+      defaultTTL: String(secret.defaultTtlSeconds ?? '3600'),
+      maxTTL: String(secret.maxTtlSeconds ?? '86400'),
+    })
+  }, [secret])
+  const steps: Step[] = [
+    {
+      index: 0,
+      name: 'Provider',
+      icon: <FaCogs />,
+      title: 'Provider Config',
+      description: 'Enter provider-specific configuration',
+    },
+    {
+      index: 1,
+      name: 'Config',
+      icon: <MdOutlinePassword />,
+      title: 'Config',
+      description: 'Define how secrets are created and mapped to outputs',
+    },
+  ]
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+
+    if (activeStep < steps.length - 1) {
+      nextStep()
+    } else {
+      // Validate credential
+      if (formData.credential === null) {
+        toast.error('Please select authentication credentials!')
+        return false
+      }
+
+      // Validate username template
+      const template = formData.config.usernameTemplate ?? ''
+      const randomPlaceholderRegex = /\{\{\s*random\s*\}\}/i
+      if (!randomPlaceholderRegex.test(template)) {
+        toast.error('Username template must include {{random}} to generate unique usernames.')
+        return false
+      }
+
+      // Check for duplicate secret names
+      if (
+        duplicateKeysExist(staticSecrets, [
+          ...dynamicSecrets.filter((ds) => ds.id !== secret.id),
+          { ...secret, keyMap: formData.keyMap },
+        ])
+      ) {
+        toast.error(
+          'One or more secret keys already exist at this path. Please select a unique key name for each credential.'
+        )
+        return false
+      }
+
+      await updateDynamicSecret({
+        variables: {
+          dynamicSecretId: secret.id,
+          organisationId: organisation?.id,
+          path: secret.path,
+          name: formData.name,
+          description: formData.description,
+          defaultTtl: parseInt(formData.defaultTTL, 10),
+          maxTtl: parseInt(formData.maxTTL, 10),
+          authenticationId: formData.credential?.id ?? null,
+          config: formData.config,
+          keyMap: formData.keyMap,
+        },
+      })
+
+      toast.success('Updated dynamic secret')
+      dialogRef.current?.closeModal()
+    }
+  }
+
+  const updateConfig = (key: string, value: string) => {
+    setFormData((prev) => ({
+      ...prev,
+      config: { ...prev.config, [key]: value },
+    }))
+  }
+
+  return (
+    <GenericDialog
+      ref={dialogRef}
+      title={`Update Dynamic Secret`}
+      buttonVariant="secondary"
+      buttonContent={
+        <>
+          <FaCog /> Update
+        </>
+      }
+    >
+      <form onSubmit={handleSubmit}>
+        <Stepper steps={steps} activeStep={activeStep} align="left" />
+        {activeStep === 0 && (
+          <div className="space-y-4 divide-y divide-neutral-500/40 text-sm">
+            <div>
+              <ProviderCredentialPicker
+                credential={formData.credential}
+                setCredential={(cred) => setFormData({ ...formData, credential: cred })}
+                orgId={organisation!.id}
+                providerFilter={'aws'}
+              />
+            </div>
+
+            {provider && (
+              <div className="space-y-4 pt-2">
+                {provider.configMap.map(
+                  (field: {
+                    id: keyof AwsConfigInput
+                    label: string
+                    help_text?: string
+                    required?: boolean
+                    default?: any
+                  }) => (
+                    <Textarea
+                      key={field.id}
+                      label={field.label}
+                      placeholder={field.help_text}
+                      required={field.required}
+                      value={
+                        formData.config[camelCase(field.id) as keyof AwsConfigInput] ??
+                        field.default ??
+                        ''
+                      }
+                      setValue={(val) => updateConfig(camelCase(field.id), val)}
+                    />
+                  )
+                )}
+              </div>
+            )}
+          </div>
+        )}
+        {activeStep === 1 && (
+          <div className="space-y-6 divide-y divide-neutral-500/40 text-sm">
+            <div className="space-y-4">
+              <Input
+                label="Name"
+                required
+                placeholder="The name for this dynamic secret"
+                value={formData.name}
+                setValue={(val) => setFormData({ ...formData, name: val })}
+              />
+              <Input
+                label="Description"
+                placeholder="Optional description for this dynamic secret"
+                value={formData.description}
+                setValue={(val) => setFormData({ ...formData, description: val })}
+              />
+            </div>
+            <div className="space-y-4 pt-6">
+              <div className="border-b border-neutral-500/20">
+                <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">TTLs</div>
+                <div className="text-neutral-500 text-xs">
+                  Configure the default and max TTLs for generated secrets
+                </div>
+              </div>
+              <Input
+                type="number"
+                label="Default TTL (seconds)"
+                required
+                min={1}
+                value={formData.defaultTTL}
+                setValue={(val) => setFormData({ ...formData, defaultTTL: val })}
+              />
+              <Input
+                type="number"
+                label="Max TTL (seconds)"
+                required
+                min={1}
+                value={formData.maxTTL}
+                setValue={(val) => setFormData({ ...formData, maxTTL: val })}
+              />
+            </div>
+            <div className="space-y-4 pt-6">
+              <div className="border-b border-neutral-500/20">
+                <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">Outputs</div>
+                <div className="text-neutral-500 text-xs">
+                  Configure how generated secrets are mapped to keys in your environment
+                </div>
+              </div>
+              {formData.keyMap.map((key) => (
+                <div key={key.id} className="flex items-center gap-4">
+                  <div className="flex-1 font-mono text-sm text-zinc-900 dark:text-zinc-100">
+                    {toUpper(key.id)}
+                  </div>
+                  <FaArrowRightLong className="text-neutral-500" />
+                  <div className="flex-1">
+                    <Input
+                      className="font-mono"
+                      placeholder="Enter secret name"
+                      value={key.keyName ?? ''}
+                      setValue={(val) =>
+                        setFormData((prev) => ({
+                          ...prev,
+                          keyMap: prev.keyMap.map((k) =>
+                            k.id === key.id ? { ...k, keyName: val } : k
+                          ),
+                        }))
+                      }
+                    />
+                  </div>
+                </div>
+              ))}
+            </div>
+          </div>
+        )}
+        <div className="flex justify-between mt-6">
+          <Button variant="secondary" type="button" onClick={prevStep} disabled={activeStep === 0}>
+            Back
+          </Button>
+          <Button variant="primary" type="submit">
+            {activeStep < steps.length - 1 ? 'Next' : 'Save'}
+          </Button>
+        </div>
+      </form>
+    </GenericDialog>
+  )
+})
+
+UpdateDynamicSecretDialog.displayName = 'UpdateDynamicSecretDialog'
diff --git a/frontend/components/common/GenericDialog.tsx b/frontend/components/common/GenericDialog.tsx
index b70002af9..e5a547b9c 100644
--- a/frontend/components/common/GenericDialog.tsx
+++ b/frontend/components/common/GenericDialog.tsx
@@ -51,6 +51,7 @@ const GenericDialog = forwardRef(
     }
 
     useImperativeHandle(ref, () => ({
+      isOpen,
       openModal,
       closeModal,
     }))
diff --git a/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
new file mode 100644
index 000000000..3c7444bae
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
@@ -0,0 +1,147 @@
+import { DynamicSecretLeaseType, DynamicSecretType, KeyMap } from '@/apollo/graphql'
+import { Alert } from '@/components/common/Alert'
+import { Button } from '@/components/common/Button'
+import CopyButton from '@/components/common/CopyButton'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Input } from '@/components/common/Input'
+import { Textarea } from '@/components/common/TextArea'
+import { organisationContext } from '@/contexts/organisationContext'
+import { CreateDynamicSecretLease } from '@/graphql/mutations/environments/secrets/dynamic/createLease.gql'
+import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
+import { leaseTtlButtons } from '@/utils/dynamicSecrets'
+import { relativeTimeFromDates } from '@/utils/time'
+import { useMutation } from '@apollo/client'
+import { useContext, useState } from 'react'
+import { FaInfoCircle } from 'react-icons/fa'
+import { FaBolt } from 'react-icons/fa6'
+import { toast } from 'react-toastify'
+import { AWSCredentials } from './AWSCredentials'
+
+export const CreateLeaseDialog = ({ secret }: { secret: DynamicSecretType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [createLease, { loading }] = useMutation(CreateDynamicSecretLease)
+
+  const [ttl, setTtl] = useState(secret.defaultTtlSeconds!.toString())
+  const [name, setName] = useState(secret.name)
+
+  const [lease, setLease] = useState<DynamicSecretLeaseType | null>(null)
+
+  const reset = () => {
+    setTtl(secret.defaultTtlSeconds!.toString())
+    setName(secret.name)
+    setLease(null)
+  }
+
+  const handleCreateLease = async () => {
+    if (parseInt(ttl) > secret.maxTtlSeconds!) {
+      toast.error(`The maximum allowed TTL for this secret is ${secret.maxTtlSeconds}`)
+      return
+    }
+    try {
+      const result = await createLease({
+        variables: { secretId: secret.id, ttl: parseInt(ttl), name },
+        refetchQueries: [
+          {
+            query: GetDynamicSecretLeases,
+            variables: { secretId: secret.id, orgId: organisation?.id },
+          },
+        ],
+      })
+
+      const lease = result.data?.createDynamicSecretLease?.lease
+      if (lease) {
+        toast.success('Created new lease!')
+        setLease(lease)
+      }
+    } catch (error) {
+      console.error(error)
+      toast.error('Failed to create lease')
+    }
+  }
+
+  const ttlButtons = leaseTtlButtons.filter((button) =>
+    secret.maxTtlSeconds ? parseInt(button.seconds) <= secret.maxTtlSeconds : button
+  )
+
+  return (
+    <GenericDialog
+      title="Generate secrets"
+      buttonContent={
+        <>
+          <FaBolt /> Generate
+        </>
+      }
+      onClose={reset}
+    >
+      <div className="space-y-6">
+        <div className="text-neutral-500">
+          Generate new values for this dynamic secret. These values will be leased to you for the
+          specifed TTL.
+        </div>
+
+        {lease?.credentials ? (
+          <div className="space-y-4">
+            <div className="border-b border-neutral-500/40 pb-2">
+              <div className="text-base font-semibold text-zinc-900 dark:text-zinc-100">
+                {lease.name}
+              </div>
+              <span className="text-neutral-500 text-sm">Lease ID: </span>
+              <CopyButton value={lease.id}>
+                <span className="text-xs font-mono">{lease.id}</span>
+              </CopyButton>
+            </div>
+            <Alert variant="warning" size="sm" icon={true}>
+              Copy these values. You will not be able to view them once this dialog is closed!
+            </Alert>
+
+            <AWSCredentials lease={lease} keyMap={(secret?.keyMap as KeyMap[]) || []} />
+
+            <div>
+              <div
+                className="flex items-center gap-2 text-neutral-500 text-sm"
+                title={lease.expiresAt}
+              >
+                <FaInfoCircle /> This lease expires{' '}
+                {relativeTimeFromDates(new Date(lease.expiresAt))}
+              </div>
+              <div className="font-mono text-sm text-neutral-500">({lease.expiresAt})</div>
+            </div>
+          </div>
+        ) : (
+          <div className="space-y-2">
+            <Input value={name} setValue={setName} label="Name" required />
+
+            <Input
+              value={ttl}
+              setValue={setTtl}
+              type="number"
+              label="TTL (seconds)"
+              max={secret.maxTtlSeconds!}
+              required
+            />
+
+            <div className="flex items-center gap-4">
+              {ttlButtons.map((button) => (
+                <Button
+                  variant={ttl === button.seconds ? 'secondary' : 'ghost'}
+                  key={button.label}
+                  onClick={() => setTtl(button.seconds)}
+                >
+                  {button.label}
+                </Button>
+              ))}
+            </div>
+          </div>
+        )}
+        <div className="flex justify-end">
+          {!lease?.credentials && (
+            <Button onClick={handleCreateLease} variant="primary" icon={FaBolt} isLoading={loading}>
+              Generate
+            </Button>
+          )}
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/environments/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/components/environments/secrets/dynamic/DeleteDynamicSecretDialog.tsx
new file mode 100644
index 000000000..14c20f7e5
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/DeleteDynamicSecretDialog.tsx
@@ -0,0 +1,75 @@
+import { DynamicSecretType, KeyMap } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { organisationContext } from '@/contexts/organisationContext'
+import { DeleteDynamicSecretOP } from '@/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef } from 'react'
+import { FaTrashAlt } from 'react-icons/fa'
+import { toast } from 'react-toastify'
+import { userHasPermission } from '@/utils/access/permissions'
+import { Button } from '@/components/common/Button'
+
+export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [deleteSecret, { loading: deleteIsPending }] = useMutation(DeleteDynamicSecretOP)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const closeModal = () => dialogRef.current?.closeModal()
+
+  const keyMap: KeyMap[] = secret.keyMap as KeyMap[]
+
+  const handleDelete = async () => {
+    await deleteSecret({ variables: { secretId: secret.id } })
+    toast.success('Deleted dynamic secret')
+  }
+
+  const activeUserCanDeleteUsers = organisation?.role?.permissions
+    ? userHasPermission(organisation?.role?.permissions, 'Members', 'delete', false)
+    : false
+
+  if (!activeUserCanDeleteUsers) return <></>
+
+  return (
+    <GenericDialog
+      title="Delete Dynamic Secret"
+      buttonVariant="danger"
+      buttonContent={
+        <div className="py-1">
+          <FaTrashAlt />
+        </div>
+      }
+    >
+      <div className="space-y-6">
+        <p className="text-neutral-500 py-4">
+          Are you sure you want to delete this dynamic secret? This will immediately revoke all
+          active leases and delete the following secrets from your environment:
+          <ul>
+            {keyMap.map((k: KeyMap) => (
+              <li
+                key={k.keyName}
+                className="list-disc list-inside font-mono text-red-400 line-through"
+              >
+                {k.keyName?.toUpperCase()}
+              </li>
+            ))}
+          </ul>
+        </p>
+        <div className="flex items-center justify-between gap-4">
+          <Button variant="secondary" type="button" onClick={closeModal}>
+            Cancel
+          </Button>
+          <Button
+            variant="danger"
+            onClick={handleDelete}
+            isLoading={deleteIsPending}
+            icon={FaTrashAlt}
+          >
+            Delete Dynamic Secret
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
new file mode 100644
index 000000000..4fb199ba8
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
@@ -0,0 +1,68 @@
+import { DynamicSecretType, KeyMap } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import clsx from 'clsx'
+import { FaCog } from 'react-icons/fa'
+import { FaBolt } from 'react-icons/fa6'
+
+import { useMutation } from '@apollo/client'
+import { CreateLeaseDialog } from './CreateLeaseDialog'
+import { ManageDynamicSecretDialog } from './ManageDynamicSecretDialog'
+import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
+import { Input } from '@/components/common/Input'
+import { useMemo } from 'react'
+import { UpdateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog'
+
+export const DynamicSecretRow = ({ secret }: { secret: DynamicSecretType }) => {
+  const keyMap: KeyMap[] = (secret.keyMap as KeyMap[]) ?? []
+
+  const KEY_BASE_STYLE = 'w-full font-mono custom bg-transparent transition ease p-1 ph-no-capture'
+
+  function randomString(min = 6, max = 18) {
+    const length = Math.floor(Math.random() * (max - min + 1)) + min
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+    let result = ''
+    for (let i = 0; i < length; i++) {
+      result += chars.charAt(Math.floor(Math.random() * chars.length))
+    }
+    return result
+  }
+
+  return (
+    <div className="p-2 ring-1 ring-inset ring-emerald-400/20 flex w-full rounded-lg group">
+      <div className="w-1/3">
+        <div className="text-2xs text-emerald-500 flex items-center gap-1 bg-emerald-400/10 rounded-full w-min whitespace-nowrap px-1">
+          <FaBolt /> {secret.name}
+        </div>
+        <div className={clsx('flex flex-col gap-2 group relative pl-8 ')}>
+          {keyMap.map((key) => (
+            <div key={key.id} className={KEY_BASE_STYLE}>
+              {String(key.keyName).toUpperCase()}
+            </div>
+          ))}
+        </div>
+      </div>
+      <div className="w-2/3 px-6 relative group">
+        <div className="absolute flex flex-col gap-2 pointer-events-none group-hover:opacity-0 transition ease">
+          {keyMap.map((k) => (
+            <input
+              className="custom outline-none font-mono bg-transparent"
+              key={`value-${k.keyName}`}
+              readOnly
+              type="password"
+              value={randomString()}
+            />
+          ))}
+        </div>
+
+        <div className="flex h-full items-center gap-4  opacity-0 group-hover:opacity-100 transition ease">
+          <CreateLeaseDialog secret={secret} />
+          <ManageDynamicSecretDialog secret={secret} />
+          <UpdateDynamicSecretDialog secret={secret} staticSecrets={[]} dynamicSecrets={[]} />
+        </div>
+      </div>
+      <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center">
+        <DeleteDynamicSecretDialog secret={secret} />
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/components/environments/secrets/dynamic/LeaseCard.tsx b/frontend/components/environments/secrets/dynamic/LeaseCard.tsx
new file mode 100644
index 000000000..f747568ff
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/LeaseCard.tsx
@@ -0,0 +1,99 @@
+import {
+  ApiDynamicSecretLeaseStatusChoices,
+  DynamicSecretLeaseType,
+  DynamicSecretType,
+} from '@/apollo/graphql'
+import { Avatar } from '@/components/common/Avatar'
+import { Button } from '@/components/common/Button'
+import { relativeTimeFromDates } from '@/utils/time'
+import clsx from 'clsx'
+import { FaBan } from 'react-icons/fa6'
+import { FiRefreshCw } from 'react-icons/fi'
+import { RenewLeaseDialog } from './RenewLeaseDialog'
+import { RevokeLeaseDialog } from './RevokeLeaseDialog'
+
+export const LeaseCard = ({
+  secret,
+  lease,
+}: {
+  secret: DynamicSecretType
+  lease: DynamicSecretLeaseType
+}) => {
+  const toTitleCase = (str: string) => str.charAt(0).toUpperCase() + str.slice(1).toLowerCase()
+
+  //const isExpired = new Date(lease.expiresAt) <= new Date()
+  const isRevoked = lease.revokedAt !== null && new Date(lease.revokedAt) <= new Date()
+
+  const leaseStatusBadge = (status: ApiDynamicSecretLeaseStatusChoices) => {
+    const styles: Record<ApiDynamicSecretLeaseStatusChoices, string> = {
+      [ApiDynamicSecretLeaseStatusChoices.Active]:
+        'bg-emerald-400/10 text-emerald-400 ring-1 ring-inset ring-emerald-400/10',
+      [ApiDynamicSecretLeaseStatusChoices.Created]:
+        'bg-blue-400/10 text-blue-400 ring-1 ring-inset ring-blue-400/10',
+      [ApiDynamicSecretLeaseStatusChoices.Expired]:
+        'bg-gray-400/10 text-gray-400 ring-1 ring-inset ring-gray-400/10',
+      [ApiDynamicSecretLeaseStatusChoices.Renewed]:
+        'bg-emerald-400/10 text-emerald-400 ring-1 ring-inset ring-emerald-400/10',
+      [ApiDynamicSecretLeaseStatusChoices.Revoked]:
+        'bg-red-400/10 text-red-400 ring-1 ring-inset ring-red-400/10',
+    }
+
+    return (
+      <span
+        className={clsx(
+          'inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-2xs font-medium',
+          styles[status] ??
+            'bg-neutral-400/10 text-neutral-700 ring-1 ring-inset ring-neutral-400/20'
+        )}
+      >
+        <span className="size-2 rounded-full bg-current" />
+        {toTitleCase(status)}
+      </span>
+    )
+  }
+
+  return (
+    <div className="grid grid-cols-5 text-sm py-2" key={lease.id}>
+      <div className="col-span-2">
+        <div className="flex items-center gap-1">{leaseStatusBadge(lease.status)}</div>
+        <div className="font-medium text-sm text-zinc-900 dark:text-zinc-100">{lease.name}</div>
+        <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
+      </div>
+
+      <div className="space-y-1 col-span-2">
+        <div className="text-neutral-500 flex items-center gap-2 text-xs">
+          Created {relativeTimeFromDates(new Date(lease.createdAt))}
+          {(lease.organisationMember || lease.serviceAccount) && (
+            <div className="flex items-center gap-1">
+              <span className="text-neutral-500 w-4">by</span>
+              <Avatar
+                member={lease.organisationMember || undefined}
+                serviceAccount={lease.serviceAccount || undefined}
+                size="sm"
+              />
+              <span className="font-medium text-zinc-900 dark:text-zinc-100">
+                {lease.organisationMember?.self
+                  ? 'You'
+                  : lease.organisationMember?.fullName || lease.serviceAccount?.name}
+              </span>
+            </div>
+          )}
+        </div>
+        {isRevoked ? (
+          <div className="text-red-400 text-xs">
+            {`${lease.status == ApiDynamicSecretLeaseStatusChoices.Expired ? 'Expire' : 'Revoke'}${isRevoked ? 'd' : 's'}`}{' '}
+            {relativeTimeFromDates(new Date(lease.revokedAt))}
+          </div>
+        ) : (
+          <div className="text-neutral-500">
+            Expires {relativeTimeFromDates(new Date(lease.expiresAt))}
+          </div>
+        )}
+      </div>
+      <div className={clsx('flex flex-col gap-2 items-end', isRevoked ? 'pt-9' : '')}>
+        {!isRevoked && <RenewLeaseDialog secret={secret} lease={lease} />}
+        {!lease.revokedAt && <RevokeLeaseDialog secret={secret} lease={lease} />}
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx b/frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx
new file mode 100644
index 000000000..3e384b6c3
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx
@@ -0,0 +1,94 @@
+import { DynamicSecretLeaseType, DynamicSecretType } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import GenericDialog from '@/components/common/GenericDialog'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
+import { useQuery } from '@apollo/client'
+import { useContext, useRef, useState } from 'react'
+import { FaAngleDoubleDown, FaAngleDoubleUp, FaCog } from 'react-icons/fa'
+import { LeaseCard } from './LeaseCard'
+import { FiRefreshCw } from 'react-icons/fi'
+import { FaListCheck } from 'react-icons/fa6'
+import { CreateLeaseDialog } from './CreateLeaseDialog'
+import { EmptyState } from '@/components/common/EmptyState'
+
+export const ManageDynamicSecretDialog = ({ secret }: { secret: DynamicSecretType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const dialogRef = useRef<{ closeModal: () => void; isOpen: boolean }>(null)
+
+  const { data, refetch, loading } = useQuery(GetDynamicSecretLeases, {
+    variables: { secretId: secret.id, orgId: organisation?.id },
+    skip: !organisation,
+    notifyOnNetworkStatusChange: true,
+  })
+
+  const handleRefetch = async () => await refetch()
+
+  const [viewLimit, setViewLimit] = useState(10)
+
+  const resetViewLimit = () => setViewLimit(10)
+  const removeViewLimit = () => setViewLimit(0)
+
+  const leases: DynamicSecretLeaseType[] = data?.dynamicSecrets[0].leases ?? []
+
+  return (
+    <GenericDialog
+      ref={dialogRef}
+      size="lg"
+      buttonVariant="secondary"
+      buttonContent={
+        <>
+          <FaListCheck /> Leases
+        </>
+      }
+      title="View and manage leases"
+    >
+      <div className="space-y-6">
+        <div className="text-neutral-500 ">
+          Manage leases and configuration for this dynamic secret
+        </div>
+        <div className="flex items-center justify-between border-b border-neutral-500/40">
+          <div>
+            <div className="text-base font-semibold text-zinc-900 dark:text-zinc-100">Leases</div>
+            <div className="text-neutral-500 text-sm">Manage leases for this dynamic secret</div>
+          </div>
+          <Button variant="ghost" onClick={handleRefetch} icon={FiRefreshCw} isLoading={loading}>
+            Refresh
+          </Button>
+        </div>
+        <div className="divide-y divide-neutral-500/20 max-h-[80vh] overflow-y-auto">
+          {leases.slice(0, viewLimit === 0 ? undefined : viewLimit).map((lease) => (
+            <LeaseCard key={lease.id} secret={secret} lease={lease} />
+          ))}
+
+          {leases.length > 10 && (
+            <div className="flex items-center justify-center py-2">
+              <Button
+                onClick={viewLimit === 0 ? resetViewLimit : removeViewLimit}
+                variant="ghost"
+                icon={viewLimit === 0 ? FaAngleDoubleUp : FaAngleDoubleDown}
+              >
+                {viewLimit === 0 ? 'Show less' : 'Show more'}
+              </Button>
+            </div>
+          )}
+        </div>
+
+        {leases.length === 0 && (
+          <EmptyState
+            title="No leases"
+            subtitle="There are no leases for this dynamic secret."
+            graphic={
+              <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                <FaListCheck />
+              </div>
+            }
+          >
+            <CreateLeaseDialog secret={secret} />
+          </EmptyState>
+        )}
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
new file mode 100644
index 000000000..900ec9752
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
@@ -0,0 +1,128 @@
+import { DynamicSecretLeaseType, DynamicSecretType } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import GenericDialog from '@/components/common/GenericDialog'
+import { leaseTtlButtons } from '@/utils/dynamicSecrets'
+import { relativeTimeFromDates } from '@/utils/time'
+import { useContext, useState } from 'react'
+import { FiRefreshCw } from 'react-icons/fi'
+import { RenewDynamicSecretLeaseOP } from '@/graphql/mutations/environments/secrets/dynamic/renewLease.gql'
+import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
+import { useMutation } from '@apollo/client'
+import { toast } from 'react-toastify'
+import { organisationContext } from '@/contexts/organisationContext'
+import { Input } from '@/components/common/Input'
+
+export const RenewLeaseDialog = ({
+  secret,
+  lease,
+}: {
+  secret: DynamicSecretType
+  lease: DynamicSecretLeaseType
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [ttl, setTtl] = useState(secret.defaultTtlSeconds!.toString())
+  const [renewedLease, setRenewedLease] = useState<DynamicSecretLeaseType | null>(null)
+
+  const ttlButtons = leaseTtlButtons.filter((button) =>
+    secret.maxTtlSeconds ? parseInt(button.seconds) <= secret.maxTtlSeconds : button
+  )
+
+  const [renewLease, { loading: renewIsPending }] = useMutation(RenewDynamicSecretLeaseOP)
+
+  const handleRenewLease = async () => {
+    if (parseInt(ttl) > secret.maxTtlSeconds!) {
+      toast.error(`The maximum allowed TTL for this secret is ${secret.maxTtlSeconds}`)
+      return
+    }
+    try {
+      const result = await renewLease({
+        variables: { leaseId: lease.id, ttl: parseInt(ttl) },
+        refetchQueries: [
+          {
+            query: GetDynamicSecretLeases,
+            variables: { secretId: secret.id, orgId: organisation?.id },
+          },
+        ],
+      })
+
+      const renewedLeaseData = result.data?.renewDynamicSecretLease?.lease
+      if (renewedLeaseData) {
+        toast.success('Renewed lease')
+        setRenewedLease(renewedLeaseData)
+      }
+    } catch (error) {
+      console.error(error)
+      toast.error('Failed to renew lease')
+    }
+  }
+
+  return (
+    <GenericDialog
+      title="Renew lease"
+      buttonVariant="secondary"
+      buttonContent={
+        <>
+          <FiRefreshCw /> Renew
+        </>
+      }
+    >
+      <div className="space-y-4">
+        <div className="text-neutral-500">Renew the lease for these dynamic secrets</div>
+
+        {renewedLease ? (
+          <div className="py-4">
+            <div className="text-zinc-900 dark:text-zinc-100">
+              This lease has been renewed. The leased credentials will expire{' '}
+              {relativeTimeFromDates(new Date(lease.expiresAt))}{' '}
+              <span className="font-mono">({lease.expiresAt})</span>.
+            </div>
+          </div>
+        ) : (
+          <div className="py-4 space-y-2">
+            <div className="text-zinc-900 dark:text-zinc-100">
+              <p>
+                This lease was created {relativeTimeFromDates(new Date(lease.createdAt))} and
+                expires {relativeTimeFromDates(new Date(lease.expiresAt))}{' '}
+                <span className="font-mono">({lease.expiresAt})</span>.
+              </p>
+
+              <p>Select a TTL to renew this lease.</p>
+            </div>
+            <Input
+              value={ttl}
+              setValue={setTtl}
+              type="number"
+              label="TTL (seconds)"
+              max={secret.maxTtlSeconds!}
+              required
+            />
+            <div className="flex items-center gap-4">
+              {ttlButtons.map((button) => (
+                <Button
+                  variant={ttl === button.seconds ? 'secondary' : 'ghost'}
+                  key={button.label}
+                  onClick={() => setTtl(button.seconds)}
+                >
+                  {button.label}
+                </Button>
+              ))}
+            </div>
+          </div>
+        )}
+
+        <div className="flex items-center justify-end">
+          <Button
+            variant="primary"
+            icon={FiRefreshCw}
+            onClick={handleRenewLease}
+            isLoading={renewIsPending}
+          >
+            {' '}
+            Renew Lease
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/environments/secrets/dynamic/RevokeLeaseDialog.tsx b/frontend/components/environments/secrets/dynamic/RevokeLeaseDialog.tsx
new file mode 100644
index 000000000..a34ea364a
--- /dev/null
+++ b/frontend/components/environments/secrets/dynamic/RevokeLeaseDialog.tsx
@@ -0,0 +1,88 @@
+import { DynamicSecretLeaseType, DynamicSecretType } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import GenericDialog from '@/components/common/GenericDialog'
+import { relativeTimeFromDates } from '@/utils/time'
+import { useContext, useRef } from 'react'
+import { RevokeDynamicSecretLeaseOP } from '@/graphql/mutations/environments/secrets/dynamic/revokeLease.gql'
+import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
+import { useMutation } from '@apollo/client'
+import { toast } from 'react-toastify'
+import { organisationContext } from '@/contexts/organisationContext'
+import { FaBan } from 'react-icons/fa6'
+
+export const RevokeLeaseDialog = ({
+  secret,
+  lease,
+}: {
+  secret: DynamicSecretType
+  lease: DynamicSecretLeaseType
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const dialogRef = useRef<{ closeModal: () => void; isOpen: boolean }>(null)
+
+  const [revokeLease, { loading: revokeIsPending }] = useMutation(RevokeDynamicSecretLeaseOP)
+
+  const handleRevokeLease = async () => {
+    try {
+      const result = await revokeLease({
+        variables: { leaseId: lease.id },
+        refetchQueries: [
+          {
+            query: GetDynamicSecretLeases,
+            variables: { secretId: secret.id, orgId: organisation?.id },
+          },
+        ],
+      })
+
+      const revokedLeaseData = result.data?.revokeDynamicSecretLease?.lease.revokedAt
+      if (revokedLeaseData) {
+        toast.success('Revoked lease')
+        dialogRef.current?.closeModal()
+      }
+    } catch (error) {
+      console.error(error)
+      toast.error('Failed to revoke lease. Please try again later')
+    }
+  }
+
+  return (
+    <GenericDialog
+      ref={dialogRef}
+      title="Revoke lease"
+      buttonVariant="danger"
+      buttonContent={
+        <>
+          <FaBan /> Revoke
+        </>
+      }
+    >
+      <div className="space-y-4">
+        <div className="text-neutral-500">Revoke the lease for these dynamic secrets</div>
+
+        <div className="py-4 space-y-2">
+          <div className="text-zinc-900 dark:text-zinc-100">
+            <p>Are you sure you want to revoke this lease?</p>
+            <p>
+              This lease was created {relativeTimeFromDates(new Date(lease.createdAt))} and expires{' '}
+              {relativeTimeFromDates(new Date(lease.expiresAt))}{' '}
+              <span className="font-mono">({lease.expiresAt})</span>.
+            </p>
+          </div>
+        </div>
+
+        <div className="flex items-center justify-end">
+          <Button
+            variant="danger"
+            icon={FaBan}
+            onClick={handleRevokeLease}
+            isLoading={revokeIsPending}
+          >
+            {' '}
+            Revoke Lease
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/syncing/ProviderCredentialPicker.tsx b/frontend/components/syncing/ProviderCredentialPicker.tsx
index 46859164f..7ad5577fb 100644
--- a/frontend/components/syncing/ProviderCredentialPicker.tsx
+++ b/frontend/components/syncing/ProviderCredentialPicker.tsx
@@ -46,11 +46,11 @@ export const ProviderCredentialPicker = (props: {
     : credentials
 
   const credentialMatchesFilter =
-    credential && providerFilter ? 
-      (providerFilter === 'aws' ? 
-        (credential.provider?.id === 'aws' || credential.provider?.id === 'aws_assume_role') :
-        credential.provider?.id === providerFilter
-      ) : true
+    credential && providerFilter
+      ? providerFilter === 'aws'
+        ? credential.provider?.id === 'aws' || credential.provider?.id === 'aws_assume_role'
+        : credential.provider?.id === providerFilter
+      : true
 
   useEffect(() => {
     if (setDefault && filteredCredentials.length > 0 && !credentialMatchesFilter)
@@ -81,7 +81,7 @@ export const ProviderCredentialPicker = (props: {
     <Listbox value={credential} onChange={setCredential}>
       {({ open }) => (
         <>
-          <label className="block text-gray-700 text-sm font-bold mb-2">Service credentials</label>
+          <label className="block text-neutral-500 text-sm mb-2">Service credentials</label>
           <Listbox.Button as={Fragment} aria-required aria-disabled={disabled}>
             <div
               className={clsx(

From 9df7915afd193aa6bc91fd027722261c394d4eb3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 30 Aug 2025 14:35:21 +0530
Subject: [PATCH 015/117] feat: add dynamic secrets to integrations page

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/DynamicSecret.tsx             |  39 ++++++
 .../integrations/dynamic-secrets/page.tsx     | 115 ++++++++++++++++++
 frontend/app/[team]/integrations/layout.tsx   |   4 +
 3 files changed, 158 insertions(+)
 create mode 100644 frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
 create mode 100644 frontend/app/[team]/integrations/dynamic-secrets/page.tsx

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
new file mode 100644
index 000000000..e53075439
--- /dev/null
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
@@ -0,0 +1,39 @@
+import { DynamicSecretType } from '@/apollo/graphql'
+import { CreateLeaseDialog } from '@/components/environments/secrets/dynamic/CreateLeaseDialog'
+import { DeleteDynamicSecretDialog } from '@/components/environments/secrets/dynamic/DeleteDynamicSecretDialog'
+import { ManageDynamicSecretDialog } from '@/components/environments/secrets/dynamic/ManageDynamicSecretDialog'
+import { FaBolt } from 'react-icons/fa6'
+import { UpdateDynamicSecretDialog } from './UpdateDynamicSecretDialog'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+
+export const DynamicSecret = ({ secret }: { secret: DynamicSecretType }) => {
+  return (
+    <div className="p-2 ring-1 ring-inset ring-neutral-400/20 flex flex-col gap-4 w-full rounded-lg group justify-between">
+      <div className="">
+        <div className="text-base text-zinc-900 dark:text-zinc-100 flex items-center gap-1 px-1">
+          <ProviderIcon providerId={secret.provider} /> {secret.name}
+        </div>
+        <div className="flex items-center gap-2">
+          {secret.keyMap?.map((key) => (
+            <span
+              key={key!.keyName}
+              className="font-mono text-neutral-500 text-xs bg-neutral-400/10 px-1 rounded-full"
+            >
+              {key!.keyName}
+            </span>
+          ))}
+        </div>
+      </div>
+      <div className="relative group flex items-center justify-between w-full">
+        <div className="flex h-full items-center justify-start gap-4 opacity-0 group-hover:opacity-100 transition ease">
+          <CreateLeaseDialog secret={secret} />
+          <ManageDynamicSecretDialog secret={secret} />
+          <UpdateDynamicSecretDialog secret={secret} staticSecrets={[]} dynamicSecrets={[]} />
+        </div>
+        <div className="flex h-full items-center justify-end gap-4 opacity-0 group-hover:opacity-100 transition ease">
+          <DeleteDynamicSecretDialog secret={secret} />
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/page.tsx b/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
new file mode 100644
index 000000000..0fc3ca4db
--- /dev/null
+++ b/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
@@ -0,0 +1,115 @@
+'use client'
+
+import { EmptyState } from '@/components/common/EmptyState'
+import { organisationContext } from '@/contexts/organisationContext'
+import { userHasPermission } from '@/utils/access/permissions'
+import { useContext } from 'react'
+import { FaBan } from 'react-icons/fa6'
+import { GetDynamicSecrets } from '@/graphql/queries/secrets/dynamic/getDynamicSecrets.gql'
+import { useQuery } from '@apollo/client'
+import { DynamicSecretType } from '@/apollo/graphql'
+import { DynamicSecret } from './_components/DynamicSecret'
+
+export default function DynamicSecrets({ params }: { params: { team: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  // permissions
+  const userCanReadDynamicSecrets = organisation
+    ? userHasPermission(organisation.role?.permissions, 'Secrets', 'read', true)
+    : false
+
+  const { data } = useQuery(GetDynamicSecrets, {
+    variables: { orgId: organisation?.id },
+    skip: !organisation || !userCanReadDynamicSecrets,
+  })
+
+  // Group secrets by appId, then environmentId
+  const groupedSecrets: Record<
+    string,
+    {
+      appName: string
+      environments: Record<
+        string,
+        {
+          envName: string
+          secrets: DynamicSecretType[]
+        }
+      >
+    }
+  > = {}
+
+  if (data?.dynamicSecrets) {
+    data.dynamicSecrets.forEach((secret: DynamicSecretType) => {
+      const appId = secret.environment.app.id
+      const appName = secret.environment.app.name
+      const envId = secret.environment.id
+      const envName = secret.environment.name
+
+      if (!groupedSecrets[appId]) {
+        groupedSecrets[appId] = {
+          appName,
+          environments: {},
+        }
+      }
+      if (!groupedSecrets[appId].environments[envId]) {
+        groupedSecrets[appId].environments[envId] = {
+          envName,
+          secrets: [],
+        }
+      }
+      groupedSecrets[appId].environments[envId].secrets.push(secret)
+    })
+  }
+
+  return (
+    <div className="w-full space-y-8 md:space-y-10 text-black dark:text-white">
+      {userCanReadDynamicSecrets ? (
+        <div className="space-y-4">
+          <div className="border-b border-neutral-500/20 pb-2">
+            <h2 className="text-black dark:text-white text-xl font-medium">Dynamic Secrets</h2>
+            <p className="text-neutral-500">View and manage dynamic secrets</p>
+          </div>
+
+          {/* Grouped display */}
+          <div className="space-y-8 divide-y divide-neutral-400/20">
+            {Object.entries(groupedSecrets).map(([appId, appGroup]) => (
+              <div key={appId} className="space-y-1 py-4">
+                <div className="font-semibold text-lg">{appGroup.appName}</div>
+                <div className="flex flex-row gap-8 flex-1">
+                  {Object.entries(appGroup.environments)
+                    .sort(
+                      ([, aEnv], [, bEnv]) =>
+                        (aEnv.secrets[0]?.environment.index ?? 0) -
+                        (bEnv.secrets[0]?.environment.index ?? 0)
+                    )
+                    .map(([envId, envGroup]) => (
+                      <div key={envId} className="flex flex-col gap-2 min-w-[160px]">
+                        <div className="font-medium text-base text-neutral-700 dark:text-neutral-300 mb-2">
+                          {envGroup.envName}
+                        </div>
+                        {envGroup.secrets.map((secret) => (
+                          <DynamicSecret key={secret.id} secret={secret} />
+                        ))}
+                      </div>
+                    ))}
+                </div>
+              </div>
+            ))}
+          </div>
+        </div>
+      ) : (
+        <EmptyState
+          title="Access restricted"
+          subtitle="You don't have the permissions required to view Dynamic Secrets in this organisation."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+              <FaBan />
+            </div>
+          }
+        >
+          <></>
+        </EmptyState>
+      )}
+    </div>
+  )
+}
diff --git a/frontend/app/[team]/integrations/layout.tsx b/frontend/app/[team]/integrations/layout.tsx
index 5a4fa64e9..8c415e044 100644
--- a/frontend/app/[team]/integrations/layout.tsx
+++ b/frontend/app/[team]/integrations/layout.tsx
@@ -27,6 +27,10 @@ export default function AccessLayout({
         name: 'Syncs',
         link: 'syncs',
       },
+      {
+        name: 'Dynamic Secrets',
+        link: 'dynamic-secrets',
+      },
       {
         name: 'Third-party credentials',
         link: 'credentials',

From 133f2360fbae3706dfcbf6c5c1eee2ec16d7db1e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:36:03 +0530
Subject: [PATCH 016/117] feat: schedule all active leases for revoation when
 deleting a secret

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/models.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/backend/api/models.py b/backend/api/models.py
index 1b3a5eb86..e26cc1740 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -685,7 +685,7 @@ class DynamicSecret(models.Model):
     config = models.JSONField()
     key_map = models.JSONField(
         help_text="Provider-agnostic mapping of keys: "
-        "[{'id': '<key_id>', 'name': '<key_name>'}, ...]",
+        "[{'id': '<key_id>', 'key_name': '<encrypted_key_name>', 'key_digest': '<key_digest>'}, ...]",
         default=list,
     )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
@@ -702,9 +702,19 @@ def save(self, *args, **kwargs):
             self.environment.save()
 
     def delete(self, *args, **kwargs):
-        env = self.environment
-        super().delete(*args, **kwargs)
+        # Soft delete the object by setting the 'deleted_at' field.
+        self.updated_at = timezone.now()
+        self.deleted_at = timezone.now()
+        self.save()
+
+        # Revoke all active leases
+        from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
+
+        for lease in self.leases.filter(status=DynamicSecretLease.ACTIVE):
+            schedule_lease_revocation(lease, True)
+
         # Update the 'updated_at' timestamp of the associated Environment
+        env = self.environment
         if env:
             env.updated_at = timezone.now()
             env.save()

From 6ea430cbd64bb615024b52f9ac8f76225234a7a1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:36:49 +0530
Subject: [PATCH 017/117] feat: refactor dynamic secret creation, validation,
 revocation logic

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/aws/utils.py | 104 +---------
 .../ee/integrations/secrets/dynamic/utils.py  | 178 +++++++++++++++++-
 2 files changed, 175 insertions(+), 107 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 7b53cdb4e..af427476b 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -1,10 +1,11 @@
 from django.utils import timezone
 from django.core.exceptions import ValidationError
-from uuid import uuid4
+
 from api.models import DynamicSecret
 from api.utils.crypto import decrypt_asymmetric, encrypt_asymmetric, get_server_keypair
 from api.utils.syncing.aws.auth import get_aws_sts_session
 from api.utils.secrets import get_environment_keys
+from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
 from backend.utils.secrets import get_secret
 from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
 import logging
@@ -140,97 +141,6 @@ def build_dynamic_secret_config(provider: str, user_config: dict) -> dict:
     return merged_config
 
 
-def create_dynamic_secret(
-    *,
-    environment,
-    folder,
-    name: str,
-    description="",
-    default_ttl,
-    max_ttl,
-    authentication=None,
-    provider: str,
-    config: dict,
-    key_map: list,
-) -> DynamicSecret:
-    """
-    Create a DynamicSecret with validated provider config.
-    Used by both GraphQL resolvers and REST API.
-    """
-
-    # --- validate provider ---
-    provider_def = None
-    for prov in DynamicSecretProviders.__dict__.values():
-        if isinstance(prov, dict) and prov.get("id") == provider:
-            provider_def = prov
-            break
-    if not provider_def:
-        raise ValidationError(f"Unsupported provider: {provider}")
-
-    # --- validate required config fields ---
-    validated_config = {}
-    for field in provider_def.get("config_map", []):
-        fid = field["id"]
-        required = field.get("required", False)
-        default = field.get("default")
-
-        if fid in config:
-            validated_config[fid] = config[fid]
-        elif required and default is None:
-            raise ValidationError(f"Missing required config field: {fid}")
-        elif default is not None:
-            validated_config[fid] = default
-
-    # --- validate key_map ---
-    valid_creds = {c["id"]: c for c in provider_def.get("credentials", [])}
-    validated_key_map = []
-
-    for entry in key_map:
-        if not isinstance(entry, dict):
-            raise ValidationError(f"Invalid key_map entry (must be dict): {entry}")
-
-        key_id = entry.get("id")
-        key_name = entry.get("key_name")
-
-        if key_id not in valid_creds:
-            raise ValidationError(
-                f"Invalid key id '{key_id}' for provider '{provider}'"
-            )
-
-        # fallback to provider default_key_name
-        if not key_name:
-            key_name = valid_creds[key_id].get("default_key_name")
-
-        if not key_name:
-            raise ValidationError(
-                f"No key name provided for key id '{key_id}', and no default defined"
-            )
-
-        validated_key_map.append({"id": key_id, "key_name": key_name})
-
-    # --- construct DynamicSecret ---
-    dynamic_secret = DynamicSecret.objects.create(
-        id=uuid4(),
-        environment=environment,
-        folder=folder,
-        path="/",
-        name=name,
-        description=description,
-        default_ttl=default_ttl,
-        max_ttl=max_ttl,
-        authentication=authentication,
-        provider=provider,
-        config=validated_config,
-        key_map=validated_key_map,
-    )
-
-    # Update environment timestamp
-    environment.updated_at = timezone.now()
-    environment.save(update_fields=["updated_at"])
-
-    return dynamic_secret
-
-
 def create_temporary_user(user_config, iam_client):
     """
     Create a temporary IAM user with specified configuration.
@@ -508,15 +418,7 @@ def create_aws_dynamic_secret_lease(
     )
 
     # --- Schedule revocation ---
-    scheduler = django_rq.get_scheduler("scheduled-jobs")
-    job = scheduler.enqueue_at(
-        lease.expires_at,
-        revoke_aws_dynamic_secret_lease,
-        lease.id,
-    )
-
-    lease.cleanup_job_id = job.id
-    lease.save()
+    schedule_lease_revocation(lease)
 
     return lease, lease_data
 
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 493c53374..7ed2c119c 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -1,15 +1,151 @@
 from datetime import timedelta
-from ee.integrations.secrets.dynamic.aws.utils import (
-    revoke_aws_dynamic_secret_lease,
+
+from api.utils.secrets import (
+    check_for_duplicates_blind,
+    compute_key_digest,
+    create_environment_folder_structure,
+    get_environment_keys,
 )
+from api.utils.crypto import decrypt_asymmetric
+from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
+from uuid import uuid4
+from django.core.exceptions import ValidationError
 from graphql import GraphQLError
 from django.utils import timezone
 import django_rq
 from rq.job import Job
 import logging
+from django.apps import apps
 
 logger = logging.getLogger(__name__)
 
+DynamicSecret = apps.get_model("api", "DynamicSecret")
+
+
+def validate_key_map(key_map, provider, environment, path):
+    provider_def = None
+    for prov in DynamicSecretProviders.__dict__.values():
+        if isinstance(prov, dict) and prov.get("id") == provider:
+            provider_def = prov
+            break
+    if not provider_def:
+        raise ValidationError(f"Unsupported provider: {provider}")
+
+    valid_creds = {c["id"]: c for c in provider_def.get("credentials", [])}
+    validated_key_map = []
+
+    env_pubkey, env_privkey = get_environment_keys(environment.id)
+
+    for entry in key_map:
+        decrypted_key_name = decrypt_asymmetric(
+            entry["key_name"], env_privkey, env_pubkey
+        )
+        entry["path"] = path
+        digest = compute_key_digest(decrypted_key_name, environment.id)
+        entry["keyDigest"] = digest
+
+    if check_for_duplicates_blind(key_map, environment):
+        raise ValidationError("One or more secrets keys already exist ")
+
+    for entry in key_map:
+        if not isinstance(entry, dict):
+            raise ValidationError(f"Invalid key_map entry (must be dict): {entry}")
+
+        key_id = entry.get("id")
+        key_name = entry.get("key_name")
+        key_digest = entry.get("keyDigest")
+
+        if key_id not in valid_creds:
+            raise ValidationError(
+                f"Invalid key id '{key_id}' for provider '{provider}'"
+            )
+
+        # fallback to provider default_key_name
+        if not key_name:
+            key_name = valid_creds[key_id].get("default_key_name")
+
+        if not key_name:
+            raise ValidationError(
+                f"No key name provided for key id '{key_id}', and no default defined"
+            )
+
+        validated_key_map.append(
+            {"id": key_id, "key_name": key_name, "key_digest": key_digest}
+        )
+
+    return validated_key_map
+
+
+def create_dynamic_secret(
+    *,
+    environment,
+    path,
+    name: str,
+    description="",
+    default_ttl,
+    max_ttl,
+    authentication=None,
+    provider: str,
+    config: dict,
+    key_map: list,
+) -> DynamicSecret:
+    """
+    Create a DynamicSecret with validated provider config.
+    Used by both GraphQL resolvers and REST API.
+    """
+
+    # --- validate provider ---
+    provider_def = None
+    for prov in DynamicSecretProviders.__dict__.values():
+        if isinstance(prov, dict) and prov.get("id") == provider:
+            provider_def = prov
+            break
+    if not provider_def:
+        raise ValidationError(f"Unsupported provider: {provider}")
+
+    folder = None
+    if path and path != "/":
+        folder = create_environment_folder_structure(path, environment.id)
+
+    # --- validate required config fields ---
+    validated_config = {}
+    for field in provider_def.get("config_map", []):
+        fid = field["id"]
+        required = field.get("required", False)
+        default = field.get("default")
+
+        if fid in config:
+            validated_config[fid] = config[fid]
+        elif required and default is None:
+            raise ValidationError(f"Missing required config field: {fid}")
+        elif default is not None:
+            validated_config[fid] = default
+
+    # --- validate key_map ---
+    validated_key_map = validate_key_map(key_map, provider, environment, path)
+
+    # --- construct DynamicSecret ---
+    dynamic_secret = DynamicSecret.objects.create(
+        id=uuid4(),
+        environment=environment,
+        folder=folder,
+        path=path,
+        name=name,
+        description=description,
+        default_ttl=default_ttl,
+        max_ttl=max_ttl,
+        authentication=authentication,
+        provider=provider,
+        config=validated_config,
+        key_map=validated_key_map,
+    )
+
+    # Update environment timestamp
+    environment.updated_at = timezone.now()
+    environment.save(update_fields=["updated_at"])
+
+    return dynamic_secret
+
 
 def renew_dynamic_secret_lease(lease, ttl):
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
@@ -36,13 +172,43 @@ def renew_dynamic_secret_lease(lease, ttl):
             logger.info(f"Failed to delete job: {e}")
             pass
 
+    lease.save()
+
     # enqueue a new revocation job
+    schedule_lease_revocation(lease)
+
+    return lease
+
+
+def schedule_lease_revocation(lease, immediate=False):
+    """
+    Schedule a job to revoke the lease at its expiry time.
+    """
+
+    # --- Schedule revocation ---
+
+    if lease.revoked_at is not None:
+        logger.info(f"Lease {lease.id} already revoked at {lease.revoked_at}")
+        return
+
+    scheduled_revoke_time = lease.expires_at
+    if immediate:
+        scheduled_revoke_time = timezone.now()
+
+    scheduler = django_rq.get_scheduler("scheduled-jobs")
+
+    if lease.secret.provider == "aws":
+        from ee.integrations.secrets.dynamic.aws.utils import (
+            revoke_aws_dynamic_secret_lease,
+        )
+
+        revoke_job = revoke_aws_dynamic_secret_lease
+
     job = scheduler.enqueue_at(
-        lease.expires_at,
-        revoke_aws_dynamic_secret_lease,
+        scheduled_revoke_time,
+        revoke_job,
         lease.id,
     )
+
     lease.cleanup_job_id = job.id
     lease.save()
-
-    return lease

From 16cc210cb302a3e66e97be32443c6870cfda013d Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:36:57 +0530
Subject: [PATCH 018/117] feat: enhance duplicate check to include dynamic
 secrets key_map

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/secrets.py | 40 +++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/backend/api/utils/secrets.py b/backend/api/utils/secrets.py
index b460059c1..c84a9f6d8 100644
--- a/backend/api/utils/secrets.py
+++ b/backend/api/utils/secrets.py
@@ -144,7 +144,8 @@ def normalize_path_string(path):
 
 def check_for_duplicates_blind(secrets, environment):
     """
-    Checks if a list of secrets contains any duplicates internally or in the target env + path by checking each secret's key_digest
+    Checks if a list of secrets contains any duplicates internally or in the target env + path by checking each secret's key_digest.
+    Also checks key_map key_digest for DynamicSecret objects at the environment and path.
 
     Args:
         secrets (List[Dict]): The list of encrypted secrets to check for duplicates.
@@ -154,9 +155,11 @@ def check_for_duplicates_blind(secrets, environment):
         bool: True if a duplicate is found, False otherwise.
     """
     Secret = apps.get_model("api", "Secret")
+    DynamicSecret = apps.get_model("api", "DynamicSecret")
 
     processed_secrets = set()  # Set to store processed secrets
 
+    # --- Check static secrets ---
     for secret in secrets:
         if "keyDigest" in secret:
             try:
@@ -185,6 +188,41 @@ def check_for_duplicates_blind(secrets, environment):
             # Add the processed secret to the set
             processed_secrets.add((path, secret["keyDigest"]))
 
+    # --- Check dynamic secrets key_map ---
+    for secret in secrets:
+        try:
+            path = normalize_path_string(secret.get("path", "/"))
+        except:
+            path = "/"
+
+        # Query all DynamicSecret objects at this environment and path
+        dynamic_secrets = DynamicSecret.objects.filter(
+            environment=environment,
+            path=path,
+            deleted_at=None,
+        )
+
+        for dyn_secret in dynamic_secrets:
+            key_map = dyn_secret.key_map or []
+            for entry in key_map:
+                key_digest = entry.get("key_digest")
+
+                if key_digest and (path, key_digest) in processed_secrets:
+                    return True  # Found a duplicate in dynamic secret key_map
+
+                # Also check for duplicates within the database
+                if key_digest:
+                    # Check if any other DynamicSecret at this env/path has this key_digest
+                    other_dyn_secrets = dynamic_secrets.exclude(id=dyn_secret.id)
+                    for other_dyn in other_dyn_secrets:
+                        other_key_map = other_dyn.key_map or []
+                        for other_entry in other_key_map:
+                            if other_entry.get("key_digest") == key_digest:
+                                return True
+
+                if key_digest:
+                    processed_secrets.add((path, key_digest))
+
     return False  # No duplicates found
 
 

From 2542040e0aebf49a31912d8278fa539505777ebb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:37:09 +0530
Subject: [PATCH 019/117] feat: simplify secret deletion by directly calling
 delete method

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/aws/graphene/mutations.py | 38 ++++++++++---------
 .../secrets/dynamic/graphene/mutations.py     |  4 +-
 2 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
index 80bffe505..8396a4fe8 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -4,18 +4,16 @@
     user_is_org_member,
 )
 from api.utils.secrets import create_environment_folder_structure
-from ee.integrations.secrets.dynamic.aws.graphene.types import (
-    AwsCredentialsType,
+from ee.integrations.secrets.dynamic.utils import (
+    create_dynamic_secret,
+    validate_key_map,
 )
+
 from ee.integrations.secrets.dynamic.graphene.types import (
-    DynamicSecretLeaseType,
     DynamicSecretType,
     KeyMapInput,
 )
-from ee.integrations.secrets.dynamic.aws.utils import (
-    create_dynamic_secret,
-    create_aws_dynamic_secret_lease,
-)
+
 from datetime import timedelta
 import graphene
 from graphql import GraphQLError
@@ -89,10 +87,6 @@ def mutate(
         if not env.app.sse_enabled:
             raise GraphQLError("SSE is not enabled!")
 
-        folder = None
-        if path and path != "/":
-            folder = create_environment_folder_structure(path, environment_id)
-
         authentication = None
         if authentication_id:
             try:
@@ -102,12 +96,18 @@ def mutate(
             except ProviderCredentials.DoesNotExist:
                 raise GraphQLError("Invalid authentication credentials")
 
-        # --- create secret ---
+        try:
+            validated_key_map = validate_key_map(key_map, "aws", env, path)
+            key_map = validated_key_map
+        except ValidationError as e:
+            message = f"Error updating secret: {e.messages[0]}"
+            raise GraphQLError(message)
 
+        # --- create secret ---
         try:
             dynamic_secret = create_dynamic_secret(
                 environment=Environment.objects.get(id=environment_id),
-                folder=folder,
+                path=path,
                 name=name,
                 description=description,
                 default_ttl=timedelta(seconds=default_ttl),
@@ -201,12 +201,16 @@ def mutate(
         dynamic_secret.max_ttl = timedelta(seconds=max_ttl) if max_ttl else None
         dynamic_secret.authentication = authentication
         dynamic_secret.config = config
-        dynamic_secret.key_map = key_map
 
         try:
-            # dynamic_secret.full_clean()
-            dynamic_secret.save()
+            validated_key_map = validate_key_map(
+                key_map, dynamic_secret.provider, dynamic_secret.environment, path
+            )
+            dynamic_secret.key_map = validated_key_map
         except ValidationError as e:
-            raise GraphQLError(f"Validation error:{e}")
+            message = f"Error updating secret: {e.messages[0]}"
+            raise GraphQLError(message)
+
+        dynamic_secret.save()
 
         return UpdateAWSDynamicSecretMutation(dynamic_secret=dynamic_secret)
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
index ed123d7a7..4e274a03e 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -51,9 +51,7 @@ def mutate(
                 "You don't have permission to delete secrets in this organisation"
             )
 
-        secret.updated_at = timezone.now()
-        secret.deleted_at = timezone.now()
-        secret.save()
+        secret.delete()
 
         return DeleteDynamicSecretMutation(ok=True)
 

From c65b5d1fb95cf1017327e42c0bfe93b6adcec8a6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:37:18 +0530
Subject: [PATCH 020/117] feat: encrypt key names in dynamic secret creation
 process

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/CreateDynamicSecretDialog.tsx | 35 ++++++++++++-------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
index f8c119465..55af0f3d8 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
@@ -31,6 +31,7 @@ import { duplicateKeysExist } from '@/utils/secrets'
 import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
 import { MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { Textarea } from '@/components/common/TextArea'
+import { encryptAsymmetric } from '@/utils/crypto'
 
 type CreateDynamicSecretDialogRef = {
   openModal: () => void
@@ -153,17 +154,17 @@ export const CreateDynamicSecretDialog = forwardRef<
       }
 
       // Check for duplicate secret names
-      if (
-        duplicateKeysExist(staticSecrets, [
-          ...dynamicSecrets,
-          { id: 'new-dynamic-secret', keyMap: formData.keyMap } as DynamicSecretType,
-        ])
-      ) {
-        toast.error(
-          'One or more secret keys already exist at this path. Please select a unique key name for each credential.'
-        )
-        return false
-      }
+      // if (
+      //   duplicateKeysExist(staticSecrets, [
+      //     ...dynamicSecrets,
+      //     { id: 'new-dynamic-secret', keyMap: formData.keyMap } as DynamicSecretType,
+      //   ])
+      // ) {
+      //   toast.error(
+      //     'One or more secret keys already exist at this path. Please select a unique key name for each credential.'
+      //   )
+      //   return false
+      // }
 
       if (parseInt(formData.defaultTTL, 10) > parseInt(formData.maxTTL, 10)) {
         toast.error('Default TTL must be less than or equal to Max TTL')
@@ -173,6 +174,16 @@ export const CreateDynamicSecretDialog = forwardRef<
         toast.error(`Max TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
       }
 
+      // Encrypt each keyName in keyMap
+      const encryptedKeyMap = await Promise.all(
+        formData.keyMap.map(async (key) => ({
+          ...key,
+          keyName: key.keyName
+            ? await encryptAsymmetric(key.keyName, environment.identityKey)
+            : key.keyName,
+        }))
+      )
+
       await createDynamicSecret({
         variables: {
           organisationId: organisation?.id,
@@ -184,7 +195,7 @@ export const CreateDynamicSecretDialog = forwardRef<
           maxTtl: parseInt(formData.maxTTL, 10),
           authenticationId: formData.credential?.id ?? null,
           config: formData.config,
-          keyMap: formData.keyMap,
+          keyMap: encryptedKeyMap,
         },
       })
 

From 4a14428fbda844758aa6eea1dbdedf381fc0767c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:37:30 +0530
Subject: [PATCH 021/117] feat: encrypt key names in dynamic secret update
 process

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/UpdateDynamicSecretDialog.tsx | 29 +++++++++----------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
index 4a7e094b0..7a31522b0 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
@@ -26,6 +26,7 @@ import { toast } from 'react-toastify'
 import { duplicateKeysExist } from '@/utils/secrets'
 import { FaCog, FaCogs } from 'react-icons/fa'
 import { Textarea } from '@/components/common/TextArea'
+import { encryptAsymmetric } from '@/utils/crypto'
 
 type UpdateDynamicSecretDialogRef = {
   openModal: () => void
@@ -33,15 +34,14 @@ type UpdateDynamicSecretDialogRef = {
 }
 
 interface UpdateDynamicSecretDialogProps {
-  staticSecrets: SecretType[]
-  dynamicSecrets: DynamicSecretType[]
+  environment: EnvironmentType
   secret: DynamicSecretType // The secret to update
 }
 
 export const UpdateDynamicSecretDialog = forwardRef<
   UpdateDynamicSecretDialogRef,
   UpdateDynamicSecretDialogProps
->(({ staticSecrets, dynamicSecrets, secret }, ref) => {
+>(({ secret, environment }, ref) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
   const [updateDynamicSecret] = useMutation(UpdateDynamicSecret)
   const dialogRef = useRef<{ closeModal: () => void; openModal: () => void }>(null)
@@ -129,18 +129,15 @@ export const UpdateDynamicSecretDialog = forwardRef<
         return false
       }
 
-      // Check for duplicate secret names
-      if (
-        duplicateKeysExist(staticSecrets, [
-          ...dynamicSecrets.filter((ds) => ds.id !== secret.id),
-          { ...secret, keyMap: formData.keyMap },
-        ])
-      ) {
-        toast.error(
-          'One or more secret keys already exist at this path. Please select a unique key name for each credential.'
-        )
-        return false
-      }
+      // Encrypt each keyName in keyMap
+      const encryptedKeyMap = await Promise.all(
+        formData.keyMap.map(async (key) => ({
+          ...key,
+          keyName: key.keyName
+            ? await encryptAsymmetric(key.keyName, environment.identityKey)
+            : key.keyName,
+        }))
+      )
 
       await updateDynamicSecret({
         variables: {
@@ -153,7 +150,7 @@ export const UpdateDynamicSecretDialog = forwardRef<
           maxTtl: parseInt(formData.maxTTL, 10),
           authenticationId: formData.credential?.id ?? null,
           config: formData.config,
-          keyMap: formData.keyMap,
+          keyMap: encryptedKeyMap,
         },
       })
 

From 3538c415015e577c0c4779b360e5574ad85cce3e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:37:38 +0530
Subject: [PATCH 022/117] feat: improve layout of TTL input and buttons in
 CreateLeaseDialog

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/CreateLeaseDialog.tsx     | 38 ++++++++++---------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
index 3c7444bae..867b59010 100644
--- a/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
+++ b/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
@@ -112,25 +112,27 @@ export const CreateLeaseDialog = ({ secret }: { secret: DynamicSecretType }) =>
           <div className="space-y-2">
             <Input value={name} setValue={setName} label="Name" required />
 
-            <Input
-              value={ttl}
-              setValue={setTtl}
-              type="number"
-              label="TTL (seconds)"
-              max={secret.maxTtlSeconds!}
-              required
-            />
+            <div className="flex items-end gap-4 justify-between">
+              <Input
+                value={ttl}
+                setValue={setTtl}
+                type="number"
+                label="TTL (seconds)"
+                max={secret.maxTtlSeconds!}
+                required
+              />
 
-            <div className="flex items-center gap-4">
-              {ttlButtons.map((button) => (
-                <Button
-                  variant={ttl === button.seconds ? 'secondary' : 'ghost'}
-                  key={button.label}
-                  onClick={() => setTtl(button.seconds)}
-                >
-                  {button.label}
-                </Button>
-              ))}
+              <div className="flex items-center gap-2 py-1">
+                {ttlButtons.map((button) => (
+                  <Button
+                    variant={ttl === button.seconds ? 'secondary' : 'ghost'}
+                    key={button.label}
+                    onClick={() => setTtl(button.seconds)}
+                  >
+                    {button.label}
+                  </Button>
+                ))}
+              </div>
             </div>
           </div>
         )}

From 1f83fccfc958785c8e7c159c4368edfab2a19bac Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:37:53 +0530
Subject: [PATCH 023/117] feat: add environment prop to DynamicSecretRow

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/DynamicSecretRow.tsx        | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
index 4fb199ba8..a27332708 100644
--- a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
@@ -1,18 +1,19 @@
-import { DynamicSecretType, KeyMap } from '@/apollo/graphql'
-import { Button } from '@/components/common/Button'
+import { DynamicSecretType, EnvironmentType, KeyMap } from '@/apollo/graphql'
 import clsx from 'clsx'
-import { FaCog } from 'react-icons/fa'
 import { FaBolt } from 'react-icons/fa6'
 
-import { useMutation } from '@apollo/client'
 import { CreateLeaseDialog } from './CreateLeaseDialog'
 import { ManageDynamicSecretDialog } from './ManageDynamicSecretDialog'
 import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
-import { Input } from '@/components/common/Input'
-import { useMemo } from 'react'
 import { UpdateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog'
 
-export const DynamicSecretRow = ({ secret }: { secret: DynamicSecretType }) => {
+export const DynamicSecretRow = ({
+  secret,
+  environment,
+}: {
+  secret: DynamicSecretType
+  environment: EnvironmentType
+}) => {
   const keyMap: KeyMap[] = (secret.keyMap as KeyMap[]) ?? []
 
   const KEY_BASE_STYLE = 'w-full font-mono custom bg-transparent transition ease p-1 ph-no-capture'
@@ -57,7 +58,7 @@ export const DynamicSecretRow = ({ secret }: { secret: DynamicSecretType }) => {
         <div className="flex h-full items-center gap-4  opacity-0 group-hover:opacity-100 transition ease">
           <CreateLeaseDialog secret={secret} />
           <ManageDynamicSecretDialog secret={secret} />
-          <UpdateDynamicSecretDialog secret={secret} staticSecrets={[]} dynamicSecrets={[]} />
+          <UpdateDynamicSecretDialog secret={secret} environment={environment} />
         </div>
       </div>
       <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center">

From 7f198442fdc06677f0a88f19b8e9649df0b19055 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:38:04 +0530
Subject: [PATCH 024/117] feat: enhance DynamicSecret component layout and add
 link to view secret

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/DynamicSecret.tsx             | 41 +++++++++++--------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
index e53075439..d4a19dd06 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
@@ -1,37 +1,42 @@
 import { DynamicSecretType } from '@/apollo/graphql'
-import { CreateLeaseDialog } from '@/components/environments/secrets/dynamic/CreateLeaseDialog'
 import { DeleteDynamicSecretDialog } from '@/components/environments/secrets/dynamic/DeleteDynamicSecretDialog'
 import { ManageDynamicSecretDialog } from '@/components/environments/secrets/dynamic/ManageDynamicSecretDialog'
-import { FaBolt } from 'react-icons/fa6'
-import { UpdateDynamicSecretDialog } from './UpdateDynamicSecretDialog'
 import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+import { Button } from '@/components/common/Button'
+import { organisationContext } from '@/contexts/organisationContext'
+import Link from 'next/link'
+import { useContext } from 'react'
+import { FaExternalLinkAlt } from 'react-icons/fa'
 
 export const DynamicSecret = ({ secret }: { secret: DynamicSecretType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
   return (
-    <div className="p-2 ring-1 ring-inset ring-neutral-400/20 flex flex-col gap-4 w-full rounded-lg group justify-between">
-      <div className="">
+    <div className="p-2 ring-1 ring-inset ring-neutral-400/20 flex flex-col gap-4 w-full rounded-lg group justify-between bg-zinc-100 dark:bg-zinc-800">
+      <div>
         <div className="text-base text-zinc-900 dark:text-zinc-100 flex items-center gap-1 px-1">
           <ProviderIcon providerId={secret.provider} /> {secret.name}
         </div>
-        <div className="flex items-center gap-2">
-          {secret.keyMap?.map((key) => (
-            <span
-              key={key!.keyName}
-              className="font-mono text-neutral-500 text-xs bg-neutral-400/10 px-1 rounded-full"
-            >
-              {key!.keyName}
-            </span>
-          ))}
-        </div>
+        <div className="text-sm text-neutral-500 px-1">{secret.description}</div>
       </div>
+
       <div className="relative group flex items-center justify-between w-full">
         <div className="flex h-full items-center justify-start gap-4 opacity-0 group-hover:opacity-100 transition ease">
-          <CreateLeaseDialog secret={secret} />
+          {/* <CreateLeaseDialog secret={secret} /> */}
           <ManageDynamicSecretDialog secret={secret} />
-          <UpdateDynamicSecretDialog secret={secret} staticSecrets={[]} dynamicSecrets={[]} />
         </div>
         <div className="flex h-full items-center justify-end gap-4 opacity-0 group-hover:opacity-100 transition ease">
-          <DeleteDynamicSecretDialog secret={secret} />
+          {/* <DeleteDynamicSecretDialog secret={secret} /> */}
+          <Link
+            href={`/${organisation?.name}/apps/${secret.environment.app.id}/environments/${secret.environment.id}${secret.path}?secret=${secret.id}`}
+            title="View this secret"
+          >
+            <Button variant="ghost">
+              <span className="py-1">
+                <FaExternalLinkAlt />
+              </span>
+            </Button>
+          </Link>
         </div>
       </div>
     </div>

From 455a6916fb32785a19e0be9451a4f37fb8b688ee Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 16:38:13 +0530
Subject: [PATCH 025/117] feat: add dynamic secrets handling and decryption in
 EnvironmentPath component

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[environment]/[[...path]]/page.tsx        | 45 +++++++++++++++----
 1 file changed, 37 insertions(+), 8 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index ac1a5e472..088bc81c9 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -87,8 +87,12 @@ export default function EnvironmentPath({
   const highlightedRef = useRef<HTMLDivElement>(null)
 
   const [envKeys, setEnvKeys] = useState<EnvKeyring | null>(null)
+
   const [serverSecrets, setServerSecrets] = useState<SecretType[]>([])
   const [clientSecrets, setClientSecrets] = useState<SecretType[]>([])
+
+  const [dynamicSecrets, setDynamicSecrets] = useState<DynamicSecretType[]>([])
+
   const [secretsToDelete, setSecretsToDelete] = useState<string[]>([])
   const [searchQuery, setSearchQuery] = useState<string>('')
   const [isLoading, setIsloading] = useState(false)
@@ -197,7 +201,7 @@ export default function EnvironmentPath({
   }
 
   const environment = data?.appEnvironments[0] as EnvironmentType
-  const dynamicSecrets: DynamicSecretType[] = data?.dynamicSecrets ?? []
+  //const dynamicSecrets: DynamicSecretType[] = data?.dynamicSecrets ?? []
 
   const envLinks =
     appEnvsData?.appEnvironments
@@ -392,7 +396,7 @@ export default function EnvironmentPath({
   useEffect(() => {
     if (data && envKeys) {
       const decryptSecrets = async () => {
-        const decryptedSecrets = await Promise.all(
+        const decryptedStaticSecrets = await Promise.all(
           data.secrets.map(async (secret: SecretType) => {
             const decryptedSecret = structuredClone(secret)
 
@@ -460,12 +464,36 @@ export default function EnvironmentPath({
             return decryptedSecret
           })
         )
-        return decryptedSecrets
+
+        //Decrypt dynamic secrets keyMap.keyName
+        const decryptedDynamicSecrets = await Promise.all(
+          (data.dynamicSecrets ?? []).map(async (secret: DynamicSecretType) => {
+            const decryptedSecret = structuredClone(secret)
+            if (decryptedSecret.keyMap && Array.isArray(decryptedSecret.keyMap)) {
+              decryptedSecret.keyMap = await Promise.all(
+                decryptedSecret.keyMap.map(async (keyMapItem) => ({
+                  ...keyMapItem,
+                  keyName: keyMapItem?.keyName
+                    ? await decryptAsymmetric(
+                        keyMapItem.keyName,
+                        envKeys.privateKey,
+                        envKeys.publicKey
+                      )
+                    : keyMapItem?.keyName,
+                }))
+              )
+            }
+            return decryptedSecret
+          })
+        )
+
+        return { decryptedStaticSecrets, decryptedDynamicSecrets }
       }
 
       decryptSecrets().then((decryptedSecrets) => {
-        setServerSecrets(decryptedSecrets)
-        setClientSecrets(decryptedSecrets)
+        setServerSecrets(decryptedSecrets.decryptedStaticSecrets)
+        setClientSecrets(decryptedSecrets.decryptedStaticSecrets)
+        setDynamicSecrets(decryptedSecrets.decryptedDynamicSecrets)
       })
     }
   }, [envKeys, data])
@@ -1054,9 +1082,10 @@ export default function EnvironmentPath({
                 />
               ))}
 
-            {dynamicSecrets.map((secret) => (
-              <DynamicSecretRow key={secret.id} secret={secret} />
-            ))}
+            {environment &&
+              dynamicSecrets.map((secret) => (
+                <DynamicSecretRow key={secret.id} secret={secret} environment={environment} />
+              ))}
 
             {organisation &&
               filteredAndSortedSecrets.map((secret, index: number) => (

From e8ba64165aa126c9588dea9571ae9f6e5828d5d5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 17:01:51 +0530
Subject: [PATCH 026/117] feat: add and enforce permissions for
 DynamicSecretLeases

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/access/roles.py             |  5 ++
 .../secrets/dynamic/graphene/mutations.py     | 49 +++++--------------
 .../secrets/dynamic/graphene/types.py         | 16 +++++-
 3 files changed, 31 insertions(+), 39 deletions(-)

diff --git a/backend/api/utils/access/roles.py b/backend/api/utils/access/roles.py
index b3723fd16..6eb243191 100644
--- a/backend/api/utils/access/roles.py
+++ b/backend/api/utils/access/roles.py
@@ -19,6 +19,7 @@
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
             "Secrets": ["create", "read", "update", "delete"],
+            "DynamicSecretLeases": ["create", "read", "update", "delete"],
             "Lockbox": ["create", "read", "update", "delete"],
             "Logs": ["create", "read", "update", "delete"],
             "Tokens": ["create", "read", "update", "delete"],
@@ -49,6 +50,7 @@
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
             "Secrets": ["create", "read", "update", "delete"],
+            "DynamicSecretLeases": ["create", "read", "update", "delete"],
             "Lockbox": ["create", "read", "update", "delete"],
             "Logs": ["create", "read", "update", "delete"],
             "Tokens": ["create", "read", "update", "delete"],
@@ -78,6 +80,7 @@
         "app_permissions": {
             "Environments": ["read", "create", "update"],
             "Secrets": ["create", "read", "update", "delete"],
+            "DynamicSecretLeases": ["create", "read", "update", "delete"],
             "Lockbox": ["create", "read", "update", "delete"],
             "Logs": ["create", "read", "update", "delete"],
             "Tokens": ["create", "read", "update", "delete"],
@@ -111,6 +114,7 @@
         "app_permissions": {
             "Environments": ["read", "create", "update"],
             "Secrets": ["create", "read", "update", "delete"],
+            "DynamicSecretLeases": ["create", "read"],
             "Lockbox": ["create", "read", "update", "delete"],
             "Logs": ["read"],
             "Tokens": ["read", "create"],
@@ -140,6 +144,7 @@
         "app_permissions": {
             "Environments": ["read", "create", "update", "delete"],
             "Secrets": ["create", "read", "update", "delete"],
+            "DynamicSecretLeases": ["create", "read"],
             "Lockbox": [],
             "Logs": [],
             "Tokens": [],
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
index 4e274a03e..84796fe20 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -140,45 +140,16 @@ def mutate(
         if not user_is_org_member(user.userId, org.id):
             raise GraphQLError("You don't have access to this organisation")
 
-        if not user_has_permission(user, "create", "Secrets", org, True):
-            raise GraphQLError("You don't have permission to create Dynamic Secrets")
+        if lease.organisation_member.id != org_member.id and not user_has_permission(
+            info.context.user, "update", "DynamicSecretLeases", org, True
+        ):
+            raise GraphQLError(
+                "You cannot renew this lease as it wasn't created by you"
+            )
 
         if not user_can_access_environment(user.userId, lease.secret.environment.id):
             raise GraphQLError("You don't have access to this environment")
 
-        # if timedelta(seconds=ttl) > lease.secret.max_ttl:
-        #     raise GraphQLError(
-        #         "The specified TTL exceeds the maximum TTL for this dynamic secret."
-        #     )
-
-        # if lease.expires_at <= timezone.now():
-        #     raise GraphQLError("This lease has expired and cannot be renewed")
-
-        # else:
-        #     lease.expires_at = timezone.now() + timedelta(seconds=ttl)
-        #     lease.updated_at = timezone.now()
-
-        # # --- reschedule cleanup job ---
-        # scheduler = django_rq.get_scheduler("scheduled-jobs")
-
-        # # cancel the old job if it exists
-        # if lease.cleanup_job_id:
-        #     try:
-        #         old_job = Job.fetch(lease.cleanup_job_id, connection=scheduler.connection)
-        #         old_job.cancel()
-        #     except Exception:
-        #         # job might already have run or been deleted
-        #         pass
-
-        # # enqueue a new revocation job
-        # job = scheduler.enqueue_at(
-        #     lease.expires_at,
-        #     revoke_aws_dynamic_secret_lease,
-        #     lease.id,
-        # )
-        # lease.cleanup_job_id = job.id
-        # lease.save()
-
         lease = renew_dynamic_secret_lease(lease, ttl)
 
         return RenewLeaseMutation(lease=lease)
@@ -208,8 +179,12 @@ def mutate(
         if not user_is_org_member(user.userId, org.id):
             raise GraphQLError("You don't have access to this organisation")
 
-        if not user_has_permission(user, "create", "Secrets", org, True):
-            raise GraphQLError("You don't have permission to create Dynamic Secrets")
+        if lease.organisation_member.id != org_member.id and not user_has_permission(
+            info.context.user, "delete", "DynamicSecretLeases", org, True
+        ):
+            raise GraphQLError(
+                "You cannot revoke this lease as it wasn't created by you"
+            )
 
         if not user_can_access_environment(user.userId, lease.secret.environment.id):
             raise GraphQLError("You don't have access to this environment")
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
index 5539614f4..0e302ec81 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -1,4 +1,5 @@
-from api.models import DynamicSecret, DynamicSecretLease
+from api.models import DynamicSecret, DynamicSecretLease, OrganisationMember
+from api.utils.access.permissions import user_has_permission
 import graphene
 from graphene_django import DjangoObjectType
 from graphene.types.generic import GenericScalar
@@ -75,7 +76,18 @@ def resolve_max_ttl_seconds(self, info):
         return int(self.max_ttl.total_seconds()) if self.max_ttl else None
 
     def resolve_leases(self, info):
-        return self.leases.order_by("-created_at")
+        filter = {}
+        if not user_has_permission(
+            info.context.user,
+            "read",
+            "DynamicSecretLeases",
+            self.environment.app.organisation,
+            True,
+        ):
+            filter["organisation_member"] = OrganisationMember.objects.get(
+                organisation=self.environment.app.organisation, user=info.context.user
+            )
+        return self.leases.filter(**filter).order_by("-created_at")
 
 
 class DynamicSecretLeaseType(DjangoObjectType):

From 693488569f208f8fd6ca1a3b47e678e80373bf81 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 19:13:45 +0530
Subject: [PATCH 027/117] fix: duplicate check logic for dynamic secret key map

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/secrets.py | 47 +++++++++++-------------------------
 1 file changed, 14 insertions(+), 33 deletions(-)

diff --git a/backend/api/utils/secrets.py b/backend/api/utils/secrets.py
index c84a9f6d8..efca5c15c 100644
--- a/backend/api/utils/secrets.py
+++ b/backend/api/utils/secrets.py
@@ -159,71 +159,52 @@ def check_for_duplicates_blind(secrets, environment):
 
     processed_secrets = set()  # Set to store processed secrets
 
-    # --- Check static secrets ---
+    # --- Collect digests from input secrets ---
     for secret in secrets:
         if "keyDigest" in secret:
             try:
                 path = normalize_path_string(secret["path"])
             except:
                 path = "/"
+            processed_secrets.add((path, secret["keyDigest"]))
 
-            # Check if the secret is already processed
-            if (path, secret["keyDigest"]) in processed_secrets:
-                return True  # Found a duplicate within the list
-
-            # Check if the secret already exists in the database
+    # --- Check static secrets in DB ---
+    for secret in secrets:
+        if "keyDigest" in secret:
+            try:
+                path = normalize_path_string(secret["path"])
+            except:
+                path = "/"
             query_duplicates = Secret.objects.filter(
                 environment=environment,
                 path=path,
                 key_digest=secret["keyDigest"],
                 deleted_at=None,
             )
-
             if "id" in secret:
                 query_duplicates = query_duplicates.exclude(id=secret["id"])
-
             if query_duplicates.exists():
-                return True  # Found a duplicate in the database
-
-            # Add the processed secret to the set
-            processed_secrets.add((path, secret["keyDigest"]))
+                return True
 
-    # --- Check dynamic secrets key_map ---
+    # --- Check dynamic secrets key_map in DB ---
     for secret in secrets:
         try:
             path = normalize_path_string(secret.get("path", "/"))
         except:
             path = "/"
-
-        # Query all DynamicSecret objects at this environment and path
         dynamic_secrets = DynamicSecret.objects.filter(
             environment=environment,
             path=path,
             deleted_at=None,
         )
-
         for dyn_secret in dynamic_secrets:
             key_map = dyn_secret.key_map or []
             for entry in key_map:
                 key_digest = entry.get("key_digest")
-
                 if key_digest and (path, key_digest) in processed_secrets:
-                    return True  # Found a duplicate in dynamic secret key_map
-
-                # Also check for duplicates within the database
-                if key_digest:
-                    # Check if any other DynamicSecret at this env/path has this key_digest
-                    other_dyn_secrets = dynamic_secrets.exclude(id=dyn_secret.id)
-                    for other_dyn in other_dyn_secrets:
-                        other_key_map = other_dyn.key_map or []
-                        for other_entry in other_key_map:
-                            if other_entry.get("key_digest") == key_digest:
-                                return True
-
-                if key_digest:
-                    processed_secrets.add((path, key_digest))
-
-    return False  # No duplicates found
+                    return True
+
+    return False
 
 
 def decompose_path_and_key(composed_key):

From ff72d496e9ad7bf975b9d35e435581767ac0da11 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 2 Sep 2025 19:14:08 +0530
Subject: [PATCH 028/117] fix: cleanup create dialog props and rest form state
 on create

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[environment]/[[...path]]/page.tsx        |  2 -
 .../_components/CreateDynamicSecretDialog.tsx | 41 +++++++++++--------
 2 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index 088bc81c9..050919ea9 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -1069,8 +1069,6 @@ export default function EnvironmentPath({
               environment={environment}
               path={'/'}
               ref={dynamicSecretDialogRef}
-              staticSecrets={serverSecrets}
-              dynamicSecrets={dynamicSecrets}
             />
 
             {organisation &&
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
index 55af0f3d8..f0510bf92 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
@@ -7,7 +7,6 @@ import {
   EnvironmentType,
   ProviderCredentialsType,
   KeyMapInput,
-  SecretType,
   DynamicSecretType,
 } from '@/apollo/graphql'
 import { GetDynamicSecretProviders } from '@/graphql/queries/secrets/dynamic/getProviders.gql'
@@ -27,7 +26,6 @@ import { FaArrowRightLong } from 'react-icons/fa6'
 import { MdOutlinePassword } from 'react-icons/md'
 import { camelCase } from 'lodash'
 import { toast } from 'react-toastify'
-import { duplicateKeysExist } from '@/utils/secrets'
 import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
 import { MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { Textarea } from '@/components/common/TextArea'
@@ -41,14 +39,12 @@ type CreateDynamicSecretDialogRef = {
 interface CreateDynamicSecretDialogProps {
   environment: EnvironmentType
   path: string
-  staticSecrets: SecretType[]
-  dynamicSecrets: DynamicSecretType[]
 }
 
 export const CreateDynamicSecretDialog = forwardRef<
   CreateDynamicSecretDialogRef,
   CreateDynamicSecretDialogProps
->(({ environment, path, staticSecrets, dynamicSecrets }, ref) => {
+>(({ environment, path }, ref) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   const { data } = useQuery(GetDynamicSecretProviders)
@@ -81,6 +77,27 @@ export const CreateDynamicSecretDialog = forwardRef<
     maxTTL: '86400',
   })
 
+  const reset = () => {
+    setProvider(null)
+    setActiveStep(0)
+    setFormData({
+      name: 'AWS IAM credentials',
+      description: '',
+      credential: null as ProviderCredentialsType | null,
+      config: {
+        usernameTemplate: '{{random}}',
+        iamPath: `/phase/`,
+        permissionBoundaryArn: undefined,
+        groups: [],
+        policyArns: [],
+        policyDocument: undefined,
+      } as AwsConfigInput,
+      keyMap: [] as KeyMapInput[],
+      defaultTTL: '3600',
+      maxTTL: '86400',
+    })
+  }
+
   useEffect(() => {
     if (!provider) return
 
@@ -153,19 +170,6 @@ export const CreateDynamicSecretDialog = forwardRef<
         return false
       }
 
-      // Check for duplicate secret names
-      // if (
-      //   duplicateKeysExist(staticSecrets, [
-      //     ...dynamicSecrets,
-      //     { id: 'new-dynamic-secret', keyMap: formData.keyMap } as DynamicSecretType,
-      //   ])
-      // ) {
-      //   toast.error(
-      //     'One or more secret keys already exist at this path. Please select a unique key name for each credential.'
-      //   )
-      //   return false
-      // }
-
       if (parseInt(formData.defaultTTL, 10) > parseInt(formData.maxTTL, 10)) {
         toast.error('Default TTL must be less than or equal to Max TTL')
       }
@@ -200,6 +204,7 @@ export const CreateDynamicSecretDialog = forwardRef<
       })
 
       toast.success('Created new dynamic secret')
+      reset()
       dialogRef.current?.closeModal()
     }
   }

From 8e1e076d4b34996c8f617d4c8e646a4f0ab740b1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 3 Sep 2025 14:13:20 +0530
Subject: [PATCH 029/117] feat: misc updates and improvements to TTL inputs

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/CreateDynamicSecretDialog.tsx | 70 ++++++++++++++-----
 .../_components/UpdateDynamicSecretDialog.tsx | 69 +++++++++++++-----
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 39 ++++++-----
 frontend/utils/dynamicSecrets.ts              | 16 ++---
 4 files changed, 135 insertions(+), 59 deletions(-)

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
index f0510bf92..ae1b298d7 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
@@ -27,7 +27,7 @@ import { MdOutlinePassword } from 'react-icons/md'
 import { camelCase } from 'lodash'
 import { toast } from 'react-toastify'
 import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
-import { MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
 
@@ -209,6 +209,8 @@ export const CreateDynamicSecretDialog = forwardRef<
     }
   }
 
+  const ttlButtons = leaseTtlButtons
+
   const ProviderMenu = () => (
     <div className="grid">
       {data?.dynamicSecretProviders?.map((provider: DynamicSecretProviderType) => (
@@ -326,22 +328,56 @@ export const CreateDynamicSecretDialog = forwardRef<
                         Configure the default and max TTLs for generated secrets
                       </div>
                     </div>
-                    <Input
-                      type="number"
-                      label="Default TTL (seconds)"
-                      required
-                      min={1}
-                      value={formData.defaultTTL}
-                      setValue={(val) => setFormData({ ...formData, defaultTTL: val })}
-                    />
-                    <Input
-                      type="number"
-                      label="Max TTL (seconds)"
-                      required
-                      min={1}
-                      value={formData.maxTTL}
-                      setValue={(val) => setFormData({ ...formData, maxTTL: val })}
-                    />
+
+                    <div className="flex items-end gap-4 justify-between">
+                      <Input
+                        value={formData.maxTTL}
+                        setValue={(val) => setFormData({ ...formData, maxTTL: val })}
+                        type="number"
+                        min={60}
+                        label="Max TTL (seconds)"
+                        max={formData.maxTTL!}
+                        required
+                      />
+
+                      <div className="flex items-center gap-2 py-1">
+                        {ttlButtons.map((button) => (
+                          <Button
+                            type="button"
+                            variant={formData.maxTTL === button.seconds ? 'secondary' : 'ghost'}
+                            key={button.label}
+                            onClick={() => setFormData({ ...formData, maxTTL: button.seconds })}
+                          >
+                            {button.label}
+                          </Button>
+                        ))}
+                      </div>
+                    </div>
+
+                    <div className="flex items-end gap-4 justify-between">
+                      <Input
+                        value={formData.defaultTTL}
+                        setValue={(val) => setFormData({ ...formData, defaultTTL: val })}
+                        type="number"
+                        min={60}
+                        label="Default TTL (seconds)"
+                        max={formData.maxTTL!}
+                        required
+                      />
+
+                      <div className="flex items-center gap-2 py-1">
+                        {ttlButtons.map((button) => (
+                          <Button
+                            type="button"
+                            variant={formData.defaultTTL === button.seconds ? 'secondary' : 'ghost'}
+                            key={button.label}
+                            onClick={() => setFormData({ ...formData, defaultTTL: button.seconds })}
+                          >
+                            {button.label}
+                          </Button>
+                        ))}
+                      </div>
+                    </div>
                   </div>
 
                   <div className="space-y-4 pt-6">
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
index 7a31522b0..bbe1ea167 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
@@ -27,6 +27,7 @@ import { duplicateKeysExist } from '@/utils/secrets'
 import { FaCog, FaCogs } from 'react-icons/fa'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
+import { leaseTtlButtons } from '@/utils/dynamicSecrets'
 
 type UpdateDynamicSecretDialogRef = {
   openModal: () => void
@@ -166,6 +167,8 @@ export const UpdateDynamicSecretDialog = forwardRef<
     }))
   }
 
+  const ttlButtons = leaseTtlButtons
+
   return (
     <GenericDialog
       ref={dialogRef}
@@ -242,22 +245,56 @@ export const UpdateDynamicSecretDialog = forwardRef<
                   Configure the default and max TTLs for generated secrets
                 </div>
               </div>
-              <Input
-                type="number"
-                label="Default TTL (seconds)"
-                required
-                min={1}
-                value={formData.defaultTTL}
-                setValue={(val) => setFormData({ ...formData, defaultTTL: val })}
-              />
-              <Input
-                type="number"
-                label="Max TTL (seconds)"
-                required
-                min={1}
-                value={formData.maxTTL}
-                setValue={(val) => setFormData({ ...formData, maxTTL: val })}
-              />
+
+              <div className="flex items-end gap-4 justify-between">
+                <Input
+                  value={formData.maxTTL}
+                  setValue={(val) => setFormData({ ...formData, maxTTL: val })}
+                  type="number"
+                  min={60}
+                  label="Max TTL (seconds)"
+                  max={formData.maxTTL!}
+                  required
+                />
+
+                <div className="flex items-center gap-2 py-1">
+                  {ttlButtons.map((button) => (
+                    <Button
+                      type="button"
+                      variant={formData.maxTTL === button.seconds ? 'secondary' : 'ghost'}
+                      key={button.label}
+                      onClick={() => setFormData({ ...formData, maxTTL: button.seconds })}
+                    >
+                      {button.label}
+                    </Button>
+                  ))}
+                </div>
+              </div>
+
+              <div className="flex items-end gap-4 justify-between">
+                <Input
+                  value={formData.defaultTTL}
+                  setValue={(val) => setFormData({ ...formData, defaultTTL: val })}
+                  type="number"
+                  min={60}
+                  label="Default TTL (seconds)"
+                  max={formData.maxTTL!}
+                  required
+                />
+
+                <div className="flex items-center gap-2 py-1">
+                  {ttlButtons.map((button) => (
+                    <Button
+                      type="button"
+                      variant={formData.defaultTTL === button.seconds ? 'secondary' : 'ghost'}
+                      key={button.label}
+                      onClick={() => setFormData({ ...formData, defaultTTL: button.seconds })}
+                    >
+                      {button.label}
+                    </Button>
+                  ))}
+                </div>
+              </div>
             </div>
             <div className="space-y-4 pt-6">
               <div className="border-b border-neutral-500/20">
diff --git a/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
index 900ec9752..6a72070bb 100644
--- a/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
@@ -89,24 +89,27 @@ export const RenewLeaseDialog = ({
 
               <p>Select a TTL to renew this lease.</p>
             </div>
-            <Input
-              value={ttl}
-              setValue={setTtl}
-              type="number"
-              label="TTL (seconds)"
-              max={secret.maxTtlSeconds!}
-              required
-            />
-            <div className="flex items-center gap-4">
-              {ttlButtons.map((button) => (
-                <Button
-                  variant={ttl === button.seconds ? 'secondary' : 'ghost'}
-                  key={button.label}
-                  onClick={() => setTtl(button.seconds)}
-                >
-                  {button.label}
-                </Button>
-              ))}
+            <div className="flex items-end gap-4 justify-between">
+              <Input
+                value={ttl}
+                setValue={setTtl}
+                type="number"
+                label="TTL (seconds)"
+                max={secret.maxTtlSeconds!}
+                required
+              />
+
+              <div className="flex items-center gap-2 py-1">
+                {ttlButtons.map((button) => (
+                  <Button
+                    variant={ttl === button.seconds ? 'secondary' : 'ghost'}
+                    key={button.label}
+                    onClick={() => setTtl(button.seconds)}
+                  >
+                    {button.label}
+                  </Button>
+                ))}
+              </div>
             </div>
           </div>
         )}
diff --git a/frontend/utils/dynamicSecrets.ts b/frontend/utils/dynamicSecrets.ts
index 190d9e419..379520d67 100644
--- a/frontend/utils/dynamicSecrets.ts
+++ b/frontend/utils/dynamicSecrets.ts
@@ -9,14 +9,6 @@ export const leaseTtlButtons = [
       label: '1h',
       seconds: '3600',
     },
-    {
-      label: '3h',
-      seconds: '10800',
-    },
-    {
-      label: '6h',
-      seconds: '21600',
-    },
     {
       label: '12h',
       seconds: '43200',
@@ -25,6 +17,14 @@ export const leaseTtlButtons = [
       label: '24h',
       seconds: '86400',
     },
+    {
+      label: '30d',
+      seconds: '2592000',
+    },
+    {
+      label: '90d',
+      seconds: '7776000',
+    },
   ]
 
 

From 1f08f5617d2f9e038dd4cfbb332ad08c32723338 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 3 Sep 2025 14:13:50 +0530
Subject: [PATCH 030/117] fix: duplicate key checking for existing dynamic
 secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/secrets.py                                | 2 +-
 .../integrations/secrets/dynamic/aws/graphene/mutations.py  | 6 +++++-
 backend/ee/integrations/secrets/dynamic/utils.py            | 3 ++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/backend/api/utils/secrets.py b/backend/api/utils/secrets.py
index efca5c15c..0516f59b2 100644
--- a/backend/api/utils/secrets.py
+++ b/backend/api/utils/secrets.py
@@ -196,7 +196,7 @@ def check_for_duplicates_blind(secrets, environment):
             environment=environment,
             path=path,
             deleted_at=None,
-        )
+        ).exclude(id=secret["dynamic_secret_id"])
         for dyn_secret in dynamic_secrets:
             key_map = dyn_secret.key_map or []
             for entry in key_map:
diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
index 8396a4fe8..2478efb47 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -204,7 +204,11 @@ def mutate(
 
         try:
             validated_key_map = validate_key_map(
-                key_map, dynamic_secret.provider, dynamic_secret.environment, path
+                key_map,
+                dynamic_secret.provider,
+                dynamic_secret.environment,
+                path,
+                dynamic_secret.id,
             )
             dynamic_secret.key_map = validated_key_map
         except ValidationError as e:
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 7ed2c119c..866a0e1c5 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -22,7 +22,7 @@
 DynamicSecret = apps.get_model("api", "DynamicSecret")
 
 
-def validate_key_map(key_map, provider, environment, path):
+def validate_key_map(key_map, provider, environment, path, dynamic_secret_id=None):
     provider_def = None
     for prov in DynamicSecretProviders.__dict__.values():
         if isinstance(prov, dict) and prov.get("id") == provider:
@@ -40,6 +40,7 @@ def validate_key_map(key_map, provider, environment, path):
         decrypted_key_name = decrypt_asymmetric(
             entry["key_name"], env_privkey, env_pubkey
         )
+        entry["dynamic_secret_id"] = dynamic_secret_id
         entry["path"] = path
         digest = compute_key_digest(decrypted_key_name, environment.id)
         entry["keyDigest"] = digest

From fb3cef1676417c02bd97e5e64a02a536ca8cb238 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 18:50:20 +0530
Subject: [PATCH 031/117] feat: reorganize dynamic secret lease utils and
 improve error handling

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/aws/utils.py |  4 ++-
 .../secrets/dynamic/graphene/mutations.py     | 32 +++++++------------
 .../ee/integrations/secrets/dynamic/utils.py  | 25 +++++++++++++++
 3 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index af427476b..8e05c94cd 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -5,7 +5,7 @@
 from api.utils.crypto import decrypt_asymmetric, encrypt_asymmetric, get_server_keypair
 from api.utils.syncing.aws.auth import get_aws_sts_session
 from api.utils.secrets import get_environment_keys
-from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
+
 from backend.utils.secrets import get_secret
 from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
 import logging
@@ -418,6 +418,8 @@ def create_aws_dynamic_secret_lease(
     )
 
     # --- Schedule revocation ---
+    from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
+
     schedule_lease_revocation(lease)
 
     return lease, lease_data
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
index 84796fe20..27bb9cd00 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -4,7 +4,10 @@
     user_has_permission,
     user_is_org_member,
 )
-from ee.integrations.secrets.dynamic.utils import renew_dynamic_secret_lease
+from ee.integrations.secrets.dynamic.utils import (
+    create_dynamic_secret_lease,
+    renew_dynamic_secret_lease,
+)
 from ee.integrations.secrets.dynamic.aws.graphene.types import (
     AwsCredentialsType,
 )
@@ -92,25 +95,14 @@ def mutate(
 
         # create lease
         lease_name = secret.name if name is None else name
-        try:
-            if secret.provider == "aws":
-                lease, lease_data = create_aws_dynamic_secret_lease(
-                    secret=secret,
-                    lease_name=lease_name,
-                    organisation_member=org_member,
-                    ttl_seconds=ttl,
-                )
-
-                lease._credentials = AwsCredentialsType(
-                    access_key_id=lease_data["access_key_id"],
-                    secret_access_key=lease_data["secret_access_key"],
-                    username=lease_data["username"],
-                )
-
-        except ValidationError as e:
-            logger.error(f"Error creating dynamic secret lease: {e}")
-            raise GraphQLError(e.message)
-
+        lease, lease_data = create_dynamic_secret_lease(
+            secret, lease_name, ttl, org_member
+        )
+        lease._credentials = AwsCredentialsType(
+            access_key_id=lease_data["access_key_id"],
+            secret_access_key=lease_data["secret_access_key"],
+            username=lease_data["username"],
+        )
         return LeaseDynamicSecret(lease=lease)
 
 
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 866a0e1c5..9d7aa70ec 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -7,6 +7,9 @@
     get_environment_keys,
 )
 from api.utils.crypto import decrypt_asymmetric
+from ee.integrations.secrets.dynamic.aws.utils import (
+    create_aws_dynamic_secret_lease,
+)
 from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
 from uuid import uuid4
 from django.core.exceptions import ValidationError
@@ -148,6 +151,28 @@ def create_dynamic_secret(
     return dynamic_secret
 
 
+def create_dynamic_secret_lease(
+    secret, lease_name=None, ttl=None, organisation_member=None, service_account=None
+):
+    try:
+        lease_name = lease_name or secret.name
+        ttl = ttl or int(secret.default_ttl.total_seconds())
+        if secret.provider == "aws":
+            lease, lease_data = create_aws_dynamic_secret_lease(
+                secret=secret,
+                lease_name=lease_name,
+                organisation_member=organisation_member,
+                service_account=service_account,
+                ttl_seconds=ttl,
+            )
+
+            return lease, lease_data
+
+    except ValidationError as e:
+        logger.error(f"Error creating dynamic secret lease: {e}")
+        raise GraphQLError(e.message)
+
+
 def renew_dynamic_secret_lease(lease, ttl):
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
         raise GraphQLError(

From c83a2f99e99909efadb88685626917d105af0472 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 18:50:58 +0530
Subject: [PATCH 032/117] feat: add rest api serializer for leased dynamic
 secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/serializers.py            | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 backend/ee/integrations/secrets/dynamic/serializers.py

diff --git a/backend/ee/integrations/secrets/dynamic/serializers.py b/backend/ee/integrations/secrets/dynamic/serializers.py
new file mode 100644
index 000000000..b8e4233e5
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/serializers.py
@@ -0,0 +1,51 @@
+from api.models import DynamicSecretLease
+from api.utils.crypto import decrypt_asymmetric
+from api.utils.secrets import get_environment_keys
+from rest_framework import serializers
+
+
+class DynamicSecretLeaseSerializer(serializers.ModelSerializer):
+    credentials = serializers.SerializerMethodField()
+
+    class Meta:
+        model = DynamicSecretLease
+        fields = [
+            "id",
+            "name",
+            "description",
+            "secret",
+            "ttl",
+            "status",
+            "credentials",
+            "created_at",
+            "renewed_at",
+            "expires_at",
+            "revoked_at",
+            "deleted_at",
+        ]
+
+    def get_credentials(self, obj):
+        sse = self.context.get("sse")
+        credentials = obj.credentials or {}
+        key_map = obj.secret.key_map if obj.secret else []
+        result = []
+        if sse:
+            env_pubkey, env_privkey = get_environment_keys(obj.secret.environment.id)
+            for entry in key_map:
+                key_id = entry.get("id")
+                key_name_encrypted = entry.get("key_name")
+                cred_encrypted = credentials.get(key_id)
+                if key_name_encrypted and cred_encrypted:
+                    key_name = decrypt_asymmetric(
+                        key_name_encrypted, env_privkey, env_pubkey
+                    )
+                    value = decrypt_asymmetric(cred_encrypted, env_privkey, env_pubkey)
+                    result.append({"key_name": key_name, "value": value})
+        else:
+            for entry in key_map:
+                key_id = entry.get("id")
+                key_name = entry.get("key_name")
+                value = credentials.get(key_id)
+                if key_name and value:
+                    result.append({"key": key_name, "value": value})
+        return result

From b199db6df90a2c5c661a7dd7c9becd5cd9eb4519 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 19:26:45 +0530
Subject: [PATCH 033/117] fix: correctly parse path query var when fetching
 dynamic secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/schema.py                                     | 1 +
 backend/ee/integrations/secrets/dynamic/graphene/queries.py   | 4 +++-
 frontend/apollo/gql.ts                                        | 4 ++--
 frontend/apollo/graphql.ts                                    | 3 ++-
 frontend/apollo/schema.graphql                                | 2 +-
 .../graphql/queries/secrets/dynamic/getDynamicSecrets.gql     | 4 ++--
 frontend/graphql/queries/secrets/getSecrets.gql               | 2 +-
 7 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 8bd2e4943..1496c7eef 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -418,6 +418,7 @@ class Query(graphene.ObjectType):
         secret_id=graphene.ID(required=False),
         app_id=graphene.ID(required=False),
         env_id=graphene.ID(required=False),
+        path=graphene.String(required=False),
         org_id=graphene.ID(),
     )
 
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/queries.py b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
index aad308d68..ca799c5f1 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/queries.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
@@ -24,7 +24,7 @@ def resolve_dynamic_secret_providers(self, info):
 
 
 def resolve_dynamic_secrets(
-    root, info, secret_id=None, app_id=None, env_id=None, org_id=None
+    root, info, secret_id=None, app_id=None, env_id=None, path="/", org_id=None
 ):
     user = info.context.user
     filters = {"deleted_at": None}
@@ -32,6 +32,8 @@ def resolve_dynamic_secrets(
     if secret_id:
         filters["id"] = secret_id
 
+    else:
+        filters["path"] = path
     org = None
 
     # Figure out which org to use
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 0c62d6b7e..b81930a76 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -130,7 +130,7 @@ const documents = {
     "query GetSecretHistory($appId: ID!, $envId: ID!, $id: ID!) {\n  secrets(envId: $envId, id: $id) {\n    id\n    history {\n      id\n      key\n      value\n      path\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      eventType\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetSecretHistoryDocument,
     "query GetEnvSecretsKV($envId: ID!) {\n  folders(envId: $envId, path: \"/\") {\n    id\n    name\n  }\n  secrets(envId: $envId, path: \"/\") {\n    id\n    key\n    value\n    comment\n    path\n  }\n  environmentKeys(environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetEnvSecretsKvDocument,
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
-    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
+    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
     "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
@@ -643,7 +643,7 @@ export function graphql(source: "query GetSecretTags($orgId: ID!) {\n  secretTag
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 3e72aeac9..b62fa0905 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -1760,6 +1760,7 @@ export type QueryDynamicSecretsArgs = {
   appId?: InputMaybe<Scalars['ID']['input']>;
   envId?: InputMaybe<Scalars['ID']['input']>;
   orgId?: InputMaybe<Scalars['ID']['input']>;
+  path?: InputMaybe<Scalars['String']['input']>;
   secretId?: InputMaybe<Scalars['ID']['input']>;
 };
 
@@ -3704,7 +3705,7 @@ export const GetOrgSecretKeysDocument = {"kind":"Document","definitions":[{"kind
 export const GetSecretHistoryDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretHistory"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetSecretHistoryQuery, GetSecretHistoryQueryVariables>;
 export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetEnvSecretsKV"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetEnvSecretsKvQuery, GetEnvSecretsKvQueryVariables>;
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
-export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
+export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
 export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 0ebf2732b..6cec7aac4 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -54,7 +54,7 @@ type Query {
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
   dynamicSecretProviders: [DynamicSecretProviderType]
-  dynamicSecrets(secretId: ID, appId: ID, envId: ID, orgId: ID): [DynamicSecretType]
+  dynamicSecrets(secretId: ID, appId: ID, envId: ID, path: String, orgId: ID): [DynamicSecretType]
 }
 
 type OrganisationType {
diff --git a/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql b/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
index 160b076ce..30cb66914 100644
--- a/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
+++ b/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
@@ -1,5 +1,5 @@
-query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {
-  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {
+query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {
+  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {
     id
     name
     environment {
diff --git a/frontend/graphql/queries/secrets/getSecrets.gql b/frontend/graphql/queries/secrets/getSecrets.gql
index 21f00f600..597568cad 100644
--- a/frontend/graphql/queries/secrets/getSecrets.gql
+++ b/frontend/graphql/queries/secrets/getSecrets.gql
@@ -65,7 +65,7 @@ query GetSecrets($appId: ID!, $envId: ID!, $path: String) {
     lastSync
     createdAt
   }
-  dynamicSecrets(envId: $envId) {
+  dynamicSecrets(envId: $envId, path: $path) {
     id
     name
     description

From dee747c26e57c6aae7c3f29edced7b5490f1f672 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 19:27:13 +0530
Subject: [PATCH 034/117] fix: misc fixes to path handling and other cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[environment]/[[...path]]/page.tsx        |  9 ++++--
 .../_components/DynamicSecret.tsx             |  4 +--
 .../secrets/dynamic/DynamicSecretRow.tsx      |  4 +--
 ...ecretDialog.tsx => ManageLeasesDialog.tsx} | 29 ++++++++++++++-----
 4 files changed, 33 insertions(+), 13 deletions(-)
 rename frontend/components/environments/secrets/dynamic/{ManageDynamicSecretDialog.tsx => ManageLeasesDialog.tsx} (77%)

diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index 050919ea9..109130700 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -587,6 +587,11 @@ export default function EnvironmentPath({
 
   const filteredAndSortedSecrets = sortSecrets(filteredSecrets, sort)
 
+  const noSecrets =
+    filteredAndSortedSecrets.length === 0 &&
+    filteredFolders.length === 0 &&
+    dynamicSecrets.length === 0
+
   const downloadEnvFile = () => {
     const envContent = serverSecrets
       .map((secret) => {
@@ -1067,7 +1072,7 @@ export default function EnvironmentPath({
             <NewFolderMenu />
             <CreateDynamicSecretDialog
               environment={environment}
-              path={'/'}
+              path={secretPath}
               ref={dynamicSecretDialogRef}
             />
 
@@ -1111,7 +1116,7 @@ export default function EnvironmentPath({
                 </div>
               ))}
 
-            {filteredAndSortedSecrets.length === 0 && filteredFolders.length === 0 && (
+            {noSecrets && (
               <EmptyState
                 title={searchQuery ? `No results for "${searchQuery}"` : 'No secrets here'}
                 subtitle="Add secrets or folders here to get started"
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
index d4a19dd06..123b54581 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
@@ -1,6 +1,6 @@
 import { DynamicSecretType } from '@/apollo/graphql'
 import { DeleteDynamicSecretDialog } from '@/components/environments/secrets/dynamic/DeleteDynamicSecretDialog'
-import { ManageDynamicSecretDialog } from '@/components/environments/secrets/dynamic/ManageDynamicSecretDialog'
+import { ManageLeasesDialog } from '@/components/environments/secrets/dynamic/ManageLeasesDialog'
 import { ProviderIcon } from '@/components/syncing/ProviderIcon'
 import { Button } from '@/components/common/Button'
 import { organisationContext } from '@/contexts/organisationContext'
@@ -23,7 +23,7 @@ export const DynamicSecret = ({ secret }: { secret: DynamicSecretType }) => {
       <div className="relative group flex items-center justify-between w-full">
         <div className="flex h-full items-center justify-start gap-4 opacity-0 group-hover:opacity-100 transition ease">
           {/* <CreateLeaseDialog secret={secret} /> */}
-          <ManageDynamicSecretDialog secret={secret} />
+          <ManageLeasesDialog secret={secret} />
         </div>
         <div className="flex h-full items-center justify-end gap-4 opacity-0 group-hover:opacity-100 transition ease">
           {/* <DeleteDynamicSecretDialog secret={secret} /> */}
diff --git a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
index a27332708..66ff2fb94 100644
--- a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
@@ -3,7 +3,7 @@ import clsx from 'clsx'
 import { FaBolt } from 'react-icons/fa6'
 
 import { CreateLeaseDialog } from './CreateLeaseDialog'
-import { ManageDynamicSecretDialog } from './ManageDynamicSecretDialog'
+import { ManageLeasesDialog } from './ManageLeasesDialog'
 import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
 import { UpdateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog'
 
@@ -57,7 +57,7 @@ export const DynamicSecretRow = ({
 
         <div className="flex h-full items-center gap-4  opacity-0 group-hover:opacity-100 transition ease">
           <CreateLeaseDialog secret={secret} />
-          <ManageDynamicSecretDialog secret={secret} />
+          <ManageLeasesDialog secret={secret} />
           <UpdateDynamicSecretDialog secret={secret} environment={environment} />
         </div>
       </div>
diff --git a/frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx b/frontend/components/environments/secrets/dynamic/ManageLeasesDialog.tsx
similarity index 77%
rename from frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx
rename to frontend/components/environments/secrets/dynamic/ManageLeasesDialog.tsx
index 3e384b6c3..82b9534bb 100644
--- a/frontend/components/environments/secrets/dynamic/ManageDynamicSecretDialog.tsx
+++ b/frontend/components/environments/secrets/dynamic/ManageLeasesDialog.tsx
@@ -3,8 +3,8 @@ import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
-import { useQuery } from '@apollo/client'
-import { useContext, useRef, useState } from 'react'
+import { useLazyQuery, useQuery } from '@apollo/client'
+import { useContext, useEffect, useRef, useState } from 'react'
 import { FaAngleDoubleDown, FaAngleDoubleUp, FaCog } from 'react-icons/fa'
 import { LeaseCard } from './LeaseCard'
 import { FiRefreshCw } from 'react-icons/fi'
@@ -12,18 +12,31 @@ import { FaListCheck } from 'react-icons/fa6'
 import { CreateLeaseDialog } from './CreateLeaseDialog'
 import { EmptyState } from '@/components/common/EmptyState'
 
-export const ManageDynamicSecretDialog = ({ secret }: { secret: DynamicSecretType }) => {
+export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   const dialogRef = useRef<{ closeModal: () => void; isOpen: boolean }>(null)
 
-  const { data, refetch, loading } = useQuery(GetDynamicSecretLeases, {
-    variables: { secretId: secret.id, orgId: organisation?.id },
-    skip: !organisation,
+  const [isOpen, setIsOpen] = useState(false)
+
+  // Listen for dialog open/close
+  const handleOpen = () => setIsOpen(true)
+  const handleClose = () => setIsOpen(false)
+
+  const [fetchLeases, { data, refetch, loading }] = useLazyQuery(GetDynamicSecretLeases, {
+    //variables: { secretId: secret.id, orgId: organisation?.id },
     notifyOnNetworkStatusChange: true,
   })
 
-  const handleRefetch = async () => await refetch()
+  // Fetch leases when dialog is opened
+  useEffect(() => {
+    if (isOpen && organisation) {
+      fetchLeases({ variables: { secretId: secret.id, orgId: organisation?.id } })
+    }
+  }, [isOpen, organisation, fetchLeases, secret.id])
+
+  const handleRefetch = async () =>
+    await refetch({ variables: { secretId: secret.id, orgId: organisation?.id } })
 
   const [viewLimit, setViewLimit] = useState(10)
 
@@ -43,6 +56,8 @@ export const ManageDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
         </>
       }
       title="View and manage leases"
+      onOpen={handleOpen}
+      onClose={handleClose}
     >
       <div className="space-y-6">
         <div className="text-neutral-500 ">

From fd5486cf169f9f5f2d92633a92616eab822a6ae2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 20:37:00 +0530
Subject: [PATCH 035/117] chore: misc cleanup, formatting

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .vscode/settings.json                         |  4 +-
 .../secrets/dynamic/DynamicSecretRow.tsx      | 12 +--
 frontend/utils/copy.ts                        | 78 +++++++++++--------
 frontend/utils/dynamicSecrets.ts              | 52 ++++++-------
 4 files changed, 75 insertions(+), 71 deletions(-)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index b3af7d528..c63be9001 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -32,5 +32,7 @@
   "[typescriptreact]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
   },
-  "cSpell.words": ["organisation"] // Don't run prettier for files listed in .gitignore
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  } // Don't run prettier for files listed in .gitignore
 }
diff --git a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
index 66ff2fb94..d0a11768b 100644
--- a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
@@ -1,11 +1,11 @@
 import { DynamicSecretType, EnvironmentType, KeyMap } from '@/apollo/graphql'
 import clsx from 'clsx'
 import { FaBolt } from 'react-icons/fa6'
-
 import { CreateLeaseDialog } from './CreateLeaseDialog'
 import { ManageLeasesDialog } from './ManageLeasesDialog'
 import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
 import { UpdateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog'
+import { randomString } from '@/utils/copy'
 
 export const DynamicSecretRow = ({
   secret,
@@ -18,16 +18,6 @@ export const DynamicSecretRow = ({
 
   const KEY_BASE_STYLE = 'w-full font-mono custom bg-transparent transition ease p-1 ph-no-capture'
 
-  function randomString(min = 6, max = 18) {
-    const length = Math.floor(Math.random() * (max - min + 1)) + min
-    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-    let result = ''
-    for (let i = 0; i < length; i++) {
-      result += chars.charAt(Math.floor(Math.random() * chars.length))
-    }
-    return result
-  }
-
   return (
     <div className="p-2 ring-1 ring-inset ring-emerald-400/20 flex w-full rounded-lg group">
       <div className="w-1/3">
diff --git a/frontend/utils/copy.ts b/frontend/utils/copy.ts
index 7cccfde30..1317bdb61 100644
--- a/frontend/utils/copy.ts
+++ b/frontend/utils/copy.ts
@@ -27,8 +27,8 @@ export const colors = [
  * @returns {string} The space-separated string.
  */
 export const camelCaseToSpaces = (str: string): string => {
-  return str.replace(/([a-z])([A-Z])/g, '$1 $2');
-};
+  return str.replace(/([a-z])([A-Z])/g, '$1 $2')
+}
 
 /**
  * Generates a hex color code from a given string.
@@ -39,19 +39,19 @@ export const camelCaseToSpaces = (str: string): string => {
  */
 export const stringToHexColor = (input: string): string => {
   // Simple hash function to generate a consistent hash from the input string
-  let hash = 0;
+  let hash = 0
   for (let i = 0; i < input.length; i++) {
-    hash = input.charCodeAt(i) + ((hash << 5) - hash);
+    hash = input.charCodeAt(i) + ((hash << 5) - hash)
   }
 
   // Convert the hash to a hex color code
-  let color = '#';
+  let color = '#'
   for (let i = 0; i < 3; i++) {
-    const value = (hash >> (i * 8)) & 0xFF;
-    color += ('00' + value.toString(16)).slice(-2);
+    const value = (hash >> (i * 8)) & 0xff
+    color += ('00' + value.toString(16)).slice(-2)
   }
 
-  return color;
+  return color
 }
 
 /**
@@ -62,27 +62,27 @@ export const stringToHexColor = (input: string): string => {
  */
 export const getContrastingTextColor = (hexColor: string): string => {
   // Convert hex to RGB
-  const r = parseInt(hexColor.slice(1, 3), 16);
-  const g = parseInt(hexColor.slice(3, 5), 16);
-  const b = parseInt(hexColor.slice(5, 7), 16);
+  const r = parseInt(hexColor.slice(1, 3), 16)
+  const g = parseInt(hexColor.slice(3, 5), 16)
+  const b = parseInt(hexColor.slice(5, 7), 16)
 
   // Calculate luminance
-  const luminance = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
+  const luminance = (0.299 * r + 0.587 * g + 0.114 * b) / 255
 
   // Return black or white depending on luminance
-  return luminance > 0.5 ? 'black' : 'white';
-};
+  return luminance > 0.5 ? 'black' : 'white'
+}
 
 /**
-* Generates a random hexadecimal color string.
-*
-* @returns {string} A string representing a random hex color in the format "#RRGGBB".
-*/
+ * Generates a random hexadecimal color string.
+ *
+ * @returns {string} A string representing a random hex color in the format "#RRGGBB".
+ */
 export const generateRandomHexColor = (): string => {
- // Generate a random number between 0 and 0xFFFFFF, then convert to a hexadecimal string
- const randomColor = Math.floor(Math.random() * 0xffffff).toString(16)
- // Pad the string with leading zeros if necessary to ensure it has a length of 6 characters
- return '#' + randomColor.padStart(6, '0')
+  // Generate a random number between 0 and 0xFFFFFF, then convert to a hexadecimal string
+  const randomColor = Math.floor(Math.random() * 0xffffff).toString(16)
+  // Pad the string with leading zeros if necessary to ensure it has a length of 6 characters
+  return '#' + randomColor.padStart(6, '0')
 }
 
 /**
@@ -91,21 +91,35 @@ export const generateRandomHexColor = (): string => {
  * @returns {string} A random color in hex format.
  */
 export const getRandomCuratedColor = (): string => {
-  const randomIndex = Math.floor(Math.random() * colors.length);
-  return colors[randomIndex];
-};
-
-
+  const randomIndex = Math.floor(Math.random() * colors.length)
+  return colors[randomIndex]
+}
 
 /**
  * Checks if a string contains at least one non-space character
- * 
- * @param {string} value 
+ *
+ * @param {string} value
  * @returns {boolean}
  */
 export const stringContainsCharacters = (value: string) => {
-  const trimmedValue = value.trim(); // Trim leading and trailing spaces
-  const isValid = /^(?!\s*$).+/.test(trimmedValue); // Validate using the regex
+  const trimmedValue = value.trim() // Trim leading and trailing spaces
+  const isValid = /^(?!\s*$).+/.test(trimmedValue) // Validate using the regex
 
   return isValid
-};
\ No newline at end of file
+}
+
+/**
+ * Generates a random alphanumeric string of specified length.
+ * @param {string} min Minimum length of the string (default is 6)
+ * @param {string} max Maximum length of the string (default is 18)
+ * @returns  A random string
+ */
+export const randomString = (min = 6, max = 18) => {
+  const length = Math.floor(Math.random() * (max - min + 1)) + min
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+  let result = ''
+  for (let i = 0; i < length; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length))
+  }
+  return result
+}
diff --git a/frontend/utils/dynamicSecrets.ts b/frontend/utils/dynamicSecrets.ts
index 379520d67..bd0f0e5a9 100644
--- a/frontend/utils/dynamicSecrets.ts
+++ b/frontend/utils/dynamicSecrets.ts
@@ -1,30 +1,28 @@
 export const MINIMUM_LEASE_TTL = 60 // 1 minute
 
 export const leaseTtlButtons = [
-    {
-      label: '15min',
-      seconds: '900',
-    },
-    {
-      label: '1h',
-      seconds: '3600',
-    },
-    {
-      label: '12h',
-      seconds: '43200',
-    },
-    {
-      label: '24h',
-      seconds: '86400',
-    },
-    {
-      label: '30d',
-      seconds: '2592000',
-    },
-    {
-      label: '90d',
-      seconds: '7776000',
-    },
-  ]
-
-
+  {
+    label: '15min',
+    seconds: '900',
+  },
+  {
+    label: '1h',
+    seconds: '3600',
+  },
+  {
+    label: '12h',
+    seconds: '43200',
+  },
+  {
+    label: '24h',
+    seconds: '86400',
+  },
+  {
+    label: '30d',
+    seconds: '2592000',
+  },
+  {
+    label: '90d',
+    seconds: '7776000',
+  },
+]

From bf3262e4e427a5000fd04ce6ce1df1739da0f8a1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 20:38:38 +0530
Subject: [PATCH 036/117] fix: dynamic secret row ring color

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../environments/secrets/dynamic/DynamicSecretRow.tsx           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
index d0a11768b..86d1ece21 100644
--- a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
@@ -19,7 +19,7 @@ export const DynamicSecretRow = ({
   const KEY_BASE_STYLE = 'w-full font-mono custom bg-transparent transition ease p-1 ph-no-capture'
 
   return (
-    <div className="p-2 ring-1 ring-inset ring-emerald-400/20 flex w-full rounded-lg group">
+    <div className="p-2 ring-1 ring-inset ring-neutral-400/20 flex w-full rounded-lg group">
       <div className="w-1/3">
         <div className="text-2xs text-emerald-500 flex items-center gap-1 bg-emerald-400/10 rounded-full w-min whitespace-nowrap px-1">
           <FaBolt /> {secret.name}

From 10879b075e3402f40f1fa465086937f8ef44b0fd Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 4 Sep 2025 20:41:19 +0530
Subject: [PATCH 037/117] fix: delete secret button style

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/environments/secrets/SecretRow.tsx | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/frontend/components/environments/secrets/SecretRow.tsx b/frontend/components/environments/secrets/SecretRow.tsx
index 9f03b9fba..62ccce89c 100644
--- a/frontend/components/environments/secrets/SecretRow.tsx
+++ b/frontend/components/environments/secrets/SecretRow.tsx
@@ -266,9 +266,7 @@ export default function SecretRow(props: {
             onClick={() => handleDelete(secret.id)}
             title={stagedForDelete ? 'Restore this secret' : 'Delete this secret'}
           >
-            <div className="text-white dark:text-red-500 flex items-center gap-1 p-1">
-              {stagedForDelete ? <FaUndo /> : <FaTrashAlt />}
-            </div>
+            <div className="p-1">{stagedForDelete ? <FaUndo /> : <FaTrashAlt />}</div>
           </Button>
         )}
       </div>

From b6727f72654f65e31a9abe7fcac42a384f8bb93a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 5 Sep 2025 00:30:30 +0530
Subject: [PATCH 038/117] fix: permission checks for renew and revoke
 operations on leases for other accounts

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/graphene/mutations.py         | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
index 27bb9cd00..2b904eb3f 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -132,7 +132,10 @@ def mutate(
         if not user_is_org_member(user.userId, org.id):
             raise GraphQLError("You don't have access to this organisation")
 
-        if lease.organisation_member.id != org_member.id and not user_has_permission(
+        if (
+            lease.organisation_member is None
+            or lease.organisation_member.id != org_member.id
+        ) and not user_has_permission(
             info.context.user, "update", "DynamicSecretLeases", org, True
         ):
             raise GraphQLError(
@@ -171,7 +174,10 @@ def mutate(
         if not user_is_org_member(user.userId, org.id):
             raise GraphQLError("You don't have access to this organisation")
 
-        if lease.organisation_member.id != org_member.id and not user_has_permission(
+        if (
+            lease.organisation_member is None
+            or lease.organisation_member.id != org_member.id
+        ) and not user_has_permission(
             info.context.user, "delete", "DynamicSecretLeases", org, True
         ):
             raise GraphQLError(
@@ -181,11 +187,6 @@ def mutate(
         if not user_can_access_environment(user.userId, lease.secret.environment.id):
             raise GraphQLError("You don't have access to this environment")
 
-        if lease.organisation_member.id != org_member.id:
-            raise GraphQLError(
-                "You cannot revoke this lease as it wasn't created by you"
-            )
-
         else:
             if lease.secret.provider == "aws":
                 revoke_aws_dynamic_secret_lease(lease.id, manual=True)

From c1a8f2a373cd5246c12a85e49e485b2b2fc177ad Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 5 Sep 2025 00:30:42 +0530
Subject: [PATCH 039/117] fix: lease card typography

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../components/environments/secrets/dynamic/LeaseCard.tsx   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/components/environments/secrets/dynamic/LeaseCard.tsx b/frontend/components/environments/secrets/dynamic/LeaseCard.tsx
index f747568ff..780e33876 100644
--- a/frontend/components/environments/secrets/dynamic/LeaseCard.tsx
+++ b/frontend/components/environments/secrets/dynamic/LeaseCard.tsx
@@ -60,8 +60,8 @@ export const LeaseCard = ({
         <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
       </div>
 
-      <div className="space-y-1 col-span-2">
-        <div className="text-neutral-500 flex items-center gap-2 text-xs">
+      <div className="space-y-1 col-span-2 text-xs">
+        <div className="text-neutral-500 flex items-center gap-1">
           Created {relativeTimeFromDates(new Date(lease.createdAt))}
           {(lease.organisationMember || lease.serviceAccount) && (
             <div className="flex items-center gap-1">
@@ -80,7 +80,7 @@ export const LeaseCard = ({
           )}
         </div>
         {isRevoked ? (
-          <div className="text-red-400 text-xs">
+          <div className="text-red-400">
             {`${lease.status == ApiDynamicSecretLeaseStatusChoices.Expired ? 'Expire' : 'Revoke'}${isRevoked ? 'd' : 's'}`}{' '}
             {relativeTimeFromDates(new Date(lease.revokedAt))}
           </div>

From 8cf5fa0e96c46fabd294a72db542279d06f10af6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 5 Sep 2025 00:37:20 +0530
Subject: [PATCH 040/117] fix: correct key name in credentials serializer

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/serializers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/ee/integrations/secrets/dynamic/serializers.py b/backend/ee/integrations/secrets/dynamic/serializers.py
index b8e4233e5..39ad8aa7b 100644
--- a/backend/ee/integrations/secrets/dynamic/serializers.py
+++ b/backend/ee/integrations/secrets/dynamic/serializers.py
@@ -40,7 +40,7 @@ def get_credentials(self, obj):
                         key_name_encrypted, env_privkey, env_pubkey
                     )
                     value = decrypt_asymmetric(cred_encrypted, env_privkey, env_pubkey)
-                    result.append({"key_name": key_name, "value": value})
+                    result.append({"key": key_name, "value": value})
         else:
             for entry in key_map:
                 key_id = entry.get("id")

From 6b526f6c6ca28b06bafdb733060a973b90e1ce70 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 5 Sep 2025 14:54:45 +0530
Subject: [PATCH 041/117] fix: ensure secret name is unique per env and path

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/aws/graphene/mutations.py       | 13 ++++++++++++-
 backend/ee/integrations/secrets/dynamic/utils.py    | 11 +++++++++++
 frontend/graphql/queries/secrets/getSecrets.gql     |  1 +
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
index 2478efb47..78e61bfe4 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -100,7 +100,7 @@ def mutate(
             validated_key_map = validate_key_map(key_map, "aws", env, path)
             key_map = validated_key_map
         except ValidationError as e:
-            message = f"Error updating secret: {e.messages[0]}"
+            message = f"Error creating secret: {e.messages[0]}"
             raise GraphQLError(message)
 
         # --- create secret ---
@@ -190,6 +190,17 @@ def mutate(
             except ProviderCredentials.DoesNotExist:
                 raise GraphQLError("Invalid authentication credentials")
 
+        # --- ensure name is unique in this environment and path ---
+        if DynamicSecret.objects.filter(
+            environment=dynamic_secret.environment,
+            path=path,
+            name=name,
+            deleted_at=None,
+        ).exists():
+            raise GraphQLError(
+                f"A dynamic secret with name '{name}' already exists at this path."
+            )
+
         # --- update secret fields ---
         dynamic_secret.name = name
         dynamic_secret.description = description
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 9d7aa70ec..dcabf962c 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -98,6 +98,17 @@ def create_dynamic_secret(
     Used by both GraphQL resolvers and REST API.
     """
 
+    # --- ensure name is unique in this environment and path ---
+    if DynamicSecret.objects.filter(
+        environment=environment,
+        path=path,
+        name=name,
+        deleted_at=None,
+    ).exists():
+        raise ValidationError(
+            f"A dynamic secret with name '{name}' already exists at this path."
+        )
+
     # --- validate provider ---
     provider_def = None
     for prov in DynamicSecretProviders.__dict__.values():
diff --git a/frontend/graphql/queries/secrets/getSecrets.gql b/frontend/graphql/queries/secrets/getSecrets.gql
index 597568cad..aee554746 100644
--- a/frontend/graphql/queries/secrets/getSecrets.gql
+++ b/frontend/graphql/queries/secrets/getSecrets.gql
@@ -68,6 +68,7 @@ query GetSecrets($appId: ID!, $envId: ID!, $path: String) {
   dynamicSecrets(envId: $envId, path: $path) {
     id
     name
+    path
     description
     provider
     keyMap {

From cabc0b4c04eaa50730a4591a15eda8aa43b63014 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 5 Sep 2025 14:55:26 +0530
Subject: [PATCH 042/117] fix: apply search queries to dynamic secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[environment]/[[...path]]/page.tsx             | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index 109130700..8344f995c 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -587,10 +587,18 @@ export default function EnvironmentPath({
 
   const filteredAndSortedSecrets = sortSecrets(filteredSecrets, sort)
 
+  const filteredDynamicSecrets =
+    searchQuery === ''
+      ? dynamicSecrets
+      : dynamicSecrets.filter((secret) => {
+          const searchRegex = new RegExp(searchQuery, 'i')
+          return searchRegex.test(`${secret.name}${secret.keyMap?.map((k) => k!.keyName).join('')}`)
+        })
+
   const noSecrets =
     filteredAndSortedSecrets.length === 0 &&
     filteredFolders.length === 0 &&
-    dynamicSecrets.length === 0
+    filteredDynamicSecrets.length === 0
 
   const downloadEnvFile = () => {
     const envContent = serverSecrets
@@ -1038,7 +1046,7 @@ export default function EnvironmentPath({
               ref={importDialogRef}
             />
 
-            {(clientSecrets.length > 0 || folders.length > 0) && (
+            {!noSecrets && (
               <div className="flex items-center w-full">
                 <div className="px-9 py-3 text-left text-xs font-medium text-neutral-500 uppercase tracking-wider w-1/3">
                   key
@@ -1086,7 +1094,7 @@ export default function EnvironmentPath({
               ))}
 
             {environment &&
-              dynamicSecrets.map((secret) => (
+              filteredDynamicSecrets.map((secret) => (
                 <DynamicSecretRow key={secret.id} secret={secret} environment={environment} />
               ))}
 

From 6daef3da20bd304c84f1340b5c4335fc4239285f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 7 Sep 2025 20:56:46 +0530
Subject: [PATCH 043/117] feat: api

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/views/secrets.py                  | 172 ++++++++++-
 backend/backend/settings.py                   |   1 +
 backend/backend/urls.py                       |   9 +
 backend/ee/__init__.py                        |   0
 backend/ee/integrations/__init__.py           |   0
 backend/ee/integrations/secrets/__init__.py   |   0
 .../integrations/secrets/dynamic/__init__.py  |   0
 .../secrets/dynamic/graphene/queries.py       |   4 +-
 .../secrets/dynamic/rest/__init__.py          |   0
 .../integrations/secrets/dynamic/rest/urls.py |  11 +
 .../secrets/dynamic/rest/views.py             | 266 ++++++++++++++++++
 .../secrets/dynamic/serializers.py            |  63 ++++-
 .../ee/integrations/secrets/dynamic/utils.py  |   4 +-
 .../_components/DynamicSecret.tsx             |   9 +-
 frontend/components/common/Avatar.tsx         |   2 +-
 15 files changed, 529 insertions(+), 12 deletions(-)
 create mode 100644 backend/ee/__init__.py
 create mode 100644 backend/ee/integrations/__init__.py
 create mode 100644 backend/ee/integrations/secrets/__init__.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/__init__.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/rest/__init__.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/rest/urls.py
 create mode 100644 backend/ee/integrations/secrets/dynamic/rest/views.py

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index ff0f6f075..f78ec4858 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -1,5 +1,7 @@
 from api.auth import PhaseTokenAuthentication
 from api.models import (
+    DynamicSecret,
+    DynamicSecretLease,
     Environment,
     PersonalSecret,
     Secret,
@@ -26,10 +28,12 @@
     METHOD_TO_ACTION,
     get_resolver_request_meta,
 )
-
+import logging
 import json
 from api.content_negotiation import CamelCaseContentNegotiation
 from api.utils.access.middleware import IsIPAllowed
+from ee.integrations.secrets.dynamic.serializers import DynamicSecretSerializer
+from ee.integrations.secrets.dynamic.utils import create_dynamic_secret_lease
 from rest_framework.views import APIView
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.exceptions import PermissionDenied
@@ -42,6 +46,8 @@
 )
 from rest_framework.renderers import JSONRenderer
 
+logger = logging.getLogger(__name__)
+
 
 class E2EESecretsView(APIView):
     authentication_classes = [PhaseTokenAuthentication]
@@ -138,7 +144,87 @@ def get(self, request, *args, **kwargs):
             secrets, many=True, context={"org_member": request.auth["org_member"]}
         )
 
-        return Response(serializer.data, status=status.HTTP_200_OK)
+        include_dynamic_secrets = (
+            # treat presence (any value) of either header as True unless explicitly "false"
+            (
+                "dynamic" in request.headers
+                and request.headers.get("dynamic", "false").lower() != "false"
+            )
+            or (
+                "include_dynamic" in request.headers
+                and request.headers.get("include_dynamic", "false").lower() != "false"
+            )
+        )
+
+        dynamic_secrets_data = []
+        if include_dynamic_secrets:
+            dynamic_secrets_filter = {
+                "environment": env,
+                "deleted_at": None,
+            }
+            try:
+                path = request.headers.get("path")
+                if path:
+                    path = normalize_path_string(path)
+                    dynamic_secrets_filter["path"] = path
+            except Exception:
+                pass
+
+            dynamic_secrets_qs = DynamicSecret.objects.filter(**dynamic_secrets_filter)
+
+            # If lease header is present, generate a lease per secret
+            include_lease = (
+                "lease" in request.headers
+                and request.headers.get("lease", "false").lower() != "false"
+            )
+
+            service_account = None
+            if request.auth.get("service_account_token") is not None:
+                service_account = request.auth["service_account_token"].service_account
+
+            if include_lease:
+                leases_by_secret_id = {}
+                for ds in dynamic_secrets_qs:
+                    try:
+                        lease, _job = create_dynamic_secret_lease(
+                            ds,
+                            organisation_member=request.auth.get("org_member"),
+                            service_account=service_account,
+                        )
+                        leases_by_secret_id[ds.id] = str(lease.id)
+                    except Exception as e:
+                        logger.error(
+                            f"Failed to create lease for dynamic secret {ds.id}: {e}"
+                        )
+
+                # Serialize each secret with its lease_id in context
+                dynamic_secrets_data = [
+                    DynamicSecretSerializer(
+                        ds,
+                        context={
+                            "sse": False,
+                            "with_credentials": True,
+                            "lease_id": leases_by_secret_id.get(ds.id),
+                        },
+                    ).data
+                    for ds in dynamic_secrets_qs
+                ]
+            else:
+                # Serialize without lease
+                dynamic_secrets_data = DynamicSecretSerializer(
+                    dynamic_secrets_qs, many=True, context={"sse": False}
+                ).data
+
+        response_data = {
+            "secrets": serializer.data,
+        }
+        if include_dynamic_secrets:
+            response_data["dynamicSecrets"] = dynamic_secrets_data
+
+        return Response(
+            response_data,
+            status=status.HTTP_200_OK,
+        )
 
     def post(self, request, *args, **kwargs):
 
@@ -451,7 +537,87 @@ def get(self, request, *args, **kwargs):
             },
         )
 
-        return Response(serializer.data, status=status.HTTP_200_OK)
+        include_dynamic_secrets = (
+            # treat presence (any value) of either param as True unless explicitly "false"
+            (
+                "dynamic" in request.GET
+                and request.GET.get("dynamic", "false").lower() != "false"
+            )
+            or (
+                "include_dynamic" in request.GET
+                and request.GET.get("include_dynamic", "false").lower() != "false"
+            )
+        )
+
+        dynamic_secrets_data = []
+        if include_dynamic_secrets:
+            dynamic_secrets_filter = {
+                "environment": env,
+                "deleted_at": None,
+            }
+            try:
+                path = request.GET.get("path")
+                if path:
+                    path = normalize_path_string(path)
+                    dynamic_secrets_filter["path"] = path
+            except Exception:
+                pass
+
+            dynamic_secrets_qs = DynamicSecret.objects.filter(**dynamic_secrets_filter)
+
+            # If ?lease is present, generate a lease per secret
+            include_lease = (
+                "lease" in request.GET
+                and request.GET.get("lease", "false").lower() != "false"
+            )
+
+            service_account = None
+            if request.auth.get("service_account_token") is not None:
+                service_account = request.auth["service_account_token"].service_account
+
+            if include_lease:
+                leases_by_secret_id = {}
+                for ds in dynamic_secrets_qs:
+                    try:
+                        lease, _job = create_dynamic_secret_lease(
+                            ds,
+                            organisation_member=request.auth.get("org_member"),
+                            service_account=service_account,
+                        )
+                        leases_by_secret_id[ds.id] = str(lease.id)
+                    except Exception as e:
+                        logger.error(
+                            f"Failed to create lease for dynamic secret {ds.id}: {e}"
+                        )
+
+                # Serialize each secret with its lease_id in context
+                dynamic_secrets_data = [
+                    DynamicSecretSerializer(
+                        ds,
+                        context={
+                            "sse": True,
+                            "with_credentials": True,
+                            "lease_id": leases_by_secret_id.get(ds.id),
+                        },
+                    ).data
+                    for ds in dynamic_secrets_qs
+                ]
+            else:
+                # Serialize without lease
+                dynamic_secrets_data = DynamicSecretSerializer(
+                    dynamic_secrets_qs, many=True, context={"sse": True}
+                ).data
+
+        response_data = {
+            "secrets": serializer.data,
+        }
+        if include_dynamic_secrets:
+            response_data["dynamicSecrets"] = dynamic_secrets_data
+
+        return Response(
+            response_data,
+            status=status.HTTP_200_OK,
+        )
 
     def post(self, request, *args, **kwargs):
 
diff --git a/backend/backend/settings.py b/backend/backend/settings.py
index fa5b2315f..301c1c3d9 100644
--- a/backend/backend/settings.py
+++ b/backend/backend/settings.py
@@ -95,6 +95,7 @@ def get_version():
     "allauth.socialaccount.providers.gitlab",
     "allauth.socialaccount.providers.microsoft",
     "api.config.APIConfig",
+    # "ee",
     "logs",
     "graphene_django",
     "django_rq",
diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index eaac0f175..983386987 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -13,6 +13,7 @@
     root_endpoint,
 )
 from api.views.kms import kms
+from ee.integrations.secrets.dynamic.rest.views import DynamicSecretsView
 
 
 CLOUD_HOSTED = settings.APP_HOST == "cloud"
@@ -32,6 +33,14 @@
     path("secrets/tokens/", secrets_tokens),
     path("oauth/github/callback", github_integration_callback),
     path("lockbox/<box_id>", LockboxView.as_view()),
+    # path(
+    #     "public/v1/secrets/dynamic/",
+    #     PublicDynamicSecretsView.as_view(),
+    # ),
+    path(
+        "public/v1/secrets/dynamic/",
+        include("ee.integrations.secrets.dynamic.rest.urls"),
+    ),
 ]
 
 if CLOUD_HOSTED:
diff --git a/backend/ee/__init__.py b/backend/ee/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/integrations/__init__.py b/backend/ee/integrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/integrations/secrets/__init__.py b/backend/ee/integrations/secrets/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/integrations/secrets/dynamic/__init__.py b/backend/ee/integrations/secrets/dynamic/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/queries.py b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
index ca799c5f1..bcbbb9c21 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/queries.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
@@ -24,7 +24,7 @@ def resolve_dynamic_secret_providers(self, info):
 
 
 def resolve_dynamic_secrets(
-    root, info, secret_id=None, app_id=None, env_id=None, path="/", org_id=None
+    root, info, secret_id=None, app_id=None, env_id=None, path=None, org_id=None
 ):
     user = info.context.user
     filters = {"deleted_at": None}
@@ -32,7 +32,7 @@ def resolve_dynamic_secrets(
     if secret_id:
         filters["id"] = secret_id
 
-    else:
+    elif path is not None:
         filters["path"] = path
     org = None
 
diff --git a/backend/ee/integrations/secrets/dynamic/rest/__init__.py b/backend/ee/integrations/secrets/dynamic/rest/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/integrations/secrets/dynamic/rest/urls.py b/backend/ee/integrations/secrets/dynamic/rest/urls.py
new file mode 100644
index 000000000..d5f612c35
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/rest/urls.py
@@ -0,0 +1,11 @@
+from django.urls import path
+
+from ee.integrations.secrets.dynamic.rest.views import (
+    DynamicSecretLeaseView,
+    DynamicSecretsView,
+)
+
+urlpatterns = [
+    path("", DynamicSecretsView.as_view(), name="dynamic-secrets"),
+    path("leases/", DynamicSecretLeaseView.as_view(), name="dynamic-secret-lease"),
+]
diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
new file mode 100644
index 000000000..de6b73356
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -0,0 +1,266 @@
+from api.auth import PhaseTokenAuthentication
+from api.models import (
+    DynamicSecret,
+    DynamicSecretLease,
+    OrganisationMember,
+)
+from api.utils.secrets import (
+    normalize_path_string,
+)
+from api.utils.access.permissions import (
+    user_has_permission,
+)
+from ee.integrations.secrets.dynamic.serializers import (
+    DynamicSecretLeaseSerializer,
+)
+from api.utils.rest import (
+    METHOD_TO_ACTION,
+    get_resolver_request_meta,
+)
+
+from api.utils.access.middleware import IsIPAllowed
+from ee.integrations.secrets.dynamic.aws.utils import (
+    revoke_aws_dynamic_secret_lease,
+)
+from ee.integrations.secrets.dynamic.utils import (
+    create_dynamic_secret_lease,
+    renew_dynamic_secret_lease,
+)
+from rest_framework.views import APIView
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.response import Response
+from rest_framework import status
+from djangorestframework_camel_case.render import (
+    CamelCaseJSONRenderer,
+)
+from rest_framework.exceptions import PermissionDenied, NotFound
+
+
+class DynamicSecretsView(APIView):
+    authentication_classes = [PhaseTokenAuthentication]
+    permission_classes = [IsAuthenticated, IsIPAllowed]
+    renderer_classes = [
+        CamelCaseJSONRenderer,
+    ]
+
+    def initial(self, request, *args, **kwargs):
+        super().initial(request, *args, **kwargs)
+
+        # Determine the action based on the request method
+        action = METHOD_TO_ACTION.get(request.method)
+        if not action:
+            raise PermissionDenied(f"Unsupported HTTP method: {request.method}")
+
+        # Perform permission check
+        account = None
+        if request.auth["auth_type"] == "User":
+            account = request.auth["org_member"].user
+        elif request.auth["auth_type"] == "ServiceAccount":
+            account = request.auth["service_account"]
+
+        if account is not None:
+            env = request.auth["environment"]
+            organisation = env.app.organisation
+
+            if not user_has_permission(
+                account,
+                action,
+                "Secrets",
+                organisation,
+                True,
+                request.auth.get("service_account") is not None,
+            ):
+                raise PermissionDenied(
+                    f"You don't have permission to {action} secrets in this environment."
+                )
+
+    def get(self, request, *args, **kwargs):
+        env = request.auth["environment"]
+
+        # Check if SSE is enabled for this environment
+        if not env.app.sse_enabled:
+            return Response({"error": "SSE is not enabled for this App"}, status=400)
+
+        ip_address, user_agent = get_resolver_request_meta(request)
+
+        dynamic_secrets_filter = {
+            "environment": env,
+            "deleted_at": None,
+        }
+
+        try:
+            path = request.GET.get("path")
+            if path:
+                path = normalize_path_string(path)
+                dynamic_secrets_filter["path"] = path
+        except:
+            pass
+
+        # Filter by secret id
+        secret_id = request.GET.get("id")
+        if secret_id:
+            dynamic_secrets_filter["id"] = secret_id
+
+        # Filter by secret name
+        secret_name = request.GET.get("name")
+        if secret_name:
+            dynamic_secrets_filter["name"] = secret_name
+
+        dynamic_secrets = DynamicSecret.objects.filter(**dynamic_secrets_filter)
+
+        # 2. Create leases for each secret
+        if request.auth["service_account_token"] is not None:
+            service_account = request.auth["service_account_token"].service_account
+        dynamic_leases = [
+            create_dynamic_secret_lease(
+                secret,
+                organisation_member=request.auth["org_member"],
+                service_account=service_account,
+            )[0]
+            for secret in dynamic_secrets
+        ]
+
+        if len(dynamic_leases) > 0:
+            from ee.integrations.secrets.dynamic.serializers import (
+                DynamicSecretLeaseSerializer,
+            )
+
+            dynamic_serializer = DynamicSecretLeaseSerializer(
+                dynamic_leases, many=True, context={"sse": True}
+            )
+
+        return Response(
+            {
+                "dynamicSecrets": (
+                    dynamic_serializer.data if len(dynamic_leases) > 0 else []
+                ),
+            },
+            status=status.HTTP_200_OK,
+        )
+
+
+class DynamicSecretLeaseView(APIView):
+    authentication_classes = [PhaseTokenAuthentication]
+    permission_classes = [IsAuthenticated, IsIPAllowed]
+    renderer_classes = [CamelCaseJSONRenderer]
+
+    def _get_account_and_org(self, request):
+        account = None
+        if request.auth["auth_type"] == "User":
+            account = request.auth["org_member"].user
+        elif request.auth["auth_type"] == "ServiceAccount":
+            account = request.auth["service_account"]
+        env = request.auth["environment"] if account is not None else None
+        organisation = env.app.organisation if env is not None else None
+        return account, organisation
+
+    def _get_lease_or_404(self, lease_id: str) -> DynamicSecretLease:
+        try:
+            return DynamicSecretLease.objects.get(id=lease_id)
+        except DynamicSecretLease.DoesNotExist:
+            raise NotFound("Lease not found")
+
+    def _assert_can_act_on_lease(self, request, lease: DynamicSecretLease, action: str):
+        # action: "update" for renew, "delete" for revoke
+        account, organisation = self._get_account_and_org(request)
+        lease_holder = lease.organisation_member or lease.service_account
+        if (
+            lease_holder
+            and hasattr(lease_holder, "id")
+            and lease_holder.id == getattr(account, "id", None)
+        ):
+            return
+        if not user_has_permission(
+            account,
+            action,
+            "DynamicSecretLeases",
+            organisation,
+            True,
+            request.auth.get("service_account") is not None,
+        ):
+            raise PermissionDenied(
+                f"You don't have permission to {action} leases for other accounts."
+            )
+
+    # List leases
+    def get(self, request, *args, **kwargs):
+        secret_id = request.query_params.get("secret_id")
+        if not secret_id:
+            return Response({"error": "secret_id is required"}, status=400)
+
+        account, organisation = self._get_account_and_org(request)
+
+        if not user_has_permission(
+            account,
+            "read",
+            "Secrets",
+            organisation,
+            True,
+            request.auth.get("service_account") is not None,
+        ):
+            raise PermissionDenied(
+                f"You don't have permission to read secrets in this environment."
+            )
+
+        try:
+            secret = DynamicSecret.objects.get(id=secret_id)
+        except DynamicSecret.DoesNotExist:
+            return Response({"error": "Secret not found"}, status=404)
+
+        leases_filter = {"secret": secret}
+
+        # only return own leases if no permission to view all leases
+        if not user_has_permission(
+            account,
+            "read",
+            "DynamicSecretLeases",
+            organisation,
+            True,
+            request.auth.get("service_account") is not None,
+        ):
+            if request.auth["org_member"] is not None:
+                leases_filter["organisation_member"] = request.auth["org_member"]
+            elif request.auth["service_account_token"] is not None:
+                leases_filter["service_account"] = request.auth[
+                    "service_account_token"
+                ]["service_account"]
+
+        leases = DynamicSecretLease.objects.filter(secret=secret).order_by(
+            "-created_at"
+        )
+        serializer = DynamicSecretLeaseSerializer(
+            leases, many=True, context={"sse": False}
+        )
+        return Response(serializer.data, status=status.HTTP_200_OK)
+
+    # Renew
+    def put(self, request, *args, **kwargs):
+        lease_id = request.data.get("lease_id")
+        ttl = request.data.get("ttl", 3600)
+        if not lease_id:
+            return Response({"error": "lease_id is required"}, status=400)
+
+        lease = self._get_lease_or_404(lease_id)
+        self._assert_can_act_on_lease(request, lease, action="update")
+
+        try:
+            lease = renew_dynamic_secret_lease(lease, ttl)
+        except Exception as e:
+            return Response({"error": str(e)}, status=400)
+
+        return Response(status=status.HTTP_200_OK)
+
+    # Revoke
+    def delete(self, request, *args, **kwargs):
+        lease_id = request.data.get("lease_id") or request.query_params.get("lease_id")
+        if not lease_id:
+            return Response({"error": "lease_id is required"}, status=400)
+
+        lease = self._get_lease_or_404(lease_id)
+        self._assert_can_act_on_lease(request, lease, action="delete")
+
+        if lease.secret.provider == "aws":
+            revoke_aws_dynamic_secret_lease(lease.id, manual=True)
+
+        return Response(status=status.HTTP_200_OK)
diff --git a/backend/ee/integrations/secrets/dynamic/serializers.py b/backend/ee/integrations/secrets/dynamic/serializers.py
index 39ad8aa7b..df7cf2fe3 100644
--- a/backend/ee/integrations/secrets/dynamic/serializers.py
+++ b/backend/ee/integrations/secrets/dynamic/serializers.py
@@ -1,4 +1,4 @@
-from api.models import DynamicSecretLease
+from api.models import DynamicSecretLease, DynamicSecret
 from api.utils.crypto import decrypt_asymmetric
 from api.utils.secrets import get_environment_keys
 from rest_framework import serializers
@@ -25,6 +25,9 @@ class Meta:
         ]
 
     def get_credentials(self, obj):
+        with_credentials = self.context.get("with_credentials", False)
+        if not with_credentials:
+            return []
         sse = self.context.get("sse")
         credentials = obj.credentials or {}
         key_map = obj.secret.key_map if obj.secret else []
@@ -49,3 +52,61 @@ def get_credentials(self, obj):
                 if key_name and value:
                     result.append({"key": key_name, "value": value})
         return result
+
+
+class DynamicSecretSerializer(serializers.ModelSerializer):
+    lease = serializers.SerializerMethodField()
+    key_map = serializers.SerializerMethodField()
+
+    class Meta:
+        model = DynamicSecret
+        fields = [
+            "id",
+            "name",
+            "description",
+            "environment",
+            "folder",
+            "path",
+            "default_ttl",
+            "max_ttl",
+            "provider",
+            "key_map",
+            "created_at",
+            "updated_at",
+            "deleted_at",
+            "lease",
+        ]
+
+    def get_key_map(self, obj):
+        sse = self.context.get("sse")
+        entries = obj.key_map or []
+        if not sse:
+            return entries
+
+        # Decrypt key_name for each entry using environment keys
+        env_pubkey, env_privkey = get_environment_keys(obj.environment.id)
+        decrypted = []
+        for entry in entries:
+            # keep other fields (e.g., id, key_digest) intact
+            out = dict(entry) if isinstance(entry, dict) else {}
+            key_name_encrypted = out.get("key_name")
+            if key_name_encrypted:
+                try:
+                    out["key_name"] = decrypt_asymmetric(
+                        key_name_encrypted, env_privkey, env_pubkey
+                    )
+                except Exception:
+                    # If decryption fails, fall back to stored value
+                    pass
+            decrypted.append(out)
+        return decrypted
+
+    def get_lease(self, obj):
+        lease_id = self.context.get("lease_id")
+        if not lease_id:
+            return None
+        try:
+            lease = obj.leases.get(id=lease_id)
+        except (obj.leases.model.DoesNotExist, AttributeError):
+            return None
+        return DynamicSecretLeaseSerializer(lease, context=self.context).data
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index dcabf962c..5a0608859 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -186,12 +186,12 @@ def create_dynamic_secret_lease(
 
 def renew_dynamic_secret_lease(lease, ttl):
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
-        raise GraphQLError(
+        raise Exception(
             "The specified TTL exceeds the maximum TTL for this dynamic secret."
         )
 
     if lease.expires_at <= timezone.now():
-        raise GraphQLError("This lease has expired and cannot be renewed")
+        raise Exception("This lease has expired and cannot be renewed")
 
     else:
         lease.expires_at = timezone.now() + timedelta(seconds=ttl)
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
index 123b54581..0a598cd80 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
@@ -14,10 +14,13 @@ export const DynamicSecret = ({ secret }: { secret: DynamicSecretType }) => {
   return (
     <div className="p-2 ring-1 ring-inset ring-neutral-400/20 flex flex-col gap-4 w-full rounded-lg group justify-between bg-zinc-100 dark:bg-zinc-800">
       <div>
-        <div className="text-base text-zinc-900 dark:text-zinc-100 flex items-center gap-1 px-1">
-          <ProviderIcon providerId={secret.provider} /> {secret.name}
+        <div className="font-mono text-neutral-500 text-xs">{secret.path}</div>
+        <div>
+          <div className="text-base text-zinc-900 dark:text-zinc-100 flex items-center gap-1 px-1">
+            <ProviderIcon providerId={secret.provider} /> {secret.name}
+          </div>
+          <div className="text-sm text-neutral-500 px-1">{secret.description}</div>
         </div>
-        <div className="text-sm text-neutral-500 px-1">{secret.description}</div>
       </div>
 
       <div className="relative group flex items-center justify-between w-full">
diff --git a/frontend/components/common/Avatar.tsx b/frontend/components/common/Avatar.tsx
index 0fc0f36ae..1262e3244 100644
--- a/frontend/components/common/Avatar.tsx
+++ b/frontend/components/common/Avatar.tsx
@@ -22,7 +22,7 @@ export const Avatar = ({ member, serviceAccount, user, size, showTitle = true }:
   const [useFallBack, setUseFallBack] = useState(false)
 
   const sizes = {
-    sm: 'h-5 w-5 text-[8px]',
+    sm: 'h-5 w-5 text-[10px]',
     md: 'h-8 w-8 text-2xs',
     lg: 'h-12 w-12 text-base',
     xl: 'h-20 w-20 text-4xl',

From 089a3864dd2083ad2d543fa674196e5654278c46 Mon Sep 17 00:00:00 2001
From: Rohan Chaturvedi <rohan.chaturvedi@protonmail.com>
Date: Mon, 8 Sep 2025 14:31:23 +0530
Subject: [PATCH 044/117] Potential fix for code scanning alert no. 21:
 Information exposure through an exception

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index de6b73356..d4047d37a 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -247,8 +247,11 @@ def put(self, request, *args, **kwargs):
         try:
             lease = renew_dynamic_secret_lease(lease, ttl)
         except Exception as e:
-            return Response({"error": str(e)}, status=400)
-
+            logger.exception("Failed to renew dynamic secret lease (lease_id=%s)", lease_id)
+            return Response(
+                {"error": "An internal error occurred while renewing the lease."},
+                status=400,
+            )
         return Response(status=status.HTTP_200_OK)
 
     # Revoke

From 68d81b2280faaacc5256a4daacd490431ba86e9b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 8 Sep 2025 14:34:25 +0530
Subject: [PATCH 045/117] fix: logger

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index d4047d37a..a6612bbd0 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -35,6 +35,9 @@
     CamelCaseJSONRenderer,
 )
 from rest_framework.exceptions import PermissionDenied, NotFound
+import logging
+
+logger = logging.getLogger(__name__)
 
 
 class DynamicSecretsView(APIView):
@@ -247,7 +250,9 @@ def put(self, request, *args, **kwargs):
         try:
             lease = renew_dynamic_secret_lease(lease, ttl)
         except Exception as e:
-            logger.exception("Failed to renew dynamic secret lease (lease_id=%s)", lease_id)
+            logger.exception(
+                "Failed to renew dynamic secret lease (lease_id=%s)", lease_id
+            )
             return Response(
                 {"error": "An internal error occurred while renewing the lease."},
                 status=400,

From f564bff74372afeca7f730f06487df97af298ad0 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 8 Sep 2025 18:19:48 +0530
Subject: [PATCH 046/117] feat: misc updates and cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../ee/integrations/secrets/dynamic/utils.py  |   6 +
 .../[environment]/[[...path]]/page.tsx        |  23 ++-
 .../integrations/dynamic-secrets/page.tsx     |   2 +-
 .../settings/organisation/PlanInfo.tsx        |   2 +-
 .../settings/organisation/UpsellDialog.tsx    | 176 ++++++++++--------
 .../secrets/dynamic/AWSCredentials.tsx        |   0
 .../dynamic}/CreateDynamicSecretDialog.tsx    |   6 +-
 .../secrets/dynamic/CreateLeaseDialog.tsx     |   1 -
 .../dynamic/DeleteDynamicSecretDialog.tsx     |   0
 .../secrets/dynamic}/DynamicSecret.tsx        |   4 +-
 .../secrets/dynamic/DynamicSecretRow.tsx      |   2 +-
 .../components}/secrets/dynamic/LeaseCard.tsx |   0
 .../secrets/dynamic/ManageLeasesDialog.tsx    |   0
 .../secrets/dynamic/RenewLeaseDialog.tsx      |   0
 .../secrets/dynamic/RevokeLeaseDialog.tsx     |   0
 .../dynamic}/UpdateDynamicSecretDialog.tsx    |   0
 16 files changed, 129 insertions(+), 93 deletions(-)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/AWSCredentials.tsx (100%)
 rename frontend/{app/[team]/integrations/dynamic-secrets/_components => ee/components/secrets/dynamic}/CreateDynamicSecretDialog.tsx (98%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/CreateLeaseDialog.tsx (98%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/DeleteDynamicSecretDialog.tsx (100%)
 rename frontend/{app/[team]/integrations/dynamic-secrets/_components => ee/components/secrets/dynamic}/DynamicSecret.tsx (90%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/DynamicSecretRow.tsx (94%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/LeaseCard.tsx (100%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/ManageLeasesDialog.tsx (100%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/RenewLeaseDialog.tsx (100%)
 rename frontend/{components/environments => ee/components}/secrets/dynamic/RevokeLeaseDialog.tsx (100%)
 rename frontend/{app/[team]/integrations/dynamic-secrets/_components => ee/components/secrets/dynamic}/UpdateDynamicSecretDialog.tsx (100%)

diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 5a0608859..dd8e3c3c9 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -98,6 +98,12 @@ def create_dynamic_secret(
     Used by both GraphQL resolvers and REST API.
     """
 
+    Organisation = apps.get_model("api", "Organisation")
+
+    org = environment.app.organisation
+    if not org.plan == Organisation.ENTERPRISE_PLAN:
+        raise Exception("Dynamic secrets are only available on the Enterprise plan.")
+
     # --- ensure name is unique in this environment and path ---
     if DynamicSecret.objects.filter(
         environment=environment,
diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index 8344f995c..8344d93fa 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -1,6 +1,7 @@
 'use client'
 
 import {
+  ApiOrganisationPlanChoices,
   DynamicSecretType,
   EnvironmentType,
   SecretFolderType,
@@ -71,8 +72,10 @@ import EnvFileDropZone from '@/components/environments/secrets/import/EnvFileDro
 import SingleEnvImportDialog from '@/components/environments/secrets/import/SingleEnvImportDialog'
 import { useWarnIfUnsavedChanges } from '@/hooks/warnUnsavedChanges'
 import { FaBolt } from 'react-icons/fa6'
-import { CreateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog'
-import { DynamicSecretRow } from '@/components/environments/secrets/dynamic/DynamicSecretRow'
+import { CreateDynamicSecretDialog } from '@/ee/components/secrets/dynamic/CreateDynamicSecretDialog'
+import { DynamicSecretRow } from '@/ee/components/secrets/dynamic/DynamicSecretRow'
+import { PlanLabel } from '@/components/settings/organisation/PlanLabel'
+import { UpsellDialog } from '@/components/settings/organisation/UpsellDialog'
 
 export default function EnvironmentPath({
   params,
@@ -101,6 +104,7 @@ export default function EnvironmentPath({
 
   const importDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
   const dynamicSecretDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+  const upsellDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
   const [sort, setSort] = useState<SortOption>('-created')
 
@@ -838,6 +842,8 @@ export default function EnvironmentPath({
       true
     )
 
+    const allowDynamicSecrets = organisation?.plan === ApiOrganisationPlanChoices.En
+
     if (!userCanCreateSecrets) return <></>
     return (
       <SplitButton
@@ -845,8 +851,16 @@ export default function EnvironmentPath({
         onClick={() => handleAddSecret(true)}
         menuContent={
           <div className="w-max flex flex-col items-start gap-1">
-            <Button variant="secondary" onClick={() => dynamicSecretDialogRef.current?.openModal()}>
-              <FaBolt /> Dynamic Secret
+            <Button
+              variant="secondary"
+              onClick={() =>
+                allowDynamicSecrets
+                  ? dynamicSecretDialogRef.current?.openModal()
+                  : upsellDialogRef.current?.openModal()
+              }
+            >
+              <FaBolt /> Dynamic Secret{' '}
+              {!allowDynamicSecrets && <PlanLabel plan={ApiOrganisationPlanChoices.En} />}
             </Button>
 
             <Button variant="secondary" onClick={() => setFolderMenuIsOpen(true)}>
@@ -1083,6 +1097,7 @@ export default function EnvironmentPath({
               path={secretPath}
               ref={dynamicSecretDialogRef}
             />
+            <UpsellDialog ref={upsellDialogRef} title="Upgrade to Enterprise" />
 
             {organisation &&
               filteredFolders.map((folder: SecretFolderType) => (
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/page.tsx b/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
index 0fc3ca4db..ba4c5ba2f 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
@@ -8,7 +8,7 @@ import { FaBan } from 'react-icons/fa6'
 import { GetDynamicSecrets } from '@/graphql/queries/secrets/dynamic/getDynamicSecrets.gql'
 import { useQuery } from '@apollo/client'
 import { DynamicSecretType } from '@/apollo/graphql'
-import { DynamicSecret } from './_components/DynamicSecret'
+import { DynamicSecret } from '../../../../ee/components/secrets/dynamic/DynamicSecret'
 
 export default function DynamicSecrets({ params }: { params: { team: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
diff --git a/frontend/components/settings/organisation/PlanInfo.tsx b/frontend/components/settings/organisation/PlanInfo.tsx
index e23556f25..2ad0abc62 100644
--- a/frontend/components/settings/organisation/PlanInfo.tsx
+++ b/frontend/components/settings/organisation/PlanInfo.tsx
@@ -129,7 +129,7 @@ export const PlanInfo = () => {
                       <div className="whitespace-nowrap">Compare plans</div>
                     </Button>
                   </Link>
-                  {userCanUpdateBilling && <UpsellDialog />}
+                  {userCanUpdateBilling && <UpsellDialog buttonLabel="Upgrade" />}
                 </div>
               )}
             </div>
diff --git a/frontend/components/settings/organisation/UpsellDialog.tsx b/frontend/components/settings/organisation/UpsellDialog.tsx
index 95cd35e1a..5937763ae 100644
--- a/frontend/components/settings/organisation/UpsellDialog.tsx
+++ b/frontend/components/settings/organisation/UpsellDialog.tsx
@@ -4,101 +4,113 @@ import { organisationContext } from '@/contexts/organisationContext'
 import { GetOrganisationPlan } from '@/graphql/queries/organisation/getOrganisationPlan.gql'
 import { isCloudHosted } from '@/utils/appConfig'
 import { useQuery } from '@apollo/client'
-import { ReactNode, useContext, useRef } from 'react'
+import { ReactNode, useContext, useRef, forwardRef, useImperativeHandle } from 'react'
 import dynamic from 'next/dynamic'
 import { userHasPermission } from '@/utils/access/permissions'
 import { EmptyState } from '@/components/common/EmptyState'
 import { FaBan } from 'react-icons/fa6'
 
-export const UpsellDialog = ({
-  title,
-  buttonLabel,
-  buttonVariant,
-}: {
+export type UpsellDialogHandle = {
+  openModal: () => void
+  closeModal: () => void
+}
+
+interface UpsellDialogProps {
   title?: string
   buttonLabel?: ReactNode
   buttonVariant?: 'primary' | 'secondary' | 'outline' | 'danger'
-}) => {
-  const { activeOrganisation } = useContext(organisationContext)
+}
 
-  const userCanUpdateBilling = activeOrganisation
-    ? userHasPermission(activeOrganisation.role?.permissions, 'Billing', 'update')
-    : false
+export const UpsellDialog = forwardRef<UpsellDialogHandle, UpsellDialogProps>(
+  ({ title, buttonLabel, buttonVariant }, ref) => {
+    const { activeOrganisation } = useContext(organisationContext)
 
-  const dialogRef = useRef<{ closeModal: () => void }>(null)
+    const userCanUpdateBilling = activeOrganisation
+      ? userHasPermission(activeOrganisation.role?.permissions, 'Billing', 'update')
+      : false
 
-  const closeModal = () => dialogRef?.current?.closeModal()
+    const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
-  // Dynamically import UpgradeDialog only if the app is cloud-hosted
-  const UpgradeDialog = isCloudHosted() ? dynamic(() => import('@/ee/billing/UpgradeDialog')) : null
+    const openModal = () => dialogRef.current?.openModal()
+    const closeModal = () => dialogRef.current?.closeModal()
 
-  const { data, loading } = useQuery(GetOrganisationPlan, {
-    variables: { organisationId: activeOrganisation?.id },
-    skip: !activeOrganisation,
-    fetchPolicy: 'cache-and-network',
-  })
+    useImperativeHandle(ref, () => ({ openModal, closeModal }), [])
 
-  if (!activeOrganisation || loading) return <></>
+    // Dynamically import UpgradeDialog only if the app is cloud-hosted
+    const UpgradeDialog = isCloudHosted()
+      ? dynamic(() => import('@/ee/billing/UpgradeDialog'))
+      : null
 
-  return (
-    <GenericDialog
-      title={
-        title ||
-        `Upgrade to ${activeOrganisation.plan === ApiOrganisationPlanChoices.Fr ? (isCloudHosted() ? 'Pro' : 'Enterprise') : 'Enterprise'}`
-      }
-      buttonVariant={buttonVariant || 'primary'}
-      buttonContent={buttonLabel || 'Upgrade'}
-      size="sm"
-      onClose={() => {}}
-      ref={dialogRef}
-    >
-      <div className="space-y-4">
-        <div className="text-neutral-500">
-          Get access to all the features in Phase{' '}
-          {activeOrganisation.plan === ApiOrganisationPlanChoices.Fr
-            ? isCloudHosted()
-              ? 'Pro'
-              : 'Enterprise'
-            : 'Enterprise'}
-        </div>
-        {isCloudHosted() ? (
-          UpgradeDialog && userCanUpdateBilling ? (
-            <UpgradeDialog
-              userCount={data.organisationPlan?.seatsUsed?.total}
-              onSuccess={closeModal}
-            />
-          ) : (
-            <EmptyState
-              title="Access restricted"
-              subtitle="You don't have the permissions required to update billing information in this organisation. Please contact an administrator to upgrade your organisation plan."
-              graphic={
-                <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
-                  <FaBan />
-                </div>
-              }
-            >
-              <></>
-            </EmptyState>
-          )
-        ) : (
-          <div className="text-zinc-900 dark:text-zinc-100">
-            Please contact us at{' '}
-            <a href="mailto:info@phase.dev" className="text-emerald-500 hover:text-emerald-600">
-              info@phase.dev
-            </a>{' '}
-            or get in touch via{' '}
-            <a
-              href="https://slack.phase.dev"
-              className="text-emerald-500 hover:text-emerald-600"
-              target="_blank"
-              rel="noreferrer"
-            >
-              Slack
-            </a>{' '}
-            to request an upgrade.
+    const { data, loading } = useQuery(GetOrganisationPlan, {
+      variables: { organisationId: activeOrganisation?.id },
+      skip: !activeOrganisation,
+      fetchPolicy: 'cache-and-network',
+    })
+
+    if (!activeOrganisation || loading) return <></>
+
+    return (
+      <GenericDialog
+        title={
+          title ||
+          `Upgrade to ${activeOrganisation.plan === ApiOrganisationPlanChoices.Fr ? (isCloudHosted() ? 'Pro' : 'Enterprise') : 'Enterprise'}`
+        }
+        buttonVariant={buttonVariant || 'primary'}
+        buttonContent={buttonLabel}
+        size="sm"
+        onClose={() => {}}
+        ref={dialogRef}
+      >
+        <div className="space-y-4">
+          <div className="text-neutral-500">
+            Get access to all the features in Phase{' '}
+            {activeOrganisation.plan === ApiOrganisationPlanChoices.Fr
+              ? isCloudHosted()
+                ? 'Pro'
+                : 'Enterprise'
+              : 'Enterprise'}
           </div>
-        )}
-      </div>
-    </GenericDialog>
-  )
-}
+          {isCloudHosted() ? (
+            UpgradeDialog && userCanUpdateBilling ? (
+              <UpgradeDialog
+                userCount={data.organisationPlan?.seatsUsed?.total}
+                onSuccess={closeModal}
+              />
+            ) : (
+              <EmptyState
+                title="Access restricted"
+                subtitle="You don't have the permissions required to update billing information in this organisation. Please contact an administrator to upgrade your organisation plan."
+                graphic={
+                  <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                    <FaBan />
+                  </div>
+                }
+              >
+                <></>
+              </EmptyState>
+            )
+          ) : (
+            <div className="text-zinc-900 dark:text-zinc-100">
+              Please contact us at{' '}
+              <a href="mailto:info@phase.dev" className="text-emerald-500 hover:text-emerald-600">
+                info@phase.dev
+              </a>{' '}
+              or get in touch via{' '}
+              <a
+                href="https://slack.phase.dev"
+                className="text-emerald-500 hover:text-emerald-600"
+                target="_blank"
+                rel="noreferrer"
+              >
+                Slack
+              </a>{' '}
+              to request an upgrade.
+            </div>
+          )}
+        </div>
+      </GenericDialog>
+    )
+  }
+)
+
+UpsellDialog.displayName = 'UpsellDialog'
diff --git a/frontend/components/environments/secrets/dynamic/AWSCredentials.tsx b/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
similarity index 100%
rename from frontend/components/environments/secrets/dynamic/AWSCredentials.tsx
rename to frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
similarity index 98%
rename from frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
rename to frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index ae1b298d7..4463f8d92 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -8,6 +8,7 @@ import {
   ProviderCredentialsType,
   KeyMapInput,
   DynamicSecretType,
+  ApiOrganisationPlanChoices,
 } from '@/apollo/graphql'
 import { GetDynamicSecretProviders } from '@/graphql/queries/secrets/dynamic/getProviders.gql'
 import { CreateNewAWSDynamicSecret } from '@/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql'
@@ -22,7 +23,7 @@ import { toUpper } from 'lodash'
 import { useMutation, useQuery } from '@apollo/client'
 import { Card } from '@/components/common/Card'
 import { ProviderIcon } from '@/components/syncing/ProviderIcon'
-import { FaArrowRightLong } from 'react-icons/fa6'
+import { FaArrowRightLong, FaPlus } from 'react-icons/fa6'
 import { MdOutlinePassword } from 'react-icons/md'
 import { camelCase } from 'lodash'
 import { toast } from 'react-toastify'
@@ -30,6 +31,9 @@ import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
 import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
+import { PlanLabel } from '@/components/settings/organisation/PlanLabel'
+import { UpsellDialog } from '@/components/settings/organisation/UpsellDialog'
+import { isCloudHosted } from '@/utils/appConfig'
 
 type CreateDynamicSecretDialogRef = {
   openModal: () => void
diff --git a/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
similarity index 98%
rename from frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
rename to frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
index 867b59010..694e1e60e 100644
--- a/frontend/components/environments/secrets/dynamic/CreateLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
@@ -4,7 +4,6 @@ import { Button } from '@/components/common/Button'
 import CopyButton from '@/components/common/CopyButton'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Input } from '@/components/common/Input'
-import { Textarea } from '@/components/common/TextArea'
 import { organisationContext } from '@/contexts/organisationContext'
 import { CreateDynamicSecretLease } from '@/graphql/mutations/environments/secrets/dynamic/createLease.gql'
 import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
diff --git a/frontend/components/environments/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
similarity index 100%
rename from frontend/components/environments/secrets/dynamic/DeleteDynamicSecretDialog.tsx
rename to frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx b/frontend/ee/components/secrets/dynamic/DynamicSecret.tsx
similarity index 90%
rename from frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
rename to frontend/ee/components/secrets/dynamic/DynamicSecret.tsx
index 0a598cd80..8401dc9a1 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/_components/DynamicSecret.tsx
+++ b/frontend/ee/components/secrets/dynamic/DynamicSecret.tsx
@@ -1,6 +1,6 @@
 import { DynamicSecretType } from '@/apollo/graphql'
-import { DeleteDynamicSecretDialog } from '@/components/environments/secrets/dynamic/DeleteDynamicSecretDialog'
-import { ManageLeasesDialog } from '@/components/environments/secrets/dynamic/ManageLeasesDialog'
+import { DeleteDynamicSecretDialog } from '@/ee/components/secrets/dynamic/DeleteDynamicSecretDialog'
+import { ManageLeasesDialog } from '@/ee/components/secrets/dynamic/ManageLeasesDialog'
 import { ProviderIcon } from '@/components/syncing/ProviderIcon'
 import { Button } from '@/components/common/Button'
 import { organisationContext } from '@/contexts/organisationContext'
diff --git a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
similarity index 94%
rename from frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
rename to frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
index 86d1ece21..1d4a4b5f0 100644
--- a/frontend/components/environments/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
@@ -4,7 +4,7 @@ import { FaBolt } from 'react-icons/fa6'
 import { CreateLeaseDialog } from './CreateLeaseDialog'
 import { ManageLeasesDialog } from './ManageLeasesDialog'
 import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
-import { UpdateDynamicSecretDialog } from '@/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog'
+import { UpdateDynamicSecretDialog } from '@/ee/components/secrets/dynamic/UpdateDynamicSecretDialog'
 import { randomString } from '@/utils/copy'
 
 export const DynamicSecretRow = ({
diff --git a/frontend/components/environments/secrets/dynamic/LeaseCard.tsx b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
similarity index 100%
rename from frontend/components/environments/secrets/dynamic/LeaseCard.tsx
rename to frontend/ee/components/secrets/dynamic/LeaseCard.tsx
diff --git a/frontend/components/environments/secrets/dynamic/ManageLeasesDialog.tsx b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
similarity index 100%
rename from frontend/components/environments/secrets/dynamic/ManageLeasesDialog.tsx
rename to frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
diff --git a/frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
similarity index 100%
rename from frontend/components/environments/secrets/dynamic/RenewLeaseDialog.tsx
rename to frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
diff --git a/frontend/components/environments/secrets/dynamic/RevokeLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
similarity index 100%
rename from frontend/components/environments/secrets/dynamic/RevokeLeaseDialog.tsx
rename to frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
diff --git a/frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
similarity index 100%
rename from frontend/app/[team]/integrations/dynamic-secrets/_components/UpdateDynamicSecretDialog.tsx
rename to frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx

From 584d217e5070da737d19790e7106f92fe2c30b93 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 8 Sep 2025 21:50:26 +0530
Subject: [PATCH 047/117] fix: tailwind content path

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/tailwind.config.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frontend/tailwind.config.js b/frontend/tailwind.config.js
index 361939386..4f6467c54 100644
--- a/frontend/tailwind.config.js
+++ b/frontend/tailwind.config.js
@@ -4,6 +4,7 @@ module.exports = {
     './app/**/*.{js,ts,jsx,tsx}',
     './pages/**/*.{js,ts,jsx,tsx}',
     './components/**/*.{js,ts,jsx,tsx}',
+    './ee/**/*.{js,ts,jsx,tsx,mdx}',
   ],
   safelist: ['border-t-neutral-500', 'border-t-amber-500', 'border-t-emerald-500', 'border-t-8'],
   darkMode: 'class',

From 5d09b56555ba1ca068b06a719cf63923bf1cc625 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 9 Sep 2025 13:02:02 +0530
Subject: [PATCH 048/117] fix: dyanmic secret provider titlte on light theme

---
 .../components/secrets/dynamic/CreateDynamicSecretDialog.tsx  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 4463f8d92..358a2e64a 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -226,7 +226,9 @@ export const CreateDynamicSecretDialog = forwardRef<
                   <ProviderIcon providerId={provider.id} />
                 </div>
                 <div>
-                  <div className="text-xl font-semibold">{provider.name}</div>
+                  <div className="text-xl font-semibold text-zinc-900 dark:text-zinc-100">
+                    {provider.name}
+                  </div>
                   <div className="text-neutral-500">
                     Set up a dynamic secret for {provider.name}
                   </div>

From ffb47431b54bae2ea518a6573ae99ea04e0a08a9 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 9 Sep 2025 13:11:40 +0530
Subject: [PATCH 049/117] fix: add vertical space between add service
 credentials button

---
 .../ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 358a2e64a..3be205d8e 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -271,7 +271,7 @@ export const CreateDynamicSecretDialog = forwardRef<
               {/* Step 2: Config */}
               {activeStep === 0 && (
                 <div className="space-y-4 divide-y divide-neutral-500/40 text-sm">
-                  <div>
+                  <div className="mt-2">
                     <ProviderCredentialPicker
                       credential={formData.credential}
                       setCredential={(cred) => setFormData({ ...formData, credential: cred })}

From 4bc01d2a830203b5ca0d815f5a555e17d59ee071 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 9 Sep 2025 14:40:23 +0530
Subject: [PATCH 050/117] fix: update label for username template in dynamic
 secret providers

---
 backend/ee/integrations/secrets/dynamic/providers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/ee/integrations/secrets/dynamic/providers.py b/backend/ee/integrations/secrets/dynamic/providers.py
index 888de58d7..f2fc05199 100644
--- a/backend/ee/integrations/secrets/dynamic/providers.py
+++ b/backend/ee/integrations/secrets/dynamic/providers.py
@@ -18,7 +18,7 @@ class DynamicSecretProviders:
         "config_map": [
             {
                 "id": "username_template",
-                "label": "Username template",
+                "label": "IAM Username template",
                 "input_type": "string",
                 "required": True,
                 "default": "{{ random }}",

From 51712a918ae774beb8bc8cb92117f0918dba19db Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 10 Sep 2025 14:33:54 +0530
Subject: [PATCH 051/117] fix: update dynamic secret row styling to be more
 consistent with static secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/DynamicSecretRow.tsx          | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
index 1d4a4b5f0..b925c1901 100644
--- a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
@@ -6,6 +6,7 @@ import { ManageLeasesDialog } from './ManageLeasesDialog'
 import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
 import { UpdateDynamicSecretDialog } from '@/ee/components/secrets/dynamic/UpdateDynamicSecretDialog'
 import { randomString } from '@/utils/copy'
+import { MaskedTextarea } from '@/components/common/MaskedTextarea'
 
 export const DynamicSecretRow = ({
   secret,
@@ -19,7 +20,7 @@ export const DynamicSecretRow = ({
   const KEY_BASE_STYLE = 'w-full font-mono custom bg-transparent transition ease p-1 ph-no-capture'
 
   return (
-    <div className="p-2 ring-1 ring-inset ring-neutral-400/20 flex w-full rounded-lg group">
+    <div className="p-2 flex w-full rounded-lg group">
       <div className="w-1/3">
         <div className="text-2xs text-emerald-500 flex items-center gap-1 bg-emerald-400/10 rounded-full w-min whitespace-nowrap px-1">
           <FaBolt /> {secret.name}
@@ -33,14 +34,14 @@ export const DynamicSecretRow = ({
         </div>
       </div>
       <div className="w-2/3 px-6 relative group">
-        <div className="absolute flex flex-col gap-2 pointer-events-none group-hover:opacity-0 transition ease">
+        <div className="absolute flex flex-col gap-2 pointer-events-none group-hover:opacity-0 transition ease pl-4">
           {keyMap.map((k) => (
-            <input
-              className="custom outline-none font-mono bg-transparent"
+            <MaskedTextarea
+              className={clsx(KEY_BASE_STYLE)}
+              value={`value-${k.keyName}`}
+              expanded={false}
+              isRevealed={false}
               key={`value-${k.keyName}`}
-              readOnly
-              type="password"
-              value={randomString()}
             />
           ))}
         </div>

From f04383d410b3287d4c7615e610d2f74b3fcc7b02 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 10 Sep 2025 14:49:48 +0530
Subject: [PATCH 052/117] feat: add reveal toggle for AWS credentials in
 dynamic secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/AWSCredentials.tsx        | 43 ++++++++++++++++---
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx b/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
index 2ea710c3e..228581286 100644
--- a/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
+++ b/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
@@ -1,6 +1,10 @@
 import { DynamicSecretLeaseType, KeyMap } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
 import CopyButton from '@/components/common/CopyButton'
 import { Input } from '@/components/common/Input'
+import clsx from 'clsx'
+import { useState } from 'react'
+import { FaRegEyeSlash, FaRegEye } from 'react-icons/fa6'
 
 export const AWSCredentials = ({
   lease,
@@ -9,51 +13,80 @@ export const AWSCredentials = ({
   lease: DynamicSecretLeaseType
   keyMap: KeyMap[]
 }) => {
-  if (!lease.credentials) return <></>
-
   const credentialKeyName = (credentialId: string) =>
     keyMap.find((key) => key.id === credentialId)?.keyName ?? credentialId
 
+  const [reveal, setReveal] = useState({
+    accessKeyId: false,
+    secretAccessKey: false,
+    username: false,
+  })
+
+  const toggle = (k: keyof typeof reveal) => setReveal((s) => ({ ...s, [k]: !s[k] }))
+
+  if (!lease.credentials) return <></>
+
   return (
     <>
       <div className="relative">
         <Input
-          type="password"
           value={lease.credentials.accessKeyId || ''}
           setValue={() => {}}
           readOnly
           label={credentialKeyName('access_key_id')}
           labelClassName="font-mono"
+          className={clsx(
+            'cursor-text ph-no-capture font-mono',
+            reveal.accessKeyId ? 'text-security-none' : 'text-security-disc'
+          )}
         />
         <div className="absolute right-2 top-9">
+          <Button variant="outline" onClick={() => toggle('accessKeyId')}>
+            {reveal.accessKeyId ? <FaRegEyeSlash /> : <FaRegEye />}
+            {reveal.accessKeyId ? 'Hide' : 'Show'}
+          </Button>
           <CopyButton value={lease.credentials.accessKeyId || ''} />
         </div>
       </div>
 
       <div className="relative">
         <Input
-          type="password"
           value={lease.credentials.secretAccessKey || ''}
           setValue={() => {}}
           readOnly
           label={credentialKeyName('secret_access_key')}
           labelClassName="font-mono"
+          className={clsx(
+            'cursor-text ph-no-capture font-mono',
+            reveal.secretAccessKey ? 'text-security-none' : 'text-security-disc'
+          )}
         />
         <div className="absolute right-2 top-9">
+          <Button variant="outline" onClick={() => toggle('secretAccessKey')}>
+            {reveal.secretAccessKey ? <FaRegEyeSlash /> : <FaRegEye />}
+            {reveal.secretAccessKey ? 'Hide' : 'Show'}
+          </Button>
           <CopyButton value={lease.credentials.secretAccessKey || ''} />
         </div>
       </div>
 
       <div className="relative">
         <Input
-          type="password"
           value={lease.credentials.username || ''}
           setValue={() => {}}
           readOnly
           label={credentialKeyName('username')}
           labelClassName="font-mono"
+          className={clsx(
+            'cursor-text ph-no-capture font-mono',
+            reveal.username ? 'text-security-none' : 'text-security-disc'
+          )}
         />
         <div className="absolute right-2 top-9">
+          <Button variant="outline" onClick={() => toggle('username')}>
+            {reveal.username ? <FaRegEyeSlash /> : <FaRegEye />}
+            {reveal.username ? 'Hide' : 'Show'}
+          </Button>
           <CopyButton value={lease.credentials.username || ''} />
         </div>
       </div>

From 20107aaa5ff7cbafb41d072f3811cc8edbf56daa Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 10 Sep 2025 21:47:18 +0530
Subject: [PATCH 053/117] feat: log lease events with actors and metadata

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/views/secrets.py                  |   6 +-
 .../integrations/secrets/dynamic/aws/utils.py | 106 ++++++++++++++++--
 .../secrets/dynamic/graphene/mutations.py     |  13 ++-
 .../secrets/dynamic/graphene/types.py         |  17 ++-
 .../secrets/dynamic/rest/views.py             |  27 ++++-
 .../ee/integrations/secrets/dynamic/utils.py  |  62 +++++++++-
 6 files changed, 213 insertions(+), 18 deletions(-)

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index f78ec4858..5b77a1d09 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -186,10 +186,11 @@ def get(self, request, *args, **kwargs):
                 leases_by_secret_id = {}
                 for ds in dynamic_secrets_qs:
                     try:
-                        lease, _job = create_dynamic_secret_lease(
+                        lease, _ = create_dynamic_secret_lease(
                             ds,
                             organisation_member=request.auth.get("org_member"),
                             service_account=service_account,
+                            request=request,
                         )
                         leases_by_secret_id[ds.id] = str(lease.id)
                     except Exception as e:
@@ -579,10 +580,11 @@ def get(self, request, *args, **kwargs):
                 leases_by_secret_id = {}
                 for ds in dynamic_secrets_qs:
                     try:
-                        lease, _job = create_dynamic_secret_lease(
+                        lease, _ = create_dynamic_secret_lease(
                             ds,
                             organisation_member=request.auth.get("org_member"),
                             service_account=service_account,
+                            request=request,
                         )
                         leases_by_secret_id[ds.id] = str(lease.id)
                     except Exception as e:
diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 8e05c94cd..c1b50c0ee 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -1,11 +1,12 @@
 from django.utils import timezone
 from django.core.exceptions import ValidationError
 
-from api.models import DynamicSecret
+from api.models import DynamicSecret, DynamicSecretLeaseEvent
 from api.utils.crypto import decrypt_asymmetric, encrypt_asymmetric, get_server_keypair
 from api.utils.syncing.aws.auth import get_aws_sts_session
 from api.utils.secrets import get_environment_keys
 
+from api.utils.rest import get_resolver_request_meta
 from backend.utils.secrets import get_secret
 from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
 import logging
@@ -425,7 +426,13 @@ def create_aws_dynamic_secret_lease(
     return lease, lease_data
 
 
-def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
+def revoke_aws_dynamic_secret_lease(
+    lease_id,
+    manual=False,
+    request=None,
+    organisation_member=None,
+    service_account=None,
+):
     """
     Delete IAM user and all associated credentials.
 
@@ -442,8 +449,20 @@ def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
         logger.info(f"Lease {lease.id} already revoked at {lease.revoked_at}")
         return
 
+    logger.info(f"Revoking lease {lease.id} (manual={manual})")
+
     iam_client, _ = get_iam_client(lease.secret)
 
+    meta = {
+        "action": "revoke",
+        "provider": "aws",
+        "source": "manual" if manual else "scheduled",
+        "deleted_access_keys": [],
+        "detached_policies": [],
+        "deleted_inline_policies": [],
+        "removed_groups": [],
+    }
+
     try:
         # Decrypt username
         env_pubkey, env_privkey = get_environment_keys(lease.secret.environment.id)
@@ -456,7 +475,8 @@ def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
             iam_client.delete_access_key(
                 UserName=username, AccessKeyId=key["AccessKeyId"]
             )
-            logger.info(f"Deleted access key {key['AccessKeyId']} for user {username}")
+            logger.info(f"Deleted access key for user")
+            meta["deleted_access_keys"].append(key["AccessKeyId"])
 
         # Detach all managed policies
         attached_policies = iam_client.list_attached_user_policies(UserName=username)
@@ -464,13 +484,15 @@ def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
             iam_client.detach_user_policy(
                 UserName=username, PolicyArn=policy["PolicyArn"]
             )
-            logger.info(f"Detached policy {policy['PolicyArn']} from user {username}")
+            logger.info(f"Detached policy from user")
+            meta["detached_policies"].append(policy["PolicyArn"])
 
         # Delete all inline policies
         inline_policies = iam_client.list_user_policies(UserName=username)
         for policy_name in inline_policies["PolicyNames"]:
             iam_client.delete_user_policy(UserName=username, PolicyName=policy_name)
-            logger.info(f"Deleted inline policy {policy_name} from user {username}")
+            logger.info(f"Deleted inline policy from user")
+            meta["deleted_inline_policies"].append(policy_name)
 
         # Remove user from all groups
         groups_resp = iam_client.list_groups_for_user(UserName=username)
@@ -478,11 +500,12 @@ def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
             iam_client.remove_user_from_group(
                 UserName=username, GroupName=group["GroupName"]
             )
-            logger.info(f"Removed user {username} from group {group['GroupName']}")
+            logger.info(f"Removed user from group")
+            meta["removed_groups"].append(group["GroupName"])
 
         # Finally, delete the user
         iam_client.delete_user(UserName=username)
-        logger.info(f"Successfully deleted IAM user: {username}")
+        logger.info(f"Successfully deleted IAM user")
 
         if manual:
             lease.status = DynamicSecretLease.REVOKED
@@ -492,14 +515,81 @@ def revoke_aws_dynamic_secret_lease(lease_id, manual=False):
         lease.revoked_at = timezone.now()
         lease.save()
 
+        # Add request metadata if available
+        ip_address = user_agent = None
+        if request is not None:
+            try:
+                ip_address, user_agent = get_resolver_request_meta(request)
+
+                logger.info(f"Created revoke event for lease {lease.id}")
+            except Exception:
+                logger.error(
+                    "Failed to read request meta for lease event", exc_info=True
+                )
+                pass
+
+        DynamicSecretLeaseEvent.objects.create(
+            lease=lease,
+            event_type=DynamicSecretLease.REVOKED,
+            organisation_member=organisation_member,
+            service_account=service_account,
+            ip_address=ip_address,
+            user_agent=user_agent,
+            metadata=meta,
+        )
+
         return True
 
     except iam_client.exceptions.NoSuchEntityException:
-        logger.warning(f"User {username} does not exist, treating as already revoked")
+        logger.warning(
+            f"User {meta.get('username', '<unknown>')} does not exist, treating as already revoked"
+        )
+        # Emit event to reflect attempted revoke on missing user
+        meta["outcome"] = "user_absent"
+        try:
+            DynamicSecretLeaseEvent.objects.create(
+                lease=lease,
+                event_type=DynamicSecretLease.REVOKED,
+                organisation_member=organisation_member,
+                service_account=service_account,
+                ip_address=ip_address,
+                user_agent=user_agent,
+                metadata=meta,
+            )
+        except Exception as e:
+            logger.warning(f"Failed to create revoke event for lease {lease.id}: {e}")
         return True
     except ClientError as e:
         logger.error(f"AWS client error deleting user: {str(e)}")
+        meta["outcome"] = "error"
+        meta["error"] = str(e)
+        try:
+            DynamicSecretLeaseEvent.objects.create(
+                lease=lease,
+                event_type=DynamicSecretLease.REVOKED,
+                organisation_member=organisation_member,
+                service_account=service_account,
+                ip_address=ip_address,
+                user_agent=user_agent,
+                metadata=meta,
+            )
+        except Exception:
+            pass
         raise ValidationError(f"AWS client error deleting user: {str(e)}")
     except Exception as e:
         logger.error(f"Unexpected error deleting user: {str(e)}")
+        meta["outcome"] = "error"
+        meta["error"] = str(e)
+        try:
+            DynamicSecretLeaseEvent.objects.create(
+                lease=lease,
+                event_type=DynamicSecretLease.REVOKED,
+                organisation_member=organisation_member,
+                service_account=service_account,
+                ip_address=ip_address,
+                user_agent=user_agent,
+                metadata=meta,
+            )
+        except Exception:
+            pass
         raise Exception(f"Unexpected error deleting user: {str(e)}")
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
index 2b904eb3f..93b60f8a4 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -96,7 +96,7 @@ def mutate(
         # create lease
         lease_name = secret.name if name is None else name
         lease, lease_data = create_dynamic_secret_lease(
-            secret, lease_name, ttl, org_member
+            secret, lease_name, ttl, org_member, request=info.context
         )
         lease._credentials = AwsCredentialsType(
             access_key_id=lease_data["access_key_id"],
@@ -145,7 +145,9 @@ def mutate(
         if not user_can_access_environment(user.userId, lease.secret.environment.id):
             raise GraphQLError("You don't have access to this environment")
 
-        lease = renew_dynamic_secret_lease(lease, ttl)
+        lease = renew_dynamic_secret_lease(
+            lease, ttl, request=info.context, organisation_member=org_member
+        )
 
         return RenewLeaseMutation(lease=lease)
 
@@ -189,6 +191,11 @@ def mutate(
 
         else:
             if lease.secret.provider == "aws":
-                revoke_aws_dynamic_secret_lease(lease.id, manual=True)
+                revoke_aws_dynamic_secret_lease(
+                    lease.id,
+                    organisation_member=org_member,
+                    manual=True,
+                    request=info.context,
+                )
 
         return RevokeLeaseMutation(lease=lease)
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
index 0e302ec81..a3786ce9d 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -1,4 +1,9 @@
-from api.models import DynamicSecret, DynamicSecretLease, OrganisationMember
+from api.models import (
+    DynamicSecret,
+    DynamicSecretLease,
+    DynamicSecretLeaseEvent,
+    OrganisationMember,
+)
 from api.utils.access.permissions import user_has_permission
 import graphene
 from graphene_django import DjangoObjectType
@@ -90,9 +95,16 @@ def resolve_leases(self, info):
         return self.leases.filter(**filter).order_by("-created_at")
 
 
+class DynamicSecretLeaseEventType(DjangoObjectType):
+    class Meta:
+        model = DynamicSecretLeaseEvent
+        fields = "__all__"
+
+
 class DynamicSecretLeaseType(DjangoObjectType):
 
     credentials = graphene.Field(LeaseCredentialsUnion)
+    events = graphene.List(DynamicSecretLeaseEventType)
 
     class Meta:
         model = DynamicSecretLease
@@ -100,3 +112,6 @@ class Meta:
 
     def resolve_credentials(self, info):
         return getattr(self, "_credentials", None)
+
+    def resolve_events(self, info):
+        return self.events.all().order_by("created_at")
diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index a6612bbd0..7cffaf082 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -120,6 +120,7 @@ def get(self, request, *args, **kwargs):
                 secret,
                 organisation_member=request.auth["org_member"],
                 service_account=service_account,
+                request=request,
             )[0]
             for secret in dynamic_secrets
         ]
@@ -247,8 +248,19 @@ def put(self, request, *args, **kwargs):
         lease = self._get_lease_or_404(lease_id)
         self._assert_can_act_on_lease(request, lease, action="update")
 
+        if request.auth["auth_type"] == "User":
+            org_member = request.auth["org_member"].user
+        elif request.auth["auth_type"] == "ServiceAccount":
+            service_account = request.auth["service_account"]
+
         try:
-            lease = renew_dynamic_secret_lease(lease, ttl)
+            lease = renew_dynamic_secret_lease(
+                lease,
+                ttl,
+                request=request,
+                organisation_member=org_member,
+                service_account=service_account,
+            )
         except Exception as e:
             logger.exception(
                 "Failed to renew dynamic secret lease (lease_id=%s)", lease_id
@@ -268,7 +280,18 @@ def delete(self, request, *args, **kwargs):
         lease = self._get_lease_or_404(lease_id)
         self._assert_can_act_on_lease(request, lease, action="delete")
 
+        if request.auth["auth_type"] == "User":
+            org_member = request.auth["org_member"].user
+        elif request.auth["auth_type"] == "ServiceAccount":
+            service_account = request.auth["service_account"]
+
         if lease.secret.provider == "aws":
-            revoke_aws_dynamic_secret_lease(lease.id, manual=True)
+            revoke_aws_dynamic_secret_lease(
+                lease.id,
+                manual=True,
+                request=request,
+                organisation_member=org_member,
+                service_account=service_account,
+            )
 
         return Response(status=status.HTTP_200_OK)
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index dd8e3c3c9..6e60509a8 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -7,6 +7,8 @@
     get_environment_keys,
 )
 from api.utils.crypto import decrypt_asymmetric
+from api.models import DynamicSecretLease, DynamicSecretLeaseEvent
+from api.utils.rest import get_resolver_request_meta
 from ee.integrations.secrets.dynamic.aws.utils import (
     create_aws_dynamic_secret_lease,
 )
@@ -169,7 +171,12 @@ def create_dynamic_secret(
 
 
 def create_dynamic_secret_lease(
-    secret, lease_name=None, ttl=None, organisation_member=None, service_account=None
+    secret,
+    lease_name=None,
+    ttl=None,
+    organisation_member=None,
+    service_account=None,
+    request=None,
 ):
     try:
         lease_name = lease_name or secret.name
@@ -183,6 +190,28 @@ def create_dynamic_secret_lease(
                 ttl_seconds=ttl,
             )
 
+            # Record creation event with request metadata (if available)
+            ip_address, user_agent = (None, None)
+            if request is not None:
+                try:
+                    ip_address, user_agent = get_resolver_request_meta(request)
+                except Exception:
+                    logger.debug(
+                        "Failed to read request meta for lease event", exc_info=True
+                    )
+
+            DynamicSecretLeaseEvent.objects.create(
+                lease=lease,
+                event_type=DynamicSecretLease.CREATED,
+                organisation_member=(
+                    organisation_member if organisation_member else None
+                ),
+                service_account=service_account if service_account else None,
+                ip_address=ip_address,
+                user_agent=user_agent,
+                metadata={"action": "create", "ttl": ttl},
+            )
+
             return lease, lease_data
 
     except ValidationError as e:
@@ -190,7 +219,13 @@ def create_dynamic_secret_lease(
         raise GraphQLError(e.message)
 
 
-def renew_dynamic_secret_lease(lease, ttl):
+def renew_dynamic_secret_lease(
+    lease,
+    ttl,
+    request=None,
+    organisation_member=None,
+    service_account=None,
+):
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
         raise Exception(
             "The specified TTL exceeds the maximum TTL for this dynamic secret."
@@ -220,6 +255,29 @@ def renew_dynamic_secret_lease(lease, ttl):
     # enqueue a new revocation job
     schedule_lease_revocation(lease)
 
+    # record renewal event
+    ip_address, user_agent = (None, None)
+    if request is not None:
+        try:
+            ip_address, user_agent = get_resolver_request_meta(request)
+        except Exception:
+            logger.debug(
+                "Failed to read request meta for lease renewal event", exc_info=True
+            )
+
+    try:
+        DynamicSecretLeaseEvent.objects.create(
+            lease=lease,
+            event_type=DynamicSecretLease.RENEWED,
+            organisation_member=organisation_member,
+            service_account=service_account,
+            ip_address=ip_address,
+            user_agent=user_agent,
+            metadata={"action": "renew", "ttl": ttl},
+        )
+    except Exception as e:
+        logger.warning(f"Failed to create renewal event for lease {lease.id}: {e}")
+
     return lease
 
 

From 240689cfad3896e5257285bfbae575955e13231c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 10 Sep 2025 21:47:33 +0530
Subject: [PATCH 054/117] chore: regenerate schema and types

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/apollo/gql.ts                        |  12 +-
 frontend/apollo/graphql.ts                    |  38 +-
 frontend/apollo/schema.graphql                | 499 +++++++++++++++---
 .../secrets/dynamic/getSecretLeases.gql       |  19 +
 4 files changed, 482 insertions(+), 86 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index b81930a76..f94c9e426 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -117,9 +117,9 @@ const documents = {
     "query GetOrganisationPlan($organisationId: ID!) {\n  organisationPlan(organisationId: $organisationId) {\n    name\n    maxUsers\n    maxApps\n    maxEnvsPerApp\n    seatsUsed {\n      users\n      serviceAccounts\n      total\n    }\n    seatLimit\n    appCount\n  }\n}": types.GetOrganisationPlanDocument,
     "query GetRoles($orgId: ID!) {\n  roles(orgId: $orgId) {\n    id\n    name\n    description\n    color\n    permissions\n    isDefault\n  }\n}": types.GetRolesDocument,
     "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}": types.VerifyInviteDocument,
-    "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
+    "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
     "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": types.GetDynamicSecretProvidersDocument,
-    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
+    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
     "query GetAppEnvironments($appId: ID!, $memberId: ID, $memberType: MemberType) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppEnvironmentsDocument,
     "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppSecretsDocument,
     "query GetAppSecretsLogs($appId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $memberId: ID, $memberType: MemberType, $environmentId: ID) {\n  secretLogs(\n    appId: $appId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    memberId: $memberId\n    memberType: $memberType\n    environmentId: $environmentId\n  ) {\n    logs {\n      id\n      path\n      key\n      value\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      serviceAccountToken {\n        id\n        name\n        deletedAt\n      }\n      eventType\n      environment {\n        id\n        envType\n        name\n      }\n      secret {\n        id\n        path\n      }\n    }\n    count\n  }\n  environmentKeys(appId: $appId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    environment {\n      id\n    }\n  }\n}": types.GetAppSecretsLogsDocument,
@@ -130,7 +130,7 @@ const documents = {
     "query GetSecretHistory($appId: ID!, $envId: ID!, $id: ID!) {\n  secrets(envId: $envId, id: $id) {\n    id\n    history {\n      id\n      key\n      value\n      path\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      eventType\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetSecretHistoryDocument,
     "query GetEnvSecretsKV($envId: ID!) {\n  folders(envId: $envId, path: \"/\") {\n    id\n    name\n  }\n  secrets(envId: $envId, path: \"/\") {\n    id\n    key\n    value\n    comment\n    path\n  }\n  environmentKeys(environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetEnvSecretsKvDocument,
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
-    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
+    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
     "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
@@ -591,7 +591,7 @@ export function graphql(source: "query VerifyInvite($inviteId: ID!) {\n  validat
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -599,7 +599,7 @@ export function graphql(source: "query GetDynamicSecretProviders {\n  dynamicSec
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n    }\n  }\n}"];
+export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -643,7 +643,7 @@ export function graphql(source: "query GetSecretTags($orgId: ID!) {\n  secretTag
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index b62fa0905..ca10b1a98 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -124,6 +124,19 @@ export enum ApiActivatedPhaseLicensePlanChoices {
   Pr = 'PR'
 }
 
+export enum ApiDynamicSecretLeaseEventEventTypeChoices {
+  /** Active */
+  Active = 'ACTIVE',
+  /** Created */
+  Created = 'CREATED',
+  /** Expired */
+  Expired = 'EXPIRED',
+  /** Renewed */
+  Renewed = 'RENEWED',
+  /** Revoked */
+  Revoked = 'REVOKED'
+}
+
 export enum ApiDynamicSecretLeaseStatusChoices {
   /** Active */
   Active = 'ACTIVE',
@@ -530,6 +543,19 @@ export type DeleteUserTokenMutation = {
 
 export type DynamicSecretConfigUnion = AwsConfigType;
 
+export type DynamicSecretLeaseEventType = {
+  __typename?: 'DynamicSecretLeaseEventType';
+  createdAt: Scalars['DateTime']['output'];
+  eventType: ApiDynamicSecretLeaseEventEventTypeChoices;
+  id: Scalars['ID']['output'];
+  ipAddress?: Maybe<Scalars['String']['output']>;
+  lease: DynamicSecretLeaseType;
+  metadata: Scalars['JSONString']['output'];
+  organisationMember?: Maybe<OrganisationMemberType>;
+  serviceAccount?: Maybe<ServiceAccountType>;
+  userAgent?: Maybe<Scalars['String']['output']>;
+};
+
 export type DynamicSecretLeaseType = {
   __typename?: 'DynamicSecretLeaseType';
   cleanupJobId: Scalars['String']['output'];
@@ -537,6 +563,7 @@ export type DynamicSecretLeaseType = {
   credentials?: Maybe<LeaseCredentialsUnion>;
   deletedAt?: Maybe<Scalars['DateTime']['output']>;
   description: Scalars['String']['output'];
+  events?: Maybe<Array<Maybe<DynamicSecretLeaseEventType>>>;
   expiresAt?: Maybe<Scalars['DateTime']['output']>;
   id: Scalars['String']['output'];
   name: Scalars['String']['output'];
@@ -3302,6 +3329,7 @@ export type GetDynamicSecretsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
   appId?: InputMaybe<Scalars['ID']['input']>;
   envId?: InputMaybe<Scalars['ID']['input']>;
+  path?: InputMaybe<Scalars['String']['input']>;
 }>;
 
 
@@ -3318,7 +3346,7 @@ export type GetDynamicSecretLeasesQueryVariables = Exact<{
 }>;
 
 
-export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null }> } | null> | null };
+export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null, events?: Array<{ __typename?: 'DynamicSecretLeaseEventType', id: string, eventType: ApiDynamicSecretLeaseEventEventTypeChoices, createdAt: any, metadata: any } | null> | null }> } | null> | null };
 
 export type GetAppEnvironmentsQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3412,7 +3440,7 @@ export type GetSecretsQueryVariables = Exact<{
 }>;
 
 
-export type GetSecretsQuery = { __typename?: 'Query', secrets?: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, path: string, comment: string, createdAt?: any | null, updatedAt: any, tags: Array<{ __typename?: 'SecretTagType', id: string, name: string, color: string }>, override?: { __typename?: 'PersonalSecretType', value?: string | null, isActive: boolean } | null, environment: { __typename?: 'EnvironmentType', id: string, app: { __typename?: 'AppMembershipType', id: string } } } | null> | null, folders?: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string, createdAt?: any | null, folderCount?: number | null, secretCount?: number | null } | null> | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, app: { __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean } } | null> | null, environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, identityKey: string, wrappedSeed: string, wrappedSalt: string } | null> | null, envSyncs?: Array<{ __typename?: 'EnvironmentSyncType', id: string, options: any, isActive: boolean, status: ApiEnvironmentSyncStatusChoices, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null> | null, dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, groups?: Array<string | null> | null, iamPath?: string | null, permissionBoundaryArn?: string | null, policyArns?: Array<string | null> | null, policyDocument?: any | null } | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
+export type GetSecretsQuery = { __typename?: 'Query', secrets?: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, path: string, comment: string, createdAt?: any | null, updatedAt: any, tags: Array<{ __typename?: 'SecretTagType', id: string, name: string, color: string }>, override?: { __typename?: 'PersonalSecretType', value?: string | null, isActive: boolean } | null, environment: { __typename?: 'EnvironmentType', id: string, app: { __typename?: 'AppMembershipType', id: string } } } | null> | null, folders?: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string, createdAt?: any | null, folderCount?: number | null, secretCount?: number | null } | null> | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, app: { __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean } } | null> | null, environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, identityKey: string, wrappedSeed: string, wrappedSalt: string } | null> | null, envSyncs?: Array<{ __typename?: 'EnvironmentSyncType', id: string, options: any, isActive: boolean, status: ApiEnvironmentSyncStatusChoices, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null> | null, dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, groups?: Array<string | null> | null, iamPath?: string | null, permissionBoundaryArn?: string | null, policyArns?: Array<string | null> | null, policyDocument?: any | null } | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
 
 export type GetServiceTokensQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3692,9 +3720,9 @@ export const GetOrganisationMembersDocument = {"kind":"Document","definitions":[
 export const GetOrganisationPlanDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationPlan"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationPlan"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"seatLimit"}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationPlanQuery, GetOrganisationPlanQueryVariables>;
 export const GetRolesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRoles"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"roles"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"isDefault"}}]}}]}}]} as unknown as DocumentNode<GetRolesQuery, GetRolesQueryVariables>;
 export const VerifyInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateInvite"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"organisation"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<VerifyInviteQuery, VerifyInviteQueryVariables>;
-export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
+export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
 export const GetDynamicSecretProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"configMap"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretProvidersQuery, GetDynamicSecretProvidersQueryVariables>;
-export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
+export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
 export const GetAppEnvironmentsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppEnvironments"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppEnvironmentsQuery, GetAppEnvironmentsQueryVariables>;
 export const GetAppSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppSecretsQuery, GetAppSecretsQueryVariables>;
 export const GetAppSecretsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecretsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}},{"kind":"Argument","name":{"kind":"Name","value":"eventTypes"},"value":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppSecretsLogsQuery, GetAppSecretsLogsQueryVariables>;
@@ -3705,7 +3733,7 @@ export const GetOrgSecretKeysDocument = {"kind":"Document","definitions":[{"kind
 export const GetSecretHistoryDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretHistory"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetSecretHistoryQuery, GetSecretHistoryQueryVariables>;
 export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetEnvSecretsKV"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetEnvSecretsKvQuery, GetEnvSecretsKvQueryVariables>;
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
-export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
+export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
 export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 6cec7aac4..056d01283 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -13,9 +13,22 @@ type Query {
   validateInvite(inviteId: ID): OrganisationMemberInviteType
   apps(organisationId: ID, appId: ID): [AppType]
   kmsLogs(appId: ID, start: BigInt, end: BigInt): KMSLogsResponseType
-  secretLogs(appId: ID, start: BigInt, end: BigInt, eventTypes: [String], memberId: ID, memberType: MemberType, environmentId: ID): SecretLogsResponseType
+  secretLogs(
+    appId: ID
+    start: BigInt
+    end: BigInt
+    eventTypes: [String]
+    memberId: ID
+    memberType: MemberType
+    environmentId: ID
+  ): SecretLogsResponseType
   appActivityChart(appId: ID, period: TimeRange): [ChartDataPointType]
-  appEnvironments(appId: ID, environmentId: ID, memberId: ID, memberType: MemberType): [EnvironmentType]
+  appEnvironments(
+    appId: ID
+    environmentId: ID
+    memberId: ID
+    memberType: MemberType
+  ): [EnvironmentType]
   appUsers(appId: ID): [OrganisationMemberType]
   appServiceAccounts(appId: ID): [ServiceAccountType]
   secrets(envId: ID, path: String, id: ID): [SecretType]
@@ -49,7 +62,11 @@ type Query {
   testVaultCreds(credentialId: ID): Boolean
   testNomadCreds(credentialId: ID): Boolean
   validateAwsAssumeRoleAuth: AWSValidationResultType
-  validateAwsAssumeRoleCredentials(roleArn: String!, region: String, externalId: String): AWSValidationResultType
+  validateAwsAssumeRoleCredentials(
+    roleArn: String!
+    region: String
+    externalId: String
+  ): AWSValidationResultType
   stripeCheckoutDetails(stripeSessionId: String!): StripeCheckoutDetails
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
@@ -78,13 +95,19 @@ value as specified by
 scalar DateTime
 
 enum ApiOrganisationPlanChoices {
-  """Free"""
+  """
+  Free
+  """
   FR
 
-  """Pro"""
+  """
+  Pro
+  """
   PR
 
-  """Enterprise"""
+  """
+  Enterprise
+  """
   EN
 }
 
@@ -185,16 +208,24 @@ type EnvironmentType {
 }
 
 enum ApiEnvironmentEnvTypeChoices {
-  """Development"""
+  """
+  Development
+  """
   DEV
 
-  """Staging"""
+  """
+  Staging
+  """
   STAGING
 
-  """Production"""
+  """
+  Production
+  """
   PROD
 
-  """Custom"""
+  """
+  Custom
+  """
   CUSTOM
 }
 
@@ -316,16 +347,24 @@ type ServiceAccountTokenType {
 }
 
 enum ApiSecretEventEventTypeChoices {
-  """Create"""
+  """
+  Create
+  """
   C
 
-  """Read"""
+  """
+  Read
+  """
   R
 
-  """Update"""
+  """
+  Update
+  """
   U
 
-  """Delete"""
+  """
+  Delete
+  """
   D
 }
 
@@ -372,19 +411,29 @@ type ProviderType {
 }
 
 enum ApiEnvironmentSyncStatusChoices {
-  """In progress"""
+  """
+  In progress
+  """
   IN_PROGRESS
 
-  """Completed"""
+  """
+  Completed
+  """
   COMPLETED
 
-  """cancelled"""
+  """
+  cancelled
+  """
   CANCELLED
 
-  """Timed out"""
+  """
+  Timed out
+  """
   TIMED_OUT
 
-  """Failed"""
+  """
+  Failed
+  """
   FAILED
 }
 
@@ -405,19 +454,29 @@ type EnvironmentSyncEventType {
 }
 
 enum ApiEnvironmentSyncEventStatusChoices {
-  """In progress"""
+  """
+  In progress
+  """
   IN_PROGRESS
 
-  """Completed"""
+  """
+  Completed
+  """
   COMPLETED
 
-  """cancelled"""
+  """
+  cancelled
+  """
   CANCELLED
 
-  """Timed out"""
+  """
+  Timed out
+  """
   TIMED_OUT
 
-  """Failed"""
+  """
+  Failed
+  """
   FAILED
 }
 
@@ -480,13 +539,19 @@ type ActivatedPhaseLicenseType {
 }
 
 enum ApiActivatedPhaseLicensePlanChoices {
-  """Free"""
+  """
+  Free
+  """
   FR
 
-  """Pro"""
+  """
+  Pro
+  """
   PR
 
-  """Enterprise"""
+  """
+  Enterprise
+  """
   EN
 }
 
@@ -541,9 +606,13 @@ type KMSLogType implements Node {
   longitude: Float
 }
 
-"""An object with an ID"""
+"""
+An object with an ID
+"""
 interface Node {
-  """The ID of the object"""
+  """
+  The ID of the object
+  """
   id: ID!
 }
 
@@ -796,7 +865,9 @@ type DynamicSecretType {
   path: String!
   authentication: ProviderCredentialsType
 
-  """Which provider this secret is associated with."""
+  """
+  Which provider this secret is associated with.
+  """
   provider: ApiDynamicSecretProviderChoices!
   config: DynamicSecretConfigUnion
   keyMap: [KeyMap]
@@ -809,7 +880,9 @@ type DynamicSecretType {
 }
 
 enum ApiDynamicSecretProviderChoices {
-  """AWS"""
+  """
+  AWS
+  """
   AWS
 }
 
@@ -838,7 +911,9 @@ type DynamicSecretLeaseType {
   serviceAccount: ServiceAccountType
   ttl: Float!
 
-  """Current status of the lease"""
+  """
+  Current status of the lease
+  """
   status: ApiDynamicSecretLeaseStatusChoices!
   credentials: LeaseCredentialsUnion
   createdAt: DateTime
@@ -847,22 +922,33 @@ type DynamicSecretLeaseType {
   revokedAt: DateTime
   deletedAt: DateTime
   cleanupJobId: String!
+  events: [DynamicSecretLeaseEventType]
 }
 
 enum ApiDynamicSecretLeaseStatusChoices {
-  """Created"""
+  """
+  Created
+  """
   CREATED
 
-  """Active"""
+  """
+  Active
+  """
   ACTIVE
 
-  """Renewed"""
+  """
+  Renewed
+  """
   RENEWED
 
-  """Revoked"""
+  """
+  Revoked
+  """
   REVOKED
 
-  """Expired"""
+  """
+  Expired
+  """
   EXPIRED
 }
 
@@ -874,63 +960,293 @@ type AwsCredentialsType {
   username: String
 }
 
+type DynamicSecretLeaseEventType {
+  id: ID!
+  lease: DynamicSecretLeaseType!
+  eventType: ApiDynamicSecretLeaseEventEventTypeChoices!
+  organisationMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  ipAddress: String
+  userAgent: String
+  metadata: JSONString!
+  createdAt: DateTime!
+}
+
+enum ApiDynamicSecretLeaseEventEventTypeChoices {
+  """
+  Created
+  """
+  CREATED
+
+  """
+  Active
+  """
+  ACTIVE
+
+  """
+  Renewed
+  """
+  RENEWED
+
+  """
+  Revoked
+  """
+  REVOKED
+
+  """
+  Expired
+  """
+  EXPIRED
+}
+
 type Mutation {
-  createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
-  bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
-  createOrganisationMember(identityKey: String!, inviteId: ID!, orgId: ID!, wrappedKeyring: String, wrappedRecovery: String): CreateOrganisationMemberMutation
+  createOrganisation(
+    id: ID!
+    identityKey: String!
+    name: String!
+    wrappedKeyring: String!
+    wrappedRecovery: String!
+  ): CreateOrganisationMutation
+  bulkInviteOrganisationMembers(
+    invites: [InviteInput]!
+    orgId: ID!
+  ): BulkInviteOrganisationMembersMutation
+  createOrganisationMember(
+    identityKey: String!
+    inviteId: ID!
+    orgId: ID!
+    wrappedKeyring: String
+    wrappedRecovery: String
+  ): CreateOrganisationMemberMutation
   deleteOrganisationMember(memberId: ID!): DeleteOrganisationMemberMutation
   updateOrganisationMemberRole(memberId: ID!, roleId: ID!): UpdateOrganisationMemberRole
-  updateMemberWrappedSecrets(orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
+  updateMemberWrappedSecrets(
+    orgId: ID!
+    wrappedKeyring: String!
+    wrappedRecovery: String!
+  ): UpdateUserWrappedSecretsMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
-  createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
+  createApp(
+    appSeed: String!
+    appToken: String!
+    appVersion: Int!
+    id: ID!
+    identityKey: String!
+    name: String!
+    organisationId: ID!
+    wrappedKeyShare: String!
+  ): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
   deleteApp(id: ID!): DeleteAppMutation
   updateAppName(id: ID!, name: String!): UpdateAppNameMutation
-  addAppMember(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): AddAppMemberMutation
+  addAppMember(
+    appId: ID
+    envKeys: [EnvironmentKeyInput]
+    memberId: ID
+    memberType: MemberType
+  ): AddAppMemberMutation
   bulkAddAppMembers(appId: ID!, members: [AppMemberInputType]!): BulkAddAppMembersMutation
   removeAppMember(appId: ID, memberId: ID, memberType: MemberType): RemoveAppMemberMutation
-  updateMemberEnvironmentScope(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): UpdateMemberEnvScopeMutation
-  createEnvironment(adminKeys: [EnvironmentKeyInput], environmentData: EnvironmentInput!, wrappedSalt: String, wrappedSeed: String): CreateEnvironmentMutation
+  updateMemberEnvironmentScope(
+    appId: ID
+    envKeys: [EnvironmentKeyInput]
+    memberId: ID
+    memberType: MemberType
+  ): UpdateMemberEnvScopeMutation
+  createEnvironment(
+    adminKeys: [EnvironmentKeyInput]
+    environmentData: EnvironmentInput!
+    wrappedSalt: String
+    wrappedSeed: String
+  ): CreateEnvironmentMutation
   deleteEnvironment(environmentId: ID!): DeleteEnvironmentMutation
   renameEnvironment(environmentId: ID!, name: String!): RenameEnvironmentMutation
   swapEnvironmentOrder(environment1Id: ID!, environment2Id: ID!): SwapEnvironmentOrderMutation
-  createEnvironmentKey(envId: ID!, identityKey: String!, userId: ID, wrappedSalt: String!, wrappedSeed: String!): CreateEnvironmentKeyMutation
-  createEnvironmentToken(envId: ID!, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateEnvironmentTokenMutation
-  createCustomRole(color: String, description: String, name: String, organisationId: ID!, permissions: JSONString): CreateCustomRoleMutation
-  updateCustomRole(color: String, description: String, id: ID!, name: String, permissions: JSONString): UpdateCustomRoleMutation
+  createEnvironmentKey(
+    envId: ID!
+    identityKey: String!
+    userId: ID
+    wrappedSalt: String!
+    wrappedSeed: String!
+  ): CreateEnvironmentKeyMutation
+  createEnvironmentToken(
+    envId: ID!
+    identityKey: String!
+    name: String!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateEnvironmentTokenMutation
+  createCustomRole(
+    color: String
+    description: String
+    name: String
+    organisationId: ID!
+    permissions: JSONString
+  ): CreateCustomRoleMutation
+  updateCustomRole(
+    color: String
+    description: String
+    id: ID!
+    name: String
+    permissions: JSONString
+  ): UpdateCustomRoleMutation
   deleteCustomRole(id: ID!): DeleteCustomRoleMutation
-  createNetworkAccessPolicy(allowedIps: String!, isGlobal: Boolean!, name: String, organisationId: ID!): CreateNetworkAccessPolicyMutation
+  createNetworkAccessPolicy(
+    allowedIps: String!
+    isGlobal: Boolean!
+    name: String
+    organisationId: ID!
+  ): CreateNetworkAccessPolicyMutation
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
-  updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
-  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
-  enableServiceAccountThirdPartyAuth(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountThirdPartyAuthMutation
-  updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
+  updateAccountNetworkAccessPolicies(
+    accountInputs: [AccountPolicyInput]
+    organisationId: ID!
+  ): UpdateAccountNetworkAccessPolicies
+  createServiceAccount(
+    handlers: [ServiceAccountHandlerInput]
+    identityKey: String
+    name: String
+    organisationId: ID
+    roleId: ID
+    serverWrappedKeyring: String
+    serverWrappedRecovery: String
+  ): CreateServiceAccountMutation
+  enableServiceAccountThirdPartyAuth(
+    serverWrappedKeyring: String
+    serverWrappedRecovery: String
+    serviceAccountId: ID
+  ): EnableServiceAccountThirdPartyAuthMutation
+  updateServiceAccountHandlers(
+    handlers: [ServiceAccountHandlerInput]
+    organisationId: ID
+  ): UpdateServiceAccountHandlersMutation
   updateServiceAccount(name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
-  createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
+  createServiceAccountToken(
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    serviceAccountId: ID
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
   toggleSyncActive(syncId: ID): ToggleSyncActive
   updateSyncAuthentication(credentialId: ID, syncId: ID): UpdateSyncAuthentication
-  createProviderCredentials(credentials: JSONString, name: String, orgId: ID, provider: String): CreateProviderCredentials
-  updateProviderCredentials(credentialId: ID, credentials: JSONString, name: String): UpdateProviderCredentials
+  createProviderCredentials(
+    credentials: JSONString
+    name: String
+    orgId: ID
+    provider: String
+  ): CreateProviderCredentials
+  updateProviderCredentials(
+    credentialId: ID
+    credentials: JSONString
+    name: String
+  ): UpdateProviderCredentials
   deleteProviderCredentials(credentialId: ID): DeleteProviderCredentials
-  createCloudflarePagesSync(credentialId: ID, deploymentId: ID, envId: ID, path: String, projectEnv: String, projectName: String): CreateCloudflarePagesSync
-  createCloudflareWorkersSync(credentialId: ID, envId: ID, path: String, workerName: String): CreateCloudflareWorkersSync
-  createAwsSecretSync(credentialId: ID, envId: ID, kmsId: String, path: String, secretName: String): CreateAWSSecretsManagerSync
-  createGhActionsSync(credentialId: ID, envId: ID, owner: String, path: String, repoName: String): CreateGitHubActionsSync
-  createVaultSync(credentialId: ID, engine: String, envId: ID, path: String, vaultPath: String): CreateVaultSync
-  createNomadSync(credentialId: ID, envId: ID, nomadNamespace: String, nomadPath: String, path: String): CreateNomadSync
-  createGitlabCiSync(credentialId: ID, envId: ID, isGroup: Boolean, masked: Boolean, path: String, protected: Boolean, resourceId: String, resourcePath: String): CreateGitLabCISync
-  createRailwaySync(credentialId: ID, envId: ID, path: String, railwayEnvironment: RailwayResourceInput, railwayProject: RailwayResourceInput, railwayService: RailwayResourceInput): CreateRailwaySync
-  createVercelSync(credentialId: ID, envId: ID, environment: String, path: String, projectId: String, projectName: String, secretType: String, teamId: String, teamName: String): CreateVercelSync
-  createRenderSync(credentialId: ID, envId: ID, path: String, resourceId: String, resourceName: String, resourceType: RenderResourceType, secretFileName: String): CreateRenderSync
-  createUserToken(expiry: BigInt, identityKey: String!, name: String!, orgId: ID!, token: String!, wrappedKeyShare: String!): CreateUserTokenMutation
+  createCloudflarePagesSync(
+    credentialId: ID
+    deploymentId: ID
+    envId: ID
+    path: String
+    projectEnv: String
+    projectName: String
+  ): CreateCloudflarePagesSync
+  createCloudflareWorkersSync(
+    credentialId: ID
+    envId: ID
+    path: String
+    workerName: String
+  ): CreateCloudflareWorkersSync
+  createAwsSecretSync(
+    credentialId: ID
+    envId: ID
+    kmsId: String
+    path: String
+    secretName: String
+  ): CreateAWSSecretsManagerSync
+  createGhActionsSync(
+    credentialId: ID
+    envId: ID
+    owner: String
+    path: String
+    repoName: String
+  ): CreateGitHubActionsSync
+  createVaultSync(
+    credentialId: ID
+    engine: String
+    envId: ID
+    path: String
+    vaultPath: String
+  ): CreateVaultSync
+  createNomadSync(
+    credentialId: ID
+    envId: ID
+    nomadNamespace: String
+    nomadPath: String
+    path: String
+  ): CreateNomadSync
+  createGitlabCiSync(
+    credentialId: ID
+    envId: ID
+    isGroup: Boolean
+    masked: Boolean
+    path: String
+    protected: Boolean
+    resourceId: String
+    resourcePath: String
+  ): CreateGitLabCISync
+  createRailwaySync(
+    credentialId: ID
+    envId: ID
+    path: String
+    railwayEnvironment: RailwayResourceInput
+    railwayProject: RailwayResourceInput
+    railwayService: RailwayResourceInput
+  ): CreateRailwaySync
+  createVercelSync(
+    credentialId: ID
+    envId: ID
+    environment: String
+    path: String
+    projectId: String
+    projectName: String
+    secretType: String
+    teamId: String
+    teamName: String
+  ): CreateVercelSync
+  createRenderSync(
+    credentialId: ID
+    envId: ID
+    path: String
+    resourceId: String
+    resourceName: String
+    resourceType: RenderResourceType
+    secretFileName: String
+  ): CreateRenderSync
+  createUserToken(
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    orgId: ID!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateUserTokenMutation
   deleteUserToken(tokenId: ID!): DeleteUserTokenMutation
-  createServiceToken(appId: ID!, environmentKeys: [EnvironmentKeyInput], expiry: BigInt, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateServiceTokenMutation
+  createServiceToken(
+    appId: ID!
+    environmentKeys: [EnvironmentKeyInput]
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateServiceTokenMutation
   deleteServiceToken(tokenId: ID!): DeleteServiceTokenMutation
   createSecretFolder(envId: ID, name: String, path: String): CreateSecretFolderMutation
   deleteSecretFolder(folderId: ID): DeleteSecretFolderMutation
@@ -945,20 +1261,53 @@ type Mutation {
   createOverride(overrideData: PersonalSecretInput): CreatePersonalSecretMutation
   removeOverride(secretId: ID): DeletePersonalSecretMutation
   createLockbox(input: LockboxInput): CreateLockboxMutation
-  createSubscriptionCheckoutSession(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum): CreateSubscriptionCheckoutSession
+  createSubscriptionCheckoutSession(
+    billingPeriod: BillingPeriodEnum
+    organisationId: ID!
+    planType: PlanTypeEnum
+  ): CreateSubscriptionCheckoutSession
   deletePaymentMethod(organisationId: ID, paymentMethodId: String): DeletePaymentMethodMutation
   cancelSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
   resumeSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
-  modifySubscription(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum, subscriptionId: String!): UpdateSubscriptionResponse
+  modifySubscription(
+    billingPeriod: BillingPeriodEnum
+    organisationId: ID!
+    planType: PlanTypeEnum
+    subscriptionId: String!
+  ): UpdateSubscriptionResponse
   createSetupIntent(organisationId: ID): CreateSetupIntentMutation
   setDefaultPaymentMethod(
     organisationId: ID
 
-    """Payment Method ID to set as default"""
+    """
+    Payment Method ID to set as default
+    """
     paymentMethodId: String!
   ): SetDefaultPaymentMethodMutation
-  createAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, environmentId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): CreateAWSDynamicSecretMutation
-  updateAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, dynamicSecretId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): UpdateAWSDynamicSecretMutation
+  createAwsDynamicSecret(
+    authenticationId: ID
+    config: AWSConfigInput!
+    defaultTtl: Int
+    description: String
+    environmentId: ID!
+    keyMap: [KeyMapInput]!
+    maxTtl: Int
+    name: String!
+    organisationId: ID!
+    path: String
+  ): CreateAWSDynamicSecretMutation
+  updateAwsDynamicSecret(
+    authenticationId: ID
+    config: AWSConfigInput!
+    defaultTtl: Int
+    description: String
+    dynamicSecretId: ID!
+    keyMap: [KeyMapInput]!
+    maxTtl: Int
+    name: String!
+    organisationId: ID!
+    path: String
+  ): UpdateAWSDynamicSecretMutation
   deleteDynamicSecret(secretId: ID!): DeleteDynamicSecretMutation
   createDynamicSecretLease(name: String, secretId: ID!, ttl: Int): LeaseDynamicSecret
   renewDynamicSecretLease(leaseId: ID!, ttl: Int): RenewLeaseMutation
@@ -1401,4 +1750,4 @@ type RenewLeaseMutation {
 
 type RevokeLeaseMutation {
   lease: DynamicSecretLeaseType
-}
\ No newline at end of file
+}
diff --git a/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql b/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
index a71b05f3c..03541a37b 100644
--- a/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
+++ b/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
@@ -19,6 +19,25 @@ query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {
         id
         name
       }
+      events {
+        id
+        eventType
+        createdAt
+        metadata
+        ipAddress
+        userAgent
+        organisationMember {
+          id
+          fullName
+          email
+          avatarUrl
+          self
+        }
+        serviceAccount {
+          id
+          name
+        }
+      }
     }
   }
 }

From c33044434730e52376e3a147d775ec159324e764 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 10 Sep 2025 21:47:47 +0530
Subject: [PATCH 055/117] feat: render lease event history

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../components/secrets/dynamic/LeaseCard.tsx  |  38 ++--
 .../secrets/dynamic/LeaseHistoryDialog.tsx    |  26 +++
 .../secrets/dynamic/LeaseTimeLine.tsx         | 213 ++++++++++++++++++
 3 files changed, 263 insertions(+), 14 deletions(-)
 create mode 100644 frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
 create mode 100644 frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx

diff --git a/frontend/ee/components/secrets/dynamic/LeaseCard.tsx b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
index 780e33876..9b6149b3d 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
@@ -1,5 +1,6 @@
 import {
   ApiDynamicSecretLeaseStatusChoices,
+  DynamicSecretLeaseEventType,
   DynamicSecretLeaseType,
   DynamicSecretType,
 } from '@/apollo/graphql'
@@ -11,6 +12,7 @@ import { FaBan } from 'react-icons/fa6'
 import { FiRefreshCw } from 'react-icons/fi'
 import { RenewLeaseDialog } from './RenewLeaseDialog'
 import { RevokeLeaseDialog } from './RevokeLeaseDialog'
+import { LeaseHistoryDialog } from './LeaseHistoryDialog'
 
 export const LeaseCard = ({
   secret,
@@ -54,13 +56,16 @@ export const LeaseCard = ({
 
   return (
     <div className="grid grid-cols-5 text-sm py-2" key={lease.id}>
-      <div className="col-span-2">
+      <div className="col-span-2 space-y-2">
         <div className="flex items-center gap-1">{leaseStatusBadge(lease.status)}</div>
-        <div className="font-medium text-sm text-zinc-900 dark:text-zinc-100">{lease.name}</div>
-        <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
+        <div>
+          {' '}
+          <div className="font-medium text-sm text-zinc-900 dark:text-zinc-100">{lease.name}</div>
+          <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
+        </div>
       </div>
 
-      <div className="space-y-1 col-span-2 text-xs">
+      <div className="space-y-0 col-span-2 text-xs">
         <div className="text-neutral-500 flex items-center gap-1">
           Created {relativeTimeFromDates(new Date(lease.createdAt))}
           {(lease.organisationMember || lease.serviceAccount) && (
@@ -79,16 +84,21 @@ export const LeaseCard = ({
             </div>
           )}
         </div>
-        {isRevoked ? (
-          <div className="text-red-400">
-            {`${lease.status == ApiDynamicSecretLeaseStatusChoices.Expired ? 'Expire' : 'Revoke'}${isRevoked ? 'd' : 's'}`}{' '}
-            {relativeTimeFromDates(new Date(lease.revokedAt))}
-          </div>
-        ) : (
-          <div className="text-neutral-500">
-            Expires {relativeTimeFromDates(new Date(lease.expiresAt))}
-          </div>
-        )}
+        <div className="flex justify-start">
+          <LeaseHistoryDialog lease={lease} />
+        </div>
+        <div className="flex justify-between items-center">
+          {isRevoked ? (
+            <div className="text-red-400">
+              {`${lease.status == ApiDynamicSecretLeaseStatusChoices.Expired ? 'Expire' : 'Revoke'}${isRevoked ? 'd' : 's'}`}{' '}
+              {relativeTimeFromDates(new Date(lease.revokedAt))}
+            </div>
+          ) : (
+            <div className="text-neutral-500">
+              Expires {relativeTimeFromDates(new Date(lease.expiresAt))}
+            </div>
+          )}
+        </div>
       </div>
       <div className={clsx('flex flex-col gap-2 items-end', isRevoked ? 'pt-9' : '')}>
         {!isRevoked && <RenewLeaseDialog secret={secret} lease={lease} />}
diff --git a/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx b/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
new file mode 100644
index 000000000..c92e75eb3
--- /dev/null
+++ b/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
@@ -0,0 +1,26 @@
+import { DynamicSecretLeaseEventType, DynamicSecretLeaseType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { LeaseEventTimeline } from './LeaseTimeLine'
+import { FaClockRotateLeft } from 'react-icons/fa6'
+import { BsThreeDotsVertical } from 'react-icons/bs'
+
+export const LeaseHistoryDialog = ({ lease }: { lease: DynamicSecretLeaseType }) => {
+  return (
+    <GenericDialog
+      title="Lease History"
+      buttonVariant="ghost"
+      buttonContent={
+        <div className="flex items-center gap-1 text-2xs">
+          <BsThreeDotsVertical /> History
+        </div>
+      }
+    >
+      <div className="space-y-4">
+        <div className="text-neutral-500 text-sm">
+          Chronologic history of events related to this lease
+        </div>
+        <LeaseEventTimeline lease={lease} className="max-h-[80vh] overflow-y-auto" />
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
new file mode 100644
index 000000000..e3556de84
--- /dev/null
+++ b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
@@ -0,0 +1,213 @@
+import {
+  DynamicSecretLeaseEventType,
+  DynamicSecretLeaseType,
+  OrganisationMemberType,
+  ServiceAccountType,
+} from '@/apollo/graphql'
+import { Avatar } from '@/components/common/Avatar'
+import { relativeTimeFromDates } from '@/utils/time'
+import clsx from 'clsx'
+import React from 'react'
+
+type Props = {
+  lease: DynamicSecretLeaseType
+  className?: string
+  maxHeight?: number | string // e.g., 480 or '32rem'
+}
+
+const toTitleCase = (s: string) => (s ? s.charAt(0).toUpperCase() + s.slice(1).toLowerCase() : s)
+
+const getEventTypeColor = (eventType?: string) => {
+  switch ((eventType || '').toUpperCase()) {
+    case 'CREATED':
+      return 'bg-blue-500'
+    case 'RENEWED':
+      return 'bg-emerald-500'
+    case 'REVOKED':
+      return 'bg-red-500'
+    default:
+      return 'bg-neutral-400'
+  }
+}
+
+const getDisplayEventText = (
+  eventType?: string,
+  metadata?: unknown,
+  normalize?: (m: unknown) => Record<string, unknown>
+) => {
+  const base = (eventType || '').toUpperCase()
+  const meta = normalize ? normalize(metadata) : {}
+  const source = String((meta as any)?.source || '').toLowerCase()
+
+  // If revoked by scheduler, show "Expired"
+  if (base === 'REVOKED' && source === 'scheduled') return 'Expired'
+
+  switch (base) {
+    case 'CREATED':
+      return 'Created'
+    case 'RENEWED':
+      return 'Renewed'
+    case 'REVOKED':
+      return 'Revoked'
+    default:
+      return toTitleCase(eventType || 'Event')
+  }
+}
+
+const EventActor = ({
+  member,
+  serviceAccount,
+}: {
+  member?: OrganisationMemberType | null
+  serviceAccount?: ServiceAccountType | null
+}) => {
+  if (member) {
+    return (
+      <div className="flex items-center gap-1 text-sm">
+        <Avatar member={member} size="sm" />
+        <span className="font-medium">
+          {member.self ? 'You' : member.fullName || member.email || 'Member'}
+        </span>
+      </div>
+    )
+  }
+  if (serviceAccount) {
+    return (
+      <div className="flex items-center gap-1 text-sm">
+        <Avatar serviceAccount={serviceAccount} size="sm" />
+        <span className="font-medium">{serviceAccount.name}</span>
+      </div>
+    )
+  }
+  return <span className="text-sm text-neutral-500">System</span>
+}
+
+const MetaRow = ({ k, v }: { k: string; v: unknown }) => {
+  const value =
+    typeof v === 'string'
+      ? v
+      : v == null
+        ? ''
+        : typeof v === 'object'
+          ? JSON.stringify(v)
+          : String(v)
+  return (
+    <div className="flex items-start gap-2 text-2xs text-neutral-600 dark:text-neutral-400">
+      <span className="uppercase tracking-wide text-neutral-500">{k}</span>
+      <span className="font-mono whitespace-pre-wrap break-words">{value}</span>
+    </div>
+  )
+}
+
+export const LeaseEventTimeline: React.FC<Props> = ({ lease, className }) => {
+  const events: DynamicSecretLeaseEventType[] =
+    (lease.events as DynamicSecretLeaseEventType[]) || []
+
+  const normalizeMetadata = (meta: unknown): Record<string, unknown> => {
+    if (!meta) return {}
+    if (typeof meta === 'string') {
+      try {
+        const parsed = JSON.parse(meta)
+        if (parsed && typeof parsed === 'object') return parsed as Record<string, unknown>
+        return { value: parsed }
+      } catch {
+        return { raw: meta }
+      }
+    }
+    if (typeof meta === 'object') {
+      return meta as Record<string, unknown>
+    }
+    return { value: meta }
+  }
+
+  // Derive active status and expiry
+  const now = new Date()
+  const revoked =
+    (lease as any).revokedAt || (lease.status && lease.status.toUpperCase() === 'REVOKED')
+  const expired =
+    (lease.status && lease.status.toUpperCase() === 'EXPIRED') ||
+    (lease.expiresAt ? new Date(lease.expiresAt) <= now : false)
+  const isActive = !revoked && !expired
+  const expiresAtDate = lease.expiresAt ? new Date(lease.expiresAt) : null
+
+  return (
+    <div className={clsx('w-full', className)}>
+      <div className="px-2">
+        <div className="space-y-4 pb-4 border-l border-zinc-300 dark:border-zinc-700">
+          {events?.length ? (
+            <>
+              {events.map((evt) => {
+                const ts = evt.createdAt ? new Date(evt.createdAt) : null
+                const chip = getEventTypeColor(evt.eventType as unknown as string)
+                return (
+                  <div
+                    key={evt.id || `${evt.eventType}-${evt.createdAt}`}
+                    className="pb-6 space-y-2"
+                  >
+                    <div className="flex flex-row items-center gap-2 -ml-1">
+                      <span className={clsx('h-2 w-2 rounded-full', chip)} />
+                      <div className="text-zinc-800 dark:text-zinc-200 font-semibold">
+                        {getDisplayEventText(
+                          evt.eventType as unknown as string,
+                          evt.metadata as unknown,
+                          normalizeMetadata
+                        )}
+                      </div>
+                      {ts && (
+                        <div className="text-neutral-500 text-sm" title={ts.toLocaleString()}>
+                          {relativeTimeFromDates(ts)}
+                        </div>
+                      )}
+                      <span className="text-neutral-500 text-sm">by</span>
+                      <div className="text-zinc-900 dark:text-zinc-100">
+                        <EventActor
+                          member={evt.organisationMember as any}
+                          serviceAccount={evt.serviceAccount as any}
+                        />
+                      </div>
+                    </div>
+
+                    {/* Metadata and request info */}
+                    <div className="pl-3 space-y-1 ">
+                      {(evt.ipAddress || evt.userAgent) && (
+                        <div className="space-y-1">
+                          {evt.ipAddress && <MetaRow k="IP" v={evt.ipAddress} />}
+                          {evt.userAgent && <MetaRow k="UA" v={evt.userAgent} />}
+                        </div>
+                      )}
+
+                      {(() => {
+                        const meta = normalizeMetadata(evt.metadata as unknown)
+                        return Object.entries(meta).map(([k, v]) => <MetaRow key={k} k={k} v={v} />)
+                      })()}
+                    </div>
+                  </div>
+                )
+              })}
+
+              {isActive && expiresAtDate && (
+                <>
+                  {/* Expires event */}
+                  <div className="pb-6 space-y-2">
+                    <div className="flex flex-row items-center gap-2 -ml-1">
+                      <span className="h-2 w-2 rounded-full bg-neutral-400" />
+                      <div className="text-zinc-500 font-semibold">Expires</div>
+                      <div
+                        className="text-neutral-500 text-sm"
+                        title={expiresAtDate.toLocaleString()}
+                      >
+                        {relativeTimeFromDates(expiresAtDate)}
+                      </div>
+                    </div>
+                  </div>
+                </>
+              )}
+            </>
+          ) : (
+            <div className="text-sm text-neutral-500 pl-3">No events yet.</div>
+          )}
+        </div>
+      </div>
+    </div>
+  )
+}

From 434147cff2e8cb44d39a60f3f58256856d699ad3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 10 Sep 2025 21:48:12 +0530
Subject: [PATCH 056/117] feat: misc ux improvements to renew lease dialog

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 37 ++++++++++++++-----
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 6a72070bb..254dd47d7 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -3,7 +3,7 @@ import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
 import { leaseTtlButtons } from '@/utils/dynamicSecrets'
 import { relativeTimeFromDates } from '@/utils/time'
-import { useContext, useState } from 'react'
+import { useContext, useRef, useState } from 'react'
 import { FiRefreshCw } from 'react-icons/fi'
 import { RenewDynamicSecretLeaseOP } from '@/graphql/mutations/environments/secrets/dynamic/renewLease.gql'
 import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
@@ -28,8 +28,17 @@ export const RenewLeaseDialog = ({
     secret.maxTtlSeconds ? parseInt(button.seconds) <= secret.maxTtlSeconds : button
   )
 
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const closeModal = () => dialogRef.current?.closeModal()
+
   const [renewLease, { loading: renewIsPending }] = useMutation(RenewDynamicSecretLeaseOP)
 
+  const reset = () => {
+    setTtl(secret.defaultTtlSeconds!.toString())
+    setRenewedLease(null)
+  }
+
   const handleRenewLease = async () => {
     if (parseInt(ttl) > secret.maxTtlSeconds!) {
       toast.error(`The maximum allowed TTL for this secret is ${secret.maxTtlSeconds}`)
@@ -59,6 +68,8 @@ export const RenewLeaseDialog = ({
 
   return (
     <GenericDialog
+      ref={dialogRef}
+      onClose={reset}
       title="Renew lease"
       buttonVariant="secondary"
       buttonContent={
@@ -115,15 +126,21 @@ export const RenewLeaseDialog = ({
         )}
 
         <div className="flex items-center justify-end">
-          <Button
-            variant="primary"
-            icon={FiRefreshCw}
-            onClick={handleRenewLease}
-            isLoading={renewIsPending}
-          >
-            {' '}
-            Renew Lease
-          </Button>
+          {renewedLease ? (
+            <Button variant="secondary" onClick={closeModal}>
+              Close
+            </Button>
+          ) : (
+            <Button
+              variant="primary"
+              icon={FiRefreshCw}
+              onClick={handleRenewLease}
+              isLoading={renewIsPending}
+            >
+              {' '}
+              Renew Lease
+            </Button>
+          )}
         </div>
       </div>
     </GenericDialog>

From 2c829d09a007e4bca7058ebbe407664333249c01 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 11 Sep 2025 01:39:12 +0530
Subject: [PATCH 057/117] fix: clean up manage lease dialog header

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/ManageLeasesDialog.tsx           | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
index 82b9534bb..7bd7d74dd 100644
--- a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
@@ -59,15 +59,9 @@ export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) =>
       onOpen={handleOpen}
       onClose={handleClose}
     >
-      <div className="space-y-6">
-        <div className="text-neutral-500 ">
-          Manage leases and configuration for this dynamic secret
-        </div>
-        <div className="flex items-center justify-between border-b border-neutral-500/40">
-          <div>
-            <div className="text-base font-semibold text-zinc-900 dark:text-zinc-100">Leases</div>
-            <div className="text-neutral-500 text-sm">Manage leases for this dynamic secret</div>
-          </div>
+      <div className="space-y-2">
+        <div className="text-neutral-500 text-sm">Manage leases for this dynamic secret</div>
+        <div className="flex items-center justify-end border-b border-neutral-500/40 pb-1">
           <Button variant="ghost" onClick={handleRefetch} icon={FiRefreshCw} isLoading={loading}>
             Refresh
           </Button>

From d84efb09773d82044210091c30a91e054dbe293b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 11 Sep 2025 01:39:19 +0530
Subject: [PATCH 058/117] fix: typo

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx b/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
index c92e75eb3..a7cbc22ce 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
@@ -17,7 +17,7 @@ export const LeaseHistoryDialog = ({ lease }: { lease: DynamicSecretLeaseType })
     >
       <div className="space-y-4">
         <div className="text-neutral-500 text-sm">
-          Chronologic history of events related to this lease
+          Chronological history of events related to this lease
         </div>
         <LeaseEventTimeline lease={lease} className="max-h-[80vh] overflow-y-auto" />
       </div>

From 5f3956527fdd848a29c54f9f0256c9293cfdc7f5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 11 Sep 2025 02:00:05 +0530
Subject: [PATCH 059/117] feat: replace 'system' placeholder with phase logo
 wordmark for server actions

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
index e3556de84..135c0c49d 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
@@ -5,6 +5,7 @@ import {
   ServiceAccountType,
 } from '@/apollo/graphql'
 import { Avatar } from '@/components/common/Avatar'
+import { LogoWordMark } from '@/components/common/LogoWordMark'
 import { relativeTimeFromDates } from '@/utils/time'
 import clsx from 'clsx'
 import React from 'react'
@@ -79,7 +80,11 @@ const EventActor = ({
       </div>
     )
   }
-  return <span className="text-sm text-neutral-500">System</span>
+  return (
+    <div className="text-sm text-neutral-500">
+      <LogoWordMark className="h-6 fill-zinc-900 dark:fill-zinc-100" />
+    </div>
+  )
 }
 
 const MetaRow = ({ k, v }: { k: string; v: unknown }) => {

From 135dd101f1b01887fc49c8ce13d570509c1d902f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 11 Sep 2025 14:07:29 +0530
Subject: [PATCH 060/117] feat: add empty state on integrations screen

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/dynamic-secrets/page.tsx     | 85 +++++++++++++------
 1 file changed, 60 insertions(+), 25 deletions(-)

diff --git a/frontend/app/[team]/integrations/dynamic-secrets/page.tsx b/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
index ba4c5ba2f..cc4cfa793 100644
--- a/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
+++ b/frontend/app/[team]/integrations/dynamic-secrets/page.tsx
@@ -4,16 +4,19 @@ import { EmptyState } from '@/components/common/EmptyState'
 import { organisationContext } from '@/contexts/organisationContext'
 import { userHasPermission } from '@/utils/access/permissions'
 import { useContext } from 'react'
-import { FaBan } from 'react-icons/fa6'
+import { FaBan, FaBolt } from 'react-icons/fa6'
 import { GetDynamicSecrets } from '@/graphql/queries/secrets/dynamic/getDynamicSecrets.gql'
+import { GetApps } from '@/graphql/queries/getApps.gql'
 import { useQuery } from '@apollo/client'
-import { DynamicSecretType } from '@/apollo/graphql'
+import { AppType, DynamicSecretType } from '@/apollo/graphql'
 import { DynamicSecret } from '../../../../ee/components/secrets/dynamic/DynamicSecret'
+import { AppsView } from '@/components/apps/AppsView'
 
 export default function DynamicSecrets({ params }: { params: { team: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   // permissions
+  const userCanViewApps = userHasPermission(organisation?.role?.permissions, 'Apps', 'read')
   const userCanReadDynamicSecrets = organisation
     ? userHasPermission(organisation.role?.permissions, 'Secrets', 'read', true)
     : false
@@ -23,6 +26,16 @@ export default function DynamicSecrets({ params }: { params: { team: string } })
     skip: !organisation || !userCanReadDynamicSecrets,
   })
 
+  const { data: appsData, loading } = useQuery(GetApps, {
+    variables: {
+      organisationId: organisation?.id,
+    },
+    skip: !organisation || !userCanViewApps,
+    fetchPolicy: 'cache-and-network',
+  })
+
+  const apps = (appsData?.apps as AppType[]) ?? []
+
   // Group secrets by appId, then environmentId
   const groupedSecrets: Record<
     string,
@@ -71,31 +84,53 @@ export default function DynamicSecrets({ params }: { params: { team: string } })
           </div>
 
           {/* Grouped display */}
-          <div className="space-y-8 divide-y divide-neutral-400/20">
-            {Object.entries(groupedSecrets).map(([appId, appGroup]) => (
-              <div key={appId} className="space-y-1 py-4">
-                <div className="font-semibold text-lg">{appGroup.appName}</div>
-                <div className="flex flex-row gap-8 flex-1">
-                  {Object.entries(appGroup.environments)
-                    .sort(
-                      ([, aEnv], [, bEnv]) =>
-                        (aEnv.secrets[0]?.environment.index ?? 0) -
-                        (bEnv.secrets[0]?.environment.index ?? 0)
-                    )
-                    .map(([envId, envGroup]) => (
-                      <div key={envId} className="flex flex-col gap-2 min-w-[160px]">
-                        <div className="font-medium text-base text-neutral-700 dark:text-neutral-300 mb-2">
-                          {envGroup.envName}
+          {Object.entries(groupedSecrets).length > 0 ? (
+            <div className="space-y-8 divide-y divide-neutral-400/20">
+              {Object.entries(groupedSecrets).map(([appId, appGroup]) => (
+                <div key={appId} className="space-y-1 py-4">
+                  <div className="font-semibold text-lg">{appGroup.appName}</div>
+                  <div className="flex flex-row gap-8 flex-1">
+                    {Object.entries(appGroup.environments)
+                      .sort(
+                        ([, aEnv], [, bEnv]) =>
+                          (aEnv.secrets[0]?.environment.index ?? 0) -
+                          (bEnv.secrets[0]?.environment.index ?? 0)
+                      )
+                      .map(([envId, envGroup]) => (
+                        <div key={envId} className="flex flex-col gap-2 min-w-[160px]">
+                          <div className="font-medium text-base text-neutral-700 dark:text-neutral-300 mb-2">
+                            {envGroup.envName}
+                          </div>
+                          {envGroup.secrets.map((secret) => (
+                            <DynamicSecret key={secret.id} secret={secret} />
+                          ))}
                         </div>
-                        {envGroup.secrets.map((secret) => (
-                          <DynamicSecret key={secret.id} secret={secret} />
-                        ))}
-                      </div>
-                    ))}
+                      ))}
+                  </div>
                 </div>
-              </div>
-            ))}
-          </div>
+              ))}
+            </div>
+          ) : (
+            <div className="space-y-4">
+              <EmptyState
+                title="No Dynamic Secrets"
+                subtitle="There are no dynamic secrets in this organisation. Choose an App and Environment to create one."
+                graphic={
+                  <div className="text-neutral-300 dark:text-neutral-700 text-7xl">
+                    <FaBolt />
+                  </div>
+                }
+              >
+                <></>
+              </EmptyState>
+
+              {apps && (
+                <div>
+                  <AppsView apps={apps} loading={loading} />
+                </div>
+              )}
+            </div>
+          )}
         </div>
       ) : (
         <EmptyState

From cbbed785eeb07301999290a102c54b129de73ae9 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 11 Sep 2025 14:37:20 +0530
Subject: [PATCH 061/117] fix: misc bugfixes

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/aws/graphene/mutations.py    | 16 ++++++++++------
 .../integrations/secrets/dynamic/rest/views.py   |  6 ++++--
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
index 78e61bfe4..d127ba120 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -191,12 +191,16 @@ def mutate(
                 raise GraphQLError("Invalid authentication credentials")
 
         # --- ensure name is unique in this environment and path ---
-        if DynamicSecret.objects.filter(
-            environment=dynamic_secret.environment,
-            path=path,
-            name=name,
-            deleted_at=None,
-        ).exists():
+        if (
+            DynamicSecret.objects.filter(
+                environment=dynamic_secret.environment,
+                path=path,
+                name=name,
+                deleted_at=None,
+            )
+            .exclude(id=dynamic_secret_id)
+            .exists()
+        ):
             raise GraphQLError(
                 f"A dynamic secret with name '{name}' already exists at this path."
             )
diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index 7cffaf082..a55feb4c8 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -248,6 +248,7 @@ def put(self, request, *args, **kwargs):
         lease = self._get_lease_or_404(lease_id)
         self._assert_can_act_on_lease(request, lease, action="update")
 
+        org_member = service_account = None
         if request.auth["auth_type"] == "User":
             org_member = request.auth["org_member"].user
         elif request.auth["auth_type"] == "ServiceAccount":
@@ -258,8 +259,8 @@ def put(self, request, *args, **kwargs):
                 lease,
                 ttl,
                 request=request,
-                organisation_member=org_member,
-                service_account=service_account,
+                organisation_member=org_member or None,
+                service_account=service_account or None,
             )
         except Exception as e:
             logger.exception(
@@ -280,6 +281,7 @@ def delete(self, request, *args, **kwargs):
         lease = self._get_lease_or_404(lease_id)
         self._assert_can_act_on_lease(request, lease, action="delete")
 
+        org_member = service_account = None
         if request.auth["auth_type"] == "User":
             org_member = request.auth["org_member"].user
         elif request.auth["auth_type"] == "ServiceAccount":

From 56b1b3c9e47c5d1997fd0d9f733acdc7d8939691 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 12 Sep 2025 10:49:01 +0530
Subject: [PATCH 062/117] chore: cleanup urls

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/urls.py | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index 983386987..26f2c9087 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -13,8 +13,6 @@
     root_endpoint,
 )
 from api.views.kms import kms
-from ee.integrations.secrets.dynamic.rest.views import DynamicSecretsView
-
 
 CLOUD_HOSTED = settings.APP_HOST == "cloud"
 
@@ -33,10 +31,6 @@
     path("secrets/tokens/", secrets_tokens),
     path("oauth/github/callback", github_integration_callback),
     path("lockbox/<box_id>", LockboxView.as_view()),
-    # path(
-    #     "public/v1/secrets/dynamic/",
-    #     PublicDynamicSecretsView.as_view(),
-    # ),
     path(
         "public/v1/secrets/dynamic/",
         include("ee.integrations.secrets.dynamic.rest.urls"),

From faa46904199ad76b8ed238c4bb8cab36c9f109bf Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 12 Sep 2025 10:49:21 +0530
Subject: [PATCH 063/117] chore: update key map field default

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../0109_alter_dynamicsecret_key_map.py        | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 backend/api/migrations/0109_alter_dynamicsecret_key_map.py

diff --git a/backend/api/migrations/0109_alter_dynamicsecret_key_map.py b/backend/api/migrations/0109_alter_dynamicsecret_key_map.py
new file mode 100644
index 000000000..4b5c92372
--- /dev/null
+++ b/backend/api/migrations/0109_alter_dynamicsecret_key_map.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.22 on 2025-09-12 05:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0108_dynamicsecretlease_cleanup_job_id_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='dynamicsecret',
+            name='key_map',
+            field=models.JSONField(default=list, help_text="Provider-agnostic mapping of keys: [{'id': '<key_id>', 'key_name': '<encrypted_key_name>', 'key_digest': '<key_digest>'}, ...]"),
+        ),
+    ]

From 8cf1e6164ffc0235df9ea2bb85056b73374529da Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 12 Sep 2025 18:52:45 +0530
Subject: [PATCH 064/117] feat: extend PhaseTokenAuthentication to infer env
 from secret_id

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/auth.py | 77 ++++++++++++++++++++++++++++++---------------
 1 file changed, 51 insertions(+), 26 deletions(-)

diff --git a/backend/api/auth.py b/backend/api/auth.py
index 7439c356e..defd7f8f5 100644
--- a/backend/api/auth.py
+++ b/backend/api/auth.py
@@ -6,7 +6,7 @@
     get_token_type,
     token_is_expired_or_deleted,
 )
-from api.models import Environment
+from api.models import DynamicSecret, Environment, Secret
 from api.utils.access.permissions import (
     service_account_can_access_environment,
     user_can_access_environment,
@@ -44,34 +44,59 @@ def authenticate(self, request):
         if token_is_expired_or_deleted(auth_token):
             raise exceptions.AuthenticationFailed("Token expired or deleted")
 
-        env_id = request.headers.get("environment")
+        env = None
 
-        # Try resolving env from header
-        if env_id:
+        # Try resolving secret_id from header OR query params (supports Secret or DynamicSecret)
+        secret_id = request.headers.get("secret_id") or request.GET.get("secret_id")
+        if secret_id:
+            found = False
             try:
-                env = Environment.objects.get(id=env_id)
-            except Environment.DoesNotExist:
-                raise exceptions.AuthenticationFailed("Environment not found")
+                secret = Secret.objects.get(id=secret_id)
+                env = secret.environment
+                found = True
+            except Secret.DoesNotExist:
+                pass
+            if not found:
+                try:
+                    dyn_secret = DynamicSecret.objects.get(id=secret_id)
+                    env = dyn_secret.environment
+                    found = True
+                except DynamicSecret.DoesNotExist:
+                    pass
+            if not found:
+                raise exceptions.AuthenticationFailed("Secret not found")
+
+        # If env is still None, try resolving from header or query params
+        if env is None:
+            env_id = request.headers.get("environment")
+            # Try resolving env from header
+            if env_id:
+                try:
+                    env = Environment.objects.get(id=env_id)
+                except Environment.DoesNotExist:
+                    raise exceptions.AuthenticationFailed("Environment not found")
 
-        # Try resolving env from query params
-        else:
-            try:
-                app_id = request.GET.get("app_id")
-                env_name = request.GET.get("env")
-                if not app_id:
-                    raise exceptions.AuthenticationFailed("Missing app_id parameter")
-                if not env_name:
-                    raise exceptions.AuthenticationFailed("Missing env parameter")
-                env = Environment.objects.get(app_id=app_id, name__iexact=env_name)
-            except Environment.DoesNotExist:
-                # Check if the app exists to give a more specific error
-                App = apps.get_model("api", "App")
-                if not App.objects.filter(id=app_id).exists():
-                    raise exceptions.NotFound(f"App with ID {app_id} not found")
-                else:
-                    raise exceptions.NotFound(
-                        f"Environment '{env_name}' not found in App {app_id}"
-                    )
+            # Try resolving env from query params
+            else:
+                try:
+                    app_id = request.GET.get("app_id")
+                    env_name = request.GET.get("env")
+                    if not app_id:
+                        raise exceptions.AuthenticationFailed(
+                            "Missing app_id parameter"
+                        )
+                    if not env_name:
+                        raise exceptions.AuthenticationFailed("Missing env parameter")
+                    env = Environment.objects.get(app_id=app_id, name__iexact=env_name)
+                except Environment.DoesNotExist:
+                    # Check if the app exists to give a more specific error
+                    App = apps.get_model("api", "App")
+                    if not App.objects.filter(id=app_id).exists():
+                        raise exceptions.NotFound(f"App with ID {app_id} not found")
+                    else:
+                        raise exceptions.NotFound(
+                            f"Environment '{env_name}' not found in App {app_id}"
+                        )
 
         auth["environment"] = env
 

From 1606c061bc74b5739acdf064f9a23982c77f2507 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 12 Sep 2025 18:53:18 +0530
Subject: [PATCH 065/117] feat: add lease owner to serializer

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/serializers.py                    | 55 +++++++++++++++++++
 .../secrets/dynamic/serializers.py            | 34 ++++++++++++
 2 files changed, 89 insertions(+)

diff --git a/backend/api/serializers.py b/backend/api/serializers.py
index 7c8fd5d90..311376392 100644
--- a/backend/api/serializers.py
+++ b/backend/api/serializers.py
@@ -13,7 +13,9 @@
     EnvironmentKey,
     Lockbox,
     Organisation,
+    OrganisationMember,
     Secret,
+    ServiceAccount,
     ServiceToken,
     UserToken,
     PersonalSecret,
@@ -56,6 +58,59 @@ def create(self, validated_data):
             return Organisation(**validated_data)
 
 
+class OrganisationMemberSerializer(serializers.ModelSerializer):
+
+    username = serializers.CharField(source="user.username", read_only=True)
+    full_name = serializers.SerializerMethodField()
+    email = serializers.EmailField(source="user.email", read_only=True)
+    role = serializers.SerializerMethodField()
+
+    class Meta:
+        model = OrganisationMember
+        fields = [
+            "id",
+            "username",
+            "full_name",
+            "email",
+            "role",
+        ]
+        read_only_fields = fields
+
+    def get_full_name(self, obj):
+        social_acc = obj.user.socialaccount_set.first()
+        if social_acc:
+            return social_acc.extra_data.get("name")
+        return None
+
+    def get_role(self, obj):
+        r = getattr(obj, "role", None)
+        if not r:
+            return None
+        return {"id": r.id, "name": r.name}
+
+
+class ServiceAccountSerializer(serializers.ModelSerializer):
+
+    role = serializers.SerializerMethodField()
+
+    class Meta:
+        model = ServiceAccount
+        fields = [
+            "id",
+            "name",
+            "role",
+        ]
+        read_only_fields = fields
+
+    def get_role(self, obj):
+        if not obj.role:
+            return None
+        return {
+            "id": obj.role.id,
+            "name": obj.role.name,
+        }
+
+
 class PersonalSecretSerializer(serializers.ModelSerializer):
     value = serializers.SerializerMethodField()
 
diff --git a/backend/ee/integrations/secrets/dynamic/serializers.py b/backend/ee/integrations/secrets/dynamic/serializers.py
index df7cf2fe3..d4947800d 100644
--- a/backend/ee/integrations/secrets/dynamic/serializers.py
+++ b/backend/ee/integrations/secrets/dynamic/serializers.py
@@ -1,11 +1,16 @@
 from api.models import DynamicSecretLease, DynamicSecret
 from api.utils.crypto import decrypt_asymmetric
 from api.utils.secrets import get_environment_keys
+from api.serializers import (
+    OrganisationMemberSerializer,
+    ServiceAccountSerializer,
+)
 from rest_framework import serializers
 
 
 class DynamicSecretLeaseSerializer(serializers.ModelSerializer):
     credentials = serializers.SerializerMethodField()
+    owner = serializers.SerializerMethodField()
 
     class Meta:
         model = DynamicSecretLease
@@ -16,6 +21,7 @@ class Meta:
             "secret",
             "ttl",
             "status",
+            "owner",
             "credentials",
             "created_at",
             "renewed_at",
@@ -53,6 +59,34 @@ def get_credentials(self, obj):
                     result.append({"key": key_name, "value": value})
         return result
 
+    def get_owner(self, obj):
+        """
+        Return the lease owner serialized as either an OrganisationMember or ServiceAccount.
+        Shape:
+        {
+          "type": "organisation_member" | "service_account",
+          "data": <serialized owner object>
+        }
+        """
+        # Prefer explicit organisation member if present
+        org_member = getattr(obj, "organisation_member", None)
+        if org_member:
+            return {
+                "type": "organisation_member",
+                "data": OrganisationMemberSerializer(
+                    org_member, context=self.context
+                ).data,
+            }
+        service_account = getattr(obj, "service_account", None)
+        if service_account:
+            return {
+                "type": "service_account",
+                "data": ServiceAccountSerializer(
+                    service_account, context=self.context
+                ).data,
+            }
+        return None
+
 
 class DynamicSecretSerializer(serializers.ModelSerializer):
     lease = serializers.SerializerMethodField()

From 718856954547bafe1de0361db422980220aae805 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 12 Sep 2025 18:53:54 +0530
Subject: [PATCH 066/117] fix: add support for fetching dynamic secrets via
 public api without lease

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/rest/views.py             | 62 ++++++++++++-------
 1 file changed, 41 insertions(+), 21 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index a55feb4c8..b403f57ea 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -12,6 +12,7 @@
 )
 from ee.integrations.secrets.dynamic.serializers import (
     DynamicSecretLeaseSerializer,
+    DynamicSecretSerializer,
 )
 from api.utils.rest import (
     METHOD_TO_ACTION,
@@ -112,33 +113,52 @@ def get(self, request, *args, **kwargs):
 
         dynamic_secrets = DynamicSecret.objects.filter(**dynamic_secrets_filter)
 
+        # If lease header is present, generate a lease per secret
+        include_lease = (
+            "lease" in request.GET
+            and request.GET.get("lease", "false").lower() != "false"
+        )
+
         # 2. Create leases for each secret
         if request.auth["service_account_token"] is not None:
             service_account = request.auth["service_account_token"].service_account
-        dynamic_leases = [
-            create_dynamic_secret_lease(
-                secret,
-                organisation_member=request.auth["org_member"],
-                service_account=service_account,
-                request=request,
-            )[0]
-            for secret in dynamic_secrets
-        ]
-
-        if len(dynamic_leases) > 0:
-            from ee.integrations.secrets.dynamic.serializers import (
-                DynamicSecretLeaseSerializer,
-            )
-
-            dynamic_serializer = DynamicSecretLeaseSerializer(
-                dynamic_leases, many=True, context={"sse": True}
-            )
+        if include_lease:
+            leases_by_secret_id = {}
+            for ds in dynamic_secrets:
+                try:
+                    lease, _ = create_dynamic_secret_lease(
+                        ds,
+                        organisation_member=request.auth.get("org_member"),
+                        service_account=service_account,
+                        request=request,
+                    )
+                    leases_by_secret_id[ds.id] = str(lease.id)
+                except Exception as e:
+                    logger.error(
+                        f"Failed to create lease for dynamic secret {ds.id}: {e}"
+                    )
+
+            # Serialize each secret with its lease_id in context
+            dynamic_secrets_data = [
+                DynamicSecretSerializer(
+                    ds,
+                    context={
+                        "sse": True,
+                        "with_credentials": True,
+                        "lease_id": leases_by_secret_id.get(ds.id),
+                    },
+                ).data
+                for ds in dynamic_secrets
+            ]
+        else:
+            # Serialize without lease
+            dynamic_secrets_data = DynamicSecretSerializer(
+                dynamic_secrets, many=True, context={"sse": True}
+            ).data
 
         return Response(
             {
-                "dynamicSecrets": (
-                    dynamic_serializer.data if len(dynamic_leases) > 0 else []
-                ),
+                "dynamicSecrets": dynamic_secrets_data,
             },
             status=status.HTTP_200_OK,
         )

From eb815480de774fc1437020adf5eb8cc6c32d7b68 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 12 Sep 2025 18:54:17 +0530
Subject: [PATCH 067/117] fix: align value placeholders with key

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
index b925c1901..19ed9f45b 100644
--- a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
@@ -34,7 +34,7 @@ export const DynamicSecretRow = ({
         </div>
       </div>
       <div className="w-2/3 px-6 relative group">
-        <div className="absolute flex flex-col gap-2 pointer-events-none group-hover:opacity-0 transition ease pl-4">
+        <div className="absolute flex flex-col gap-2 pointer-events-none group-hover:opacity-0 transition ease pl-4 pt-5">
           {keyMap.map((k) => (
             <MaskedTextarea
               className={clsx(KEY_BASE_STYLE)}

From 2b9d6034b950d581bbc002b3bbc5e25687cb41c7 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 14:41:31 +0530
Subject: [PATCH 068/117] fix: make exclude clause conditional for safety

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/secrets.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/backend/api/utils/secrets.py b/backend/api/utils/secrets.py
index 0516f59b2..0ca1556e0 100644
--- a/backend/api/utils/secrets.py
+++ b/backend/api/utils/secrets.py
@@ -192,12 +192,15 @@ def check_for_duplicates_blind(secrets, environment):
             path = normalize_path_string(secret.get("path", "/"))
         except:
             path = "/"
-        dynamic_secrets = DynamicSecret.objects.filter(
+        dynamic_secrets_qs = DynamicSecret.objects.filter(
             environment=environment,
             path=path,
             deleted_at=None,
-        ).exclude(id=secret["dynamic_secret_id"])
-        for dyn_secret in dynamic_secrets:
+        )
+        exclude_id = secret.get("dynamic_secret_id")
+        if exclude_id:
+            dynamic_secrets_qs = dynamic_secrets_qs.exclude(id=exclude_id)
+        for dyn_secret in dynamic_secrets_qs:
             key_map = dyn_secret.key_map or []
             for entry in key_map:
                 key_digest = entry.get("key_digest")

From d3e5c05090ffd3ccb671347b17fc342755009e80 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 15:04:43 +0530
Subject: [PATCH 069/117] fix: clean up account assignment in dynamic secrets
 view

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/rest/views.py  | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index b403f57ea..a0911ee57 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -120,15 +120,20 @@ def get(self, request, *args, **kwargs):
         )
 
         # 2. Create leases for each secret
-        if request.auth["service_account_token"] is not None:
-            service_account = request.auth["service_account_token"].service_account
+        service_account = org_member = None
+
+        if request.auth["auth_type"] == "User":
+            org_member = request.auth["org_member"]
+        elif request.auth["auth_type"] == "ServiceAccount":
+            service_account = request.auth["service_account"]
+
         if include_lease:
             leases_by_secret_id = {}
             for ds in dynamic_secrets:
                 try:
                     lease, _ = create_dynamic_secret_lease(
                         ds,
-                        organisation_member=request.auth.get("org_member"),
+                        organisation_member=org_member,
                         service_account=service_account,
                         request=request,
                     )
@@ -270,7 +275,7 @@ def put(self, request, *args, **kwargs):
 
         org_member = service_account = None
         if request.auth["auth_type"] == "User":
-            org_member = request.auth["org_member"].user
+            org_member = request.auth["org_member"]
         elif request.auth["auth_type"] == "ServiceAccount":
             service_account = request.auth["service_account"]
 
@@ -279,8 +284,8 @@ def put(self, request, *args, **kwargs):
                 lease,
                 ttl,
                 request=request,
-                organisation_member=org_member or None,
-                service_account=service_account or None,
+                organisation_member=org_member,
+                service_account=service_account,
             )
         except Exception as e:
             logger.exception(

From 6afd3b7543b90be0b5936c727fa02a86d3e18a53 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 15:08:42 +0530
Subject: [PATCH 070/117] feat: update leases fetch policy to cache-and-network

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../ee/components/secrets/dynamic/ManageLeasesDialog.tsx     | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
index 7bd7d74dd..00e58bcc6 100644
--- a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
@@ -31,7 +31,10 @@ export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) =>
   // Fetch leases when dialog is opened
   useEffect(() => {
     if (isOpen && organisation) {
-      fetchLeases({ variables: { secretId: secret.id, orgId: organisation?.id } })
+      fetchLeases({
+        variables: { secretId: secret.id, orgId: organisation?.id },
+        fetchPolicy: 'cache-and-network',
+      })
     }
   }, [isOpen, organisation, fetchLeases, secret.id])
 

From c2a2a0572d7583eae6d7ad2abfe9ded25036b38e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 18:32:08 +0530
Subject: [PATCH 071/117] fix: combine static and dynamic secrets into single
 response list

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/serializers.py                         |  4 ++++
 backend/api/views/secrets.py                       | 14 ++++++--------
 .../ee/integrations/secrets/dynamic/serializers.py |  5 +++++
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/backend/api/serializers.py b/backend/api/serializers.py
index 311376392..2bc1aae87 100644
--- a/backend/api/serializers.py
+++ b/backend/api/serializers.py
@@ -133,6 +133,7 @@ class SecretSerializer(serializers.ModelSerializer):
     comment = serializers.SerializerMethodField()
     tags = serializers.SerializerMethodField()
     override = serializers.SerializerMethodField()
+    type = serializers.SerializerMethodField()
 
     class Meta:
         model = Secret
@@ -182,6 +183,9 @@ def get_override(self, obj):
                 return None
         return None
 
+    def get_type(self, obj):
+        return "static"
+
 
 class EnvironmentSerializer(serializers.ModelSerializer):
     class Meta:
diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index 5b77a1d09..a5d86f2e5 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -216,11 +216,10 @@ def get(self, request, *args, **kwargs):
                     dynamic_secrets_qs, many=True, context={"sse": False}
                 ).data
 
-        response_data = {
-            "secrets": serializer.data,
-        }
+        response_data = serializer.data
+
         if include_dynamic_secrets:
-            response_data["dynamicSecrets"] = dynamic_secrets_data
+            response_data.concat(dynamic_secrets_data)
 
         return Response(
             response_data,
@@ -610,11 +609,10 @@ def get(self, request, *args, **kwargs):
                     dynamic_secrets_qs, many=True, context={"sse": True}
                 ).data
 
-        response_data = {
-            "secrets": serializer.data,
-        }
+        response_data = serializer.data
+
         if include_dynamic_secrets:
-            response_data["dynamicSecrets"] = dynamic_secrets_data
+            response_data.append(dynamic_secrets_data)
 
         return Response(
             response_data,
diff --git a/backend/ee/integrations/secrets/dynamic/serializers.py b/backend/ee/integrations/secrets/dynamic/serializers.py
index d4947800d..e1a62ca4f 100644
--- a/backend/ee/integrations/secrets/dynamic/serializers.py
+++ b/backend/ee/integrations/secrets/dynamic/serializers.py
@@ -91,12 +91,14 @@ def get_owner(self, obj):
 class DynamicSecretSerializer(serializers.ModelSerializer):
     lease = serializers.SerializerMethodField()
     key_map = serializers.SerializerMethodField()
+    type = serializers.SerializerMethodField()
 
     class Meta:
         model = DynamicSecret
         fields = [
             "id",
             "name",
+            "type",
             "description",
             "environment",
             "folder",
@@ -144,3 +146,6 @@ def get_lease(self, obj):
         except (obj.leases.model.DoesNotExist, AttributeError):
             return None
         return DynamicSecretLeaseSerializer(lease, context=self.context).data
+
+    def get_type(self, obj):
+        return "dynamic"

From 9b37464d8fbf93248ab2ec26dee79c172238cbaa Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 18:35:02 +0530
Subject: [PATCH 072/117] fix: update return type for public api

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index a0911ee57..71d079a32 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -162,9 +162,7 @@ def get(self, request, *args, **kwargs):
             ).data
 
         return Response(
-            {
-                "dynamicSecrets": dynamic_secrets_data,
-            },
+            dynamic_secrets_data,
             status=status.HTTP_200_OK,
         )
 

From fc2379831a7a0a8e77fff4629a34276fed7813ef Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 19:26:35 +0530
Subject: [PATCH 073/117] fix: correctly fetch request meta, mark lease as
 revoked if user not found

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/aws/utils.py | 31 +++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index c1b50c0ee..5648640bc 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -463,6 +463,17 @@ def revoke_aws_dynamic_secret_lease(
         "removed_groups": [],
     }
 
+    # Add request metadata if available
+    ip_address = user_agent = None
+    if request is not None:
+        try:
+            ip_address, user_agent = get_resolver_request_meta(request)
+
+            logger.info(f"Created revoke event for lease {lease.id}")
+        except Exception:
+            logger.error("Failed to read request meta for lease event", exc_info=True)
+            pass
+
     try:
         # Decrypt username
         env_pubkey, env_privkey = get_environment_keys(lease.secret.environment.id)
@@ -515,19 +526,6 @@ def revoke_aws_dynamic_secret_lease(
         lease.revoked_at = timezone.now()
         lease.save()
 
-        # Add request metadata if available
-        ip_address = user_agent = None
-        if request is not None:
-            try:
-                ip_address, user_agent = get_resolver_request_meta(request)
-
-                logger.info(f"Created revoke event for lease {lease.id}")
-            except Exception:
-                logger.error(
-                    "Failed to read request meta for lease event", exc_info=True
-                )
-                pass
-
         DynamicSecretLeaseEvent.objects.create(
             lease=lease,
             event_type=DynamicSecretLease.REVOKED,
@@ -546,6 +544,13 @@ def revoke_aws_dynamic_secret_lease(
         )
         # Emit event to reflect attempted revoke on missing user
         meta["outcome"] = "user_absent"
+        if manual:
+            lease.status = DynamicSecretLease.REVOKED
+        else:
+            lease.status = DynamicSecretLease.EXPIRED
+        lease.credentials = {}
+        lease.revoked_at = timezone.now()
+        lease.save()
         try:
             DynamicSecretLeaseEvent.objects.create(
                 lease=lease,

From 88992147fa717a59afe7573b59a58f2f942aff3e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 19:31:13 +0530
Subject: [PATCH 074/117] fix: enforce minimum ttl

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../ee/components/secrets/dynamic/CreateLeaseDialog.tsx  | 9 ++++++++-
 .../ee/components/secrets/dynamic/RenewLeaseDialog.tsx   | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
index 694e1e60e..2811285c8 100644
--- a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
@@ -7,7 +7,7 @@ import { Input } from '@/components/common/Input'
 import { organisationContext } from '@/contexts/organisationContext'
 import { CreateDynamicSecretLease } from '@/graphql/mutations/environments/secrets/dynamic/createLease.gql'
 import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
-import { leaseTtlButtons } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { relativeTimeFromDates } from '@/utils/time'
 import { useMutation } from '@apollo/client'
 import { useContext, useState } from 'react'
@@ -37,6 +37,12 @@ export const CreateLeaseDialog = ({ secret }: { secret: DynamicSecretType }) =>
       toast.error(`The maximum allowed TTL for this secret is ${secret.maxTtlSeconds}`)
       return
     }
+
+    if (parseInt(ttl) <= MINIMUM_LEASE_TTL) {
+      toast.error(`TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
+      return
+    }
+
     try {
       const result = await createLease({
         variables: { secretId: secret.id, ttl: parseInt(ttl), name },
@@ -117,6 +123,7 @@ export const CreateLeaseDialog = ({ secret }: { secret: DynamicSecretType }) =>
                 setValue={setTtl}
                 type="number"
                 label="TTL (seconds)"
+                min={MINIMUM_LEASE_TTL}
                 max={secret.maxTtlSeconds!}
                 required
               />
diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 254dd47d7..07aa07f5a 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -1,7 +1,7 @@
 import { DynamicSecretLeaseType, DynamicSecretType } from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
-import { leaseTtlButtons } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { relativeTimeFromDates } from '@/utils/time'
 import { useContext, useRef, useState } from 'react'
 import { FiRefreshCw } from 'react-icons/fi'
@@ -44,6 +44,12 @@ export const RenewLeaseDialog = ({
       toast.error(`The maximum allowed TTL for this secret is ${secret.maxTtlSeconds}`)
       return
     }
+
+    if (parseInt(ttl) <= MINIMUM_LEASE_TTL) {
+      toast.error(`TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
+      return
+    }
+
     try {
       const result = await renewLease({
         variables: { leaseId: lease.id, ttl: parseInt(ttl) },
@@ -106,6 +112,7 @@ export const RenewLeaseDialog = ({
                 setValue={setTtl}
                 type="number"
                 label="TTL (seconds)"
+                min={MINIMUM_LEASE_TTL}
                 max={secret.maxTtlSeconds!}
                 required
               />

From cfdf207b1dce599e1ac1225f2326b77bed0761fd Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 19:56:38 +0530
Subject: [PATCH 075/117] feat: add masked state to provider keymap config

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/graphene/types.py         |   1 +
 .../integrations/secrets/dynamic/providers.py |   9 +-
 .../ee/integrations/secrets/dynamic/utils.py  |  10 +-
 frontend/apollo/gql.ts                        |   8 +-
 frontend/apollo/graphql.ts                    |   9 +-
 frontend/apollo/schema.graphql                | 480 +++---------------
 .../secrets/dynamic/AWSCredentials.tsx        |  52 +-
 .../secrets/dynamic/getDynamicSecrets.gql     |   1 +
 .../graphql/queries/secrets/getSecrets.gql    |   1 +
 9 files changed, 138 insertions(+), 433 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
index a3786ce9d..ac4ca4f4a 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -17,6 +17,7 @@
 class KeyMap(graphene.ObjectType):
     id = graphene.String()
     key_name = graphene.String()
+    masked = graphene.Boolean()
 
 
 class KeyMapInput(graphene.InputObjectType):
diff --git a/backend/ee/integrations/secrets/dynamic/providers.py b/backend/ee/integrations/secrets/dynamic/providers.py
index f2fc05199..2ed990498 100644
--- a/backend/ee/integrations/secrets/dynamic/providers.py
+++ b/backend/ee/integrations/secrets/dynamic/providers.py
@@ -3,16 +3,23 @@ class DynamicSecretProviders:
         "id": "aws",
         "name": "AWS IAM",
         "credentials": [
-            {"id": "username", "type": "string", "default_key_name": "AWS_USERNAME"},
+            {
+                "id": "username",
+                "type": "string",
+                "default_key_name": "AWS_IAM_USERNAME",
+                "masked": False,
+            },
             {
                 "id": "access_key_id",
                 "type": "string",
                 "default_key_name": "AWS_ACCESS_KEY_ID",
+                "masked": False,
             },
             {
                 "id": "secret_access_key",
                 "type": "string",
                 "default_key_name": "AWS_SECRET_ACCESS_KEY",
+                "masked": True,
             },
         ],
         "config_map": [
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 6e60509a8..1cbcfefcf 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -75,8 +75,16 @@ def validate_key_map(key_map, provider, environment, path, dynamic_secret_id=Non
                 f"No key name provided for key id '{key_id}', and no default defined"
             )
 
+        # Get masked property from provider definition
+        masked = valid_creds[key_id].get("masked", True)  # default to masked
+
         validated_key_map.append(
-            {"id": key_id, "key_name": key_name, "key_digest": key_digest}
+            {
+                "id": key_id,
+                "key_name": key_name,
+                "key_digest": key_digest,
+                "masked": masked,
+            }
         )
 
     return validated_key_map
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index f94c9e426..44338bf52 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -117,9 +117,9 @@ const documents = {
     "query GetOrganisationPlan($organisationId: ID!) {\n  organisationPlan(organisationId: $organisationId) {\n    name\n    maxUsers\n    maxApps\n    maxEnvsPerApp\n    seatsUsed {\n      users\n      serviceAccounts\n      total\n    }\n    seatLimit\n    appCount\n  }\n}": types.GetOrganisationPlanDocument,
     "query GetRoles($orgId: ID!) {\n  roles(orgId: $orgId) {\n    id\n    name\n    description\n    color\n    permissions\n    isDefault\n  }\n}": types.GetRolesDocument,
     "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}": types.VerifyInviteDocument,
-    "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
+    "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
     "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": types.GetDynamicSecretProvidersDocument,
-    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
+    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
     "query GetAppEnvironments($appId: ID!, $memberId: ID, $memberType: MemberType) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppEnvironmentsDocument,
     "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppSecretsDocument,
     "query GetAppSecretsLogs($appId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $memberId: ID, $memberType: MemberType, $environmentId: ID) {\n  secretLogs(\n    appId: $appId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    memberId: $memberId\n    memberType: $memberType\n    environmentId: $environmentId\n  ) {\n    logs {\n      id\n      path\n      key\n      value\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      serviceAccountToken {\n        id\n        name\n        deletedAt\n      }\n      eventType\n      environment {\n        id\n        envType\n        name\n      }\n      secret {\n        id\n        path\n      }\n    }\n    count\n  }\n  environmentKeys(appId: $appId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    environment {\n      id\n    }\n  }\n}": types.GetAppSecretsLogsDocument,
@@ -591,7 +591,7 @@ export function graphql(source: "query VerifyInvite($inviteId: ID!) {\n  validat
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -599,7 +599,7 @@ export function graphql(source: "query GetDynamicSecretProviders {\n  dynamicSec
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n      }\n    }\n  }\n}"];
+export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index ca10b1a98..225124d78 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -801,6 +801,7 @@ export type KeyMap = {
   __typename?: 'KeyMap';
   id?: Maybe<Scalars['String']['output']>;
   keyName?: Maybe<Scalars['String']['output']>;
+  masked?: Maybe<Scalars['Boolean']['output']>;
 };
 
 export type KeyMapInput = {
@@ -3333,7 +3334,7 @@ export type GetDynamicSecretsQueryVariables = Exact<{
 }>;
 
 
-export type GetDynamicSecretsQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, index: number, app: { __typename?: 'AppMembershipType', id: string, name: string } }, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, iamPath?: string | null } | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
+export type GetDynamicSecretsQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, index: number, app: { __typename?: 'AppMembershipType', id: string, name: string } }, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, iamPath?: string | null } | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null, masked?: boolean | null } | null> | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
 
 export type GetDynamicSecretProvidersQueryVariables = Exact<{ [key: string]: never; }>;
 
@@ -3346,7 +3347,7 @@ export type GetDynamicSecretLeasesQueryVariables = Exact<{
 }>;
 
 
-export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null, events?: Array<{ __typename?: 'DynamicSecretLeaseEventType', id: string, eventType: ApiDynamicSecretLeaseEventEventTypeChoices, createdAt: any, metadata: any } | null> | null }> } | null> | null };
+export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null, events?: Array<{ __typename?: 'DynamicSecretLeaseEventType', id: string, eventType: ApiDynamicSecretLeaseEventEventTypeChoices, createdAt: any, metadata: any, ipAddress?: string | null, userAgent?: string | null, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null } | null> | null }> } | null> | null };
 
 export type GetAppEnvironmentsQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3720,9 +3721,9 @@ export const GetOrganisationMembersDocument = {"kind":"Document","definitions":[
 export const GetOrganisationPlanDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationPlan"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationPlan"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"seatLimit"}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationPlanQuery, GetOrganisationPlanQueryVariables>;
 export const GetRolesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRoles"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"roles"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"isDefault"}}]}}]}}]} as unknown as DocumentNode<GetRolesQuery, GetRolesQueryVariables>;
 export const VerifyInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateInvite"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"organisation"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<VerifyInviteQuery, VerifyInviteQueryVariables>;
-export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
+export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
 export const GetDynamicSecretProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"configMap"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretProvidersQuery, GetDynamicSecretProvidersQueryVariables>;
-export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
+export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
 export const GetAppEnvironmentsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppEnvironments"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppEnvironmentsQuery, GetAppEnvironmentsQueryVariables>;
 export const GetAppSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppSecretsQuery, GetAppSecretsQueryVariables>;
 export const GetAppSecretsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecretsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}},{"kind":"Argument","name":{"kind":"Name","value":"eventTypes"},"value":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppSecretsLogsQuery, GetAppSecretsLogsQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 056d01283..ab04080be 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -13,22 +13,9 @@ type Query {
   validateInvite(inviteId: ID): OrganisationMemberInviteType
   apps(organisationId: ID, appId: ID): [AppType]
   kmsLogs(appId: ID, start: BigInt, end: BigInt): KMSLogsResponseType
-  secretLogs(
-    appId: ID
-    start: BigInt
-    end: BigInt
-    eventTypes: [String]
-    memberId: ID
-    memberType: MemberType
-    environmentId: ID
-  ): SecretLogsResponseType
+  secretLogs(appId: ID, start: BigInt, end: BigInt, eventTypes: [String], memberId: ID, memberType: MemberType, environmentId: ID): SecretLogsResponseType
   appActivityChart(appId: ID, period: TimeRange): [ChartDataPointType]
-  appEnvironments(
-    appId: ID
-    environmentId: ID
-    memberId: ID
-    memberType: MemberType
-  ): [EnvironmentType]
+  appEnvironments(appId: ID, environmentId: ID, memberId: ID, memberType: MemberType): [EnvironmentType]
   appUsers(appId: ID): [OrganisationMemberType]
   appServiceAccounts(appId: ID): [ServiceAccountType]
   secrets(envId: ID, path: String, id: ID): [SecretType]
@@ -62,11 +49,7 @@ type Query {
   testVaultCreds(credentialId: ID): Boolean
   testNomadCreds(credentialId: ID): Boolean
   validateAwsAssumeRoleAuth: AWSValidationResultType
-  validateAwsAssumeRoleCredentials(
-    roleArn: String!
-    region: String
-    externalId: String
-  ): AWSValidationResultType
+  validateAwsAssumeRoleCredentials(roleArn: String!, region: String, externalId: String): AWSValidationResultType
   stripeCheckoutDetails(stripeSessionId: String!): StripeCheckoutDetails
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
@@ -95,19 +78,13 @@ value as specified by
 scalar DateTime
 
 enum ApiOrganisationPlanChoices {
-  """
-  Free
-  """
+  """Free"""
   FR
 
-  """
-  Pro
-  """
+  """Pro"""
   PR
 
-  """
-  Enterprise
-  """
+  """Enterprise"""
   EN
 }
 
@@ -208,24 +185,16 @@ type EnvironmentType {
 }
 
 enum ApiEnvironmentEnvTypeChoices {
-  """
-  Development
-  """
+  """Development"""
   DEV
 
-  """
-  Staging
-  """
+  """Staging"""
   STAGING
 
-  """
-  Production
-  """
+  """Production"""
   PROD
 
-  """
-  Custom
-  """
+  """Custom"""
   CUSTOM
 }
 
@@ -347,24 +316,16 @@ type ServiceAccountTokenType {
 }
 
 enum ApiSecretEventEventTypeChoices {
-  """
-  Create
-  """
+  """Create"""
   C
 
-  """
-  Read
-  """
+  """Read"""
   R
 
-  """
-  Update
-  """
+  """Update"""
   U
 
-  """
-  Delete
-  """
+  """Delete"""
   D
 }
 
@@ -411,29 +372,19 @@ type ProviderType {
 }
 
 enum ApiEnvironmentSyncStatusChoices {
-  """
-  In progress
-  """
+  """In progress"""
   IN_PROGRESS
 
-  """
-  Completed
-  """
+  """Completed"""
   COMPLETED
 
-  """
-  cancelled
-  """
+  """cancelled"""
   CANCELLED
 
-  """
-  Timed out
-  """
+  """Timed out"""
   TIMED_OUT
 
-  """
-  Failed
-  """
+  """Failed"""
   FAILED
 }
 
@@ -454,29 +405,19 @@ type EnvironmentSyncEventType {
 }
 
 enum ApiEnvironmentSyncEventStatusChoices {
-  """
-  In progress
-  """
+  """In progress"""
   IN_PROGRESS
 
-  """
-  Completed
-  """
+  """Completed"""
   COMPLETED
 
-  """
-  cancelled
-  """
+  """cancelled"""
   CANCELLED
 
-  """
-  Timed out
-  """
+  """Timed out"""
   TIMED_OUT
 
-  """
-  Failed
-  """
+  """Failed"""
   FAILED
 }
 
@@ -539,19 +480,13 @@ type ActivatedPhaseLicenseType {
 }
 
 enum ApiActivatedPhaseLicensePlanChoices {
-  """
-  Free
-  """
+  """Free"""
   FR
 
-  """
-  Pro
-  """
+  """Pro"""
   PR
 
-  """
-  Enterprise
-  """
+  """Enterprise"""
   EN
 }
 
@@ -606,13 +541,9 @@ type KMSLogType implements Node {
   longitude: Float
 }
 
-"""
-An object with an ID
-"""
+"""An object with an ID"""
 interface Node {
-  """
-  The ID of the object
-  """
+  """The ID of the object"""
   id: ID!
 }
 
@@ -865,9 +796,7 @@ type DynamicSecretType {
   path: String!
   authentication: ProviderCredentialsType
 
-  """
-  Which provider this secret is associated with.
-  """
+  """Which provider this secret is associated with."""
   provider: ApiDynamicSecretProviderChoices!
   config: DynamicSecretConfigUnion
   keyMap: [KeyMap]
@@ -880,9 +809,7 @@ type DynamicSecretType {
 }
 
 enum ApiDynamicSecretProviderChoices {
-  """
-  AWS
-  """
+  """AWS"""
   AWS
 }
 
@@ -900,6 +827,7 @@ type AWSConfigType {
 type KeyMap {
   id: String
   keyName: String
+  masked: Boolean
 }
 
 type DynamicSecretLeaseType {
@@ -911,9 +839,7 @@ type DynamicSecretLeaseType {
   serviceAccount: ServiceAccountType
   ttl: Float!
 
-  """
-  Current status of the lease
-  """
+  """Current status of the lease"""
   status: ApiDynamicSecretLeaseStatusChoices!
   credentials: LeaseCredentialsUnion
   createdAt: DateTime
@@ -926,29 +852,19 @@ type DynamicSecretLeaseType {
 }
 
 enum ApiDynamicSecretLeaseStatusChoices {
-  """
-  Created
-  """
+  """Created"""
   CREATED
 
-  """
-  Active
-  """
+  """Active"""
   ACTIVE
 
-  """
-  Renewed
-  """
+  """Renewed"""
   RENEWED
 
-  """
-  Revoked
-  """
+  """Revoked"""
   REVOKED
 
-  """
-  Expired
-  """
+  """Expired"""
   EXPIRED
 }
 
@@ -973,280 +889,79 @@ type DynamicSecretLeaseEventType {
 }
 
 enum ApiDynamicSecretLeaseEventEventTypeChoices {
-  """
-  Created
-  """
+  """Created"""
   CREATED
 
-  """
-  Active
-  """
+  """Active"""
   ACTIVE
 
-  """
-  Renewed
-  """
+  """Renewed"""
   RENEWED
 
-  """
-  Revoked
-  """
+  """Revoked"""
   REVOKED
 
-  """
-  Expired
-  """
+  """Expired"""
   EXPIRED
 }
 
 type Mutation {
-  createOrganisation(
-    id: ID!
-    identityKey: String!
-    name: String!
-    wrappedKeyring: String!
-    wrappedRecovery: String!
-  ): CreateOrganisationMutation
-  bulkInviteOrganisationMembers(
-    invites: [InviteInput]!
-    orgId: ID!
-  ): BulkInviteOrganisationMembersMutation
-  createOrganisationMember(
-    identityKey: String!
-    inviteId: ID!
-    orgId: ID!
-    wrappedKeyring: String
-    wrappedRecovery: String
-  ): CreateOrganisationMemberMutation
+  createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
+  bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
+  createOrganisationMember(identityKey: String!, inviteId: ID!, orgId: ID!, wrappedKeyring: String, wrappedRecovery: String): CreateOrganisationMemberMutation
   deleteOrganisationMember(memberId: ID!): DeleteOrganisationMemberMutation
   updateOrganisationMemberRole(memberId: ID!, roleId: ID!): UpdateOrganisationMemberRole
-  updateMemberWrappedSecrets(
-    orgId: ID!
-    wrappedKeyring: String!
-    wrappedRecovery: String!
-  ): UpdateUserWrappedSecretsMutation
+  updateMemberWrappedSecrets(orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
-  createApp(
-    appSeed: String!
-    appToken: String!
-    appVersion: Int!
-    id: ID!
-    identityKey: String!
-    name: String!
-    organisationId: ID!
-    wrappedKeyShare: String!
-  ): CreateAppMutation
+  createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
   deleteApp(id: ID!): DeleteAppMutation
   updateAppName(id: ID!, name: String!): UpdateAppNameMutation
-  addAppMember(
-    appId: ID
-    envKeys: [EnvironmentKeyInput]
-    memberId: ID
-    memberType: MemberType
-  ): AddAppMemberMutation
+  addAppMember(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): AddAppMemberMutation
   bulkAddAppMembers(appId: ID!, members: [AppMemberInputType]!): BulkAddAppMembersMutation
   removeAppMember(appId: ID, memberId: ID, memberType: MemberType): RemoveAppMemberMutation
-  updateMemberEnvironmentScope(
-    appId: ID
-    envKeys: [EnvironmentKeyInput]
-    memberId: ID
-    memberType: MemberType
-  ): UpdateMemberEnvScopeMutation
-  createEnvironment(
-    adminKeys: [EnvironmentKeyInput]
-    environmentData: EnvironmentInput!
-    wrappedSalt: String
-    wrappedSeed: String
-  ): CreateEnvironmentMutation
+  updateMemberEnvironmentScope(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): UpdateMemberEnvScopeMutation
+  createEnvironment(adminKeys: [EnvironmentKeyInput], environmentData: EnvironmentInput!, wrappedSalt: String, wrappedSeed: String): CreateEnvironmentMutation
   deleteEnvironment(environmentId: ID!): DeleteEnvironmentMutation
   renameEnvironment(environmentId: ID!, name: String!): RenameEnvironmentMutation
   swapEnvironmentOrder(environment1Id: ID!, environment2Id: ID!): SwapEnvironmentOrderMutation
-  createEnvironmentKey(
-    envId: ID!
-    identityKey: String!
-    userId: ID
-    wrappedSalt: String!
-    wrappedSeed: String!
-  ): CreateEnvironmentKeyMutation
-  createEnvironmentToken(
-    envId: ID!
-    identityKey: String!
-    name: String!
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateEnvironmentTokenMutation
-  createCustomRole(
-    color: String
-    description: String
-    name: String
-    organisationId: ID!
-    permissions: JSONString
-  ): CreateCustomRoleMutation
-  updateCustomRole(
-    color: String
-    description: String
-    id: ID!
-    name: String
-    permissions: JSONString
-  ): UpdateCustomRoleMutation
+  createEnvironmentKey(envId: ID!, identityKey: String!, userId: ID, wrappedSalt: String!, wrappedSeed: String!): CreateEnvironmentKeyMutation
+  createEnvironmentToken(envId: ID!, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateEnvironmentTokenMutation
+  createCustomRole(color: String, description: String, name: String, organisationId: ID!, permissions: JSONString): CreateCustomRoleMutation
+  updateCustomRole(color: String, description: String, id: ID!, name: String, permissions: JSONString): UpdateCustomRoleMutation
   deleteCustomRole(id: ID!): DeleteCustomRoleMutation
-  createNetworkAccessPolicy(
-    allowedIps: String!
-    isGlobal: Boolean!
-    name: String
-    organisationId: ID!
-  ): CreateNetworkAccessPolicyMutation
+  createNetworkAccessPolicy(allowedIps: String!, isGlobal: Boolean!, name: String, organisationId: ID!): CreateNetworkAccessPolicyMutation
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
-  updateAccountNetworkAccessPolicies(
-    accountInputs: [AccountPolicyInput]
-    organisationId: ID!
-  ): UpdateAccountNetworkAccessPolicies
-  createServiceAccount(
-    handlers: [ServiceAccountHandlerInput]
-    identityKey: String
-    name: String
-    organisationId: ID
-    roleId: ID
-    serverWrappedKeyring: String
-    serverWrappedRecovery: String
-  ): CreateServiceAccountMutation
-  enableServiceAccountThirdPartyAuth(
-    serverWrappedKeyring: String
-    serverWrappedRecovery: String
-    serviceAccountId: ID
-  ): EnableServiceAccountThirdPartyAuthMutation
-  updateServiceAccountHandlers(
-    handlers: [ServiceAccountHandlerInput]
-    organisationId: ID
-  ): UpdateServiceAccountHandlersMutation
+  updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
+  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
+  enableServiceAccountThirdPartyAuth(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountThirdPartyAuthMutation
+  updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
   updateServiceAccount(name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
-  createServiceAccountToken(
-    expiry: BigInt
-    identityKey: String!
-    name: String!
-    serviceAccountId: ID
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateServiceAccountTokenMutation
+  createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
   toggleSyncActive(syncId: ID): ToggleSyncActive
   updateSyncAuthentication(credentialId: ID, syncId: ID): UpdateSyncAuthentication
-  createProviderCredentials(
-    credentials: JSONString
-    name: String
-    orgId: ID
-    provider: String
-  ): CreateProviderCredentials
-  updateProviderCredentials(
-    credentialId: ID
-    credentials: JSONString
-    name: String
-  ): UpdateProviderCredentials
+  createProviderCredentials(credentials: JSONString, name: String, orgId: ID, provider: String): CreateProviderCredentials
+  updateProviderCredentials(credentialId: ID, credentials: JSONString, name: String): UpdateProviderCredentials
   deleteProviderCredentials(credentialId: ID): DeleteProviderCredentials
-  createCloudflarePagesSync(
-    credentialId: ID
-    deploymentId: ID
-    envId: ID
-    path: String
-    projectEnv: String
-    projectName: String
-  ): CreateCloudflarePagesSync
-  createCloudflareWorkersSync(
-    credentialId: ID
-    envId: ID
-    path: String
-    workerName: String
-  ): CreateCloudflareWorkersSync
-  createAwsSecretSync(
-    credentialId: ID
-    envId: ID
-    kmsId: String
-    path: String
-    secretName: String
-  ): CreateAWSSecretsManagerSync
-  createGhActionsSync(
-    credentialId: ID
-    envId: ID
-    owner: String
-    path: String
-    repoName: String
-  ): CreateGitHubActionsSync
-  createVaultSync(
-    credentialId: ID
-    engine: String
-    envId: ID
-    path: String
-    vaultPath: String
-  ): CreateVaultSync
-  createNomadSync(
-    credentialId: ID
-    envId: ID
-    nomadNamespace: String
-    nomadPath: String
-    path: String
-  ): CreateNomadSync
-  createGitlabCiSync(
-    credentialId: ID
-    envId: ID
-    isGroup: Boolean
-    masked: Boolean
-    path: String
-    protected: Boolean
-    resourceId: String
-    resourcePath: String
-  ): CreateGitLabCISync
-  createRailwaySync(
-    credentialId: ID
-    envId: ID
-    path: String
-    railwayEnvironment: RailwayResourceInput
-    railwayProject: RailwayResourceInput
-    railwayService: RailwayResourceInput
-  ): CreateRailwaySync
-  createVercelSync(
-    credentialId: ID
-    envId: ID
-    environment: String
-    path: String
-    projectId: String
-    projectName: String
-    secretType: String
-    teamId: String
-    teamName: String
-  ): CreateVercelSync
-  createRenderSync(
-    credentialId: ID
-    envId: ID
-    path: String
-    resourceId: String
-    resourceName: String
-    resourceType: RenderResourceType
-    secretFileName: String
-  ): CreateRenderSync
-  createUserToken(
-    expiry: BigInt
-    identityKey: String!
-    name: String!
-    orgId: ID!
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateUserTokenMutation
+  createCloudflarePagesSync(credentialId: ID, deploymentId: ID, envId: ID, path: String, projectEnv: String, projectName: String): CreateCloudflarePagesSync
+  createCloudflareWorkersSync(credentialId: ID, envId: ID, path: String, workerName: String): CreateCloudflareWorkersSync
+  createAwsSecretSync(credentialId: ID, envId: ID, kmsId: String, path: String, secretName: String): CreateAWSSecretsManagerSync
+  createGhActionsSync(credentialId: ID, envId: ID, owner: String, path: String, repoName: String): CreateGitHubActionsSync
+  createVaultSync(credentialId: ID, engine: String, envId: ID, path: String, vaultPath: String): CreateVaultSync
+  createNomadSync(credentialId: ID, envId: ID, nomadNamespace: String, nomadPath: String, path: String): CreateNomadSync
+  createGitlabCiSync(credentialId: ID, envId: ID, isGroup: Boolean, masked: Boolean, path: String, protected: Boolean, resourceId: String, resourcePath: String): CreateGitLabCISync
+  createRailwaySync(credentialId: ID, envId: ID, path: String, railwayEnvironment: RailwayResourceInput, railwayProject: RailwayResourceInput, railwayService: RailwayResourceInput): CreateRailwaySync
+  createVercelSync(credentialId: ID, envId: ID, environment: String, path: String, projectId: String, projectName: String, secretType: String, teamId: String, teamName: String): CreateVercelSync
+  createRenderSync(credentialId: ID, envId: ID, path: String, resourceId: String, resourceName: String, resourceType: RenderResourceType, secretFileName: String): CreateRenderSync
+  createUserToken(expiry: BigInt, identityKey: String!, name: String!, orgId: ID!, token: String!, wrappedKeyShare: String!): CreateUserTokenMutation
   deleteUserToken(tokenId: ID!): DeleteUserTokenMutation
-  createServiceToken(
-    appId: ID!
-    environmentKeys: [EnvironmentKeyInput]
-    expiry: BigInt
-    identityKey: String!
-    name: String!
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateServiceTokenMutation
+  createServiceToken(appId: ID!, environmentKeys: [EnvironmentKeyInput], expiry: BigInt, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateServiceTokenMutation
   deleteServiceToken(tokenId: ID!): DeleteServiceTokenMutation
   createSecretFolder(envId: ID, name: String, path: String): CreateSecretFolderMutation
   deleteSecretFolder(folderId: ID): DeleteSecretFolderMutation
@@ -1261,53 +976,20 @@ type Mutation {
   createOverride(overrideData: PersonalSecretInput): CreatePersonalSecretMutation
   removeOverride(secretId: ID): DeletePersonalSecretMutation
   createLockbox(input: LockboxInput): CreateLockboxMutation
-  createSubscriptionCheckoutSession(
-    billingPeriod: BillingPeriodEnum
-    organisationId: ID!
-    planType: PlanTypeEnum
-  ): CreateSubscriptionCheckoutSession
+  createSubscriptionCheckoutSession(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum): CreateSubscriptionCheckoutSession
   deletePaymentMethod(organisationId: ID, paymentMethodId: String): DeletePaymentMethodMutation
   cancelSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
   resumeSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
-  modifySubscription(
-    billingPeriod: BillingPeriodEnum
-    organisationId: ID!
-    planType: PlanTypeEnum
-    subscriptionId: String!
-  ): UpdateSubscriptionResponse
+  modifySubscription(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum, subscriptionId: String!): UpdateSubscriptionResponse
   createSetupIntent(organisationId: ID): CreateSetupIntentMutation
   setDefaultPaymentMethod(
     organisationId: ID
 
-    """
-    Payment Method ID to set as default
-    """
+    """Payment Method ID to set as default"""
     paymentMethodId: String!
   ): SetDefaultPaymentMethodMutation
-  createAwsDynamicSecret(
-    authenticationId: ID
-    config: AWSConfigInput!
-    defaultTtl: Int
-    description: String
-    environmentId: ID!
-    keyMap: [KeyMapInput]!
-    maxTtl: Int
-    name: String!
-    organisationId: ID!
-    path: String
-  ): CreateAWSDynamicSecretMutation
-  updateAwsDynamicSecret(
-    authenticationId: ID
-    config: AWSConfigInput!
-    defaultTtl: Int
-    description: String
-    dynamicSecretId: ID!
-    keyMap: [KeyMapInput]!
-    maxTtl: Int
-    name: String!
-    organisationId: ID!
-    path: String
-  ): UpdateAWSDynamicSecretMutation
+  createAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, environmentId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): CreateAWSDynamicSecretMutation
+  updateAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, dynamicSecretId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): UpdateAWSDynamicSecretMutation
   deleteDynamicSecret(secretId: ID!): DeleteDynamicSecretMutation
   createDynamicSecretLease(name: String, secretId: ID!, ttl: Int): LeaseDynamicSecret
   renewDynamicSecretLease(leaseId: ID!, ttl: Int): RenewLeaseMutation
@@ -1750,4 +1432,4 @@ type RenewLeaseMutation {
 
 type RevokeLeaseMutation {
   lease: DynamicSecretLeaseType
-}
+}
\ No newline at end of file
diff --git a/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx b/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
index 228581286..356b1eeff 100644
--- a/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
+++ b/frontend/ee/components/secrets/dynamic/AWSCredentials.tsx
@@ -16,10 +16,15 @@ export const AWSCredentials = ({
   const credentialKeyName = (credentialId: string) =>
     keyMap.find((key) => key.id === credentialId)?.keyName ?? credentialId
 
+  const getInitialMaskedState = (credentialId: string) => {
+    const keyEntry = keyMap.find((key) => key.id === credentialId)
+    return keyEntry?.masked ?? true // default to masked if not specified
+  }
+
   const [reveal, setReveal] = useState({
-    accessKeyId: false,
-    secretAccessKey: false,
-    username: false,
+    accessKeyId: !getInitialMaskedState('access_key_id'),
+    secretAccessKey: !getInitialMaskedState('secret_access_key'),
+    username: !getInitialMaskedState('username'),
   })
 
   const toggle = (k: keyof typeof reveal) => setReveal((s) => ({ ...s, [k]: !s[k] }))
@@ -28,6 +33,26 @@ export const AWSCredentials = ({
 
   return (
     <>
+      <div className="relative">
+        <Input
+          value={lease.credentials.username || ''}
+          setValue={() => {}}
+          readOnly
+          label={credentialKeyName('username')}
+          labelClassName="font-mono"
+          className={clsx(
+            'cursor-text ph-no-capture font-mono',
+            reveal.username ? 'text-security-none' : 'text-security-disc'
+          )}
+        />
+        <div className="absolute right-2 top-9">
+          <Button variant="outline" onClick={() => toggle('username')}>
+            {reveal.username ? <FaRegEyeSlash /> : <FaRegEye />}
+            {reveal.username ? 'Hide' : 'Show'}
+          </Button>
+          <CopyButton value={lease.credentials.username || ''} />
+        </div>
+      </div>
       <div className="relative">
         <Input
           value={lease.credentials.accessKeyId || ''}
@@ -69,27 +94,6 @@ export const AWSCredentials = ({
           <CopyButton value={lease.credentials.secretAccessKey || ''} />
         </div>
       </div>
-
-      <div className="relative">
-        <Input
-          value={lease.credentials.username || ''}
-          setValue={() => {}}
-          readOnly
-          label={credentialKeyName('username')}
-          labelClassName="font-mono"
-          className={clsx(
-            'cursor-text ph-no-capture font-mono',
-            reveal.username ? 'text-security-none' : 'text-security-disc'
-          )}
-        />
-        <div className="absolute right-2 top-9">
-          <Button variant="outline" onClick={() => toggle('username')}>
-            {reveal.username ? <FaRegEyeSlash /> : <FaRegEye />}
-            {reveal.username ? 'Hide' : 'Show'}
-          </Button>
-          <CopyButton value={lease.credentials.username || ''} />
-        </div>
-      </div>
     </>
   )
 }
diff --git a/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql b/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
index 30cb66914..8c005cf8e 100644
--- a/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
+++ b/frontend/graphql/queries/secrets/dynamic/getDynamicSecrets.gql
@@ -23,6 +23,7 @@ query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {
     keyMap {
       id
       keyName
+      masked
     }
     defaultTtlSeconds
     maxTtlSeconds
diff --git a/frontend/graphql/queries/secrets/getSecrets.gql b/frontend/graphql/queries/secrets/getSecrets.gql
index aee554746..a75cfa205 100644
--- a/frontend/graphql/queries/secrets/getSecrets.gql
+++ b/frontend/graphql/queries/secrets/getSecrets.gql
@@ -74,6 +74,7 @@ query GetSecrets($appId: ID!, $envId: ID!, $path: String) {
     keyMap {
       id
       keyName
+      masked
     }
     config {
       ... on AWSConfigType {

From 8778f3b2ca4fa9bdda636026d9d4a1494fd3d0e7 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 19:59:27 +0530
Subject: [PATCH 076/117] fix: toast on lease revoke

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
index a34ea364a..18c4f2b18 100644
--- a/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
@@ -35,7 +35,7 @@ export const RevokeLeaseDialog = ({
         ],
       })
 
-      const revokedLeaseData = result.data?.revokeDynamicSecretLease?.lease.revokedAt
+      const revokedLeaseData = result.data?.revokeDynamicSecretLease?.lease
       if (revokedLeaseData) {
         toast.success('Revoked lease')
         dialogRef.current?.closeModal()

From f2a719699f1b615a2e4924a8c811935f61e6ca70 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 23:09:55 +0530
Subject: [PATCH 077/117] fix: allow 60 second TTL

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx | 4 ++--
 frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
index 2811285c8..1f65603ba 100644
--- a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
@@ -38,8 +38,8 @@ export const CreateLeaseDialog = ({ secret }: { secret: DynamicSecretType }) =>
       return
     }
 
-    if (parseInt(ttl) <= MINIMUM_LEASE_TTL) {
-      toast.error(`TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
+    if (parseInt(ttl) < MINIMUM_LEASE_TTL) {
+      toast.error(`TTL must be at least ${MINIMUM_LEASE_TTL} seconds`)
       return
     }
 
diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 07aa07f5a..58f295f8f 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -45,8 +45,8 @@ export const RenewLeaseDialog = ({
       return
     }
 
-    if (parseInt(ttl) <= MINIMUM_LEASE_TTL) {
-      toast.error(`TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
+    if (parseInt(ttl) < MINIMUM_LEASE_TTL) {
+      toast.error(`TTL must be at least ${MINIMUM_LEASE_TTL} seconds`)
       return
     }
 

From 473d0c25900faf49a49060cf2957a9e2196e0227 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 23:10:41 +0530
Subject: [PATCH 078/117] fix: strip masked field to correctly cast type, fix
 key name format

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/CreateDynamicSecretDialog.tsx           | 4 +++-
 .../secrets/dynamic/UpdateDynamicSecretDialog.tsx           | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 3be205d8e..603efdf80 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -411,7 +411,9 @@ export const CreateDynamicSecretDialog = forwardRef<
                               setFormData((prev) => ({
                                 ...prev,
                                 keyMap: prev.keyMap.map((k) =>
-                                  k.id === key.id ? { ...k, keyName: val } : k
+                                  k.id === key.id
+                                    ? { ...k, keyName: val.replace(/ /g, '_').toUpperCase() }
+                                    : k
                                 ),
                               }))
                             }
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index bbe1ea167..966ba2df9 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -78,7 +78,7 @@ export const UpdateDynamicSecretDialog = forwardRef<
     function sanitize(obj: any): any {
       if (Array.isArray(obj)) return obj.map(sanitize)
       if (obj && typeof obj === 'object') {
-        const { __typename, ...rest } = obj
+        const { __typename, masked, ...rest } = obj
         return Object.fromEntries(Object.entries(rest).map(([k, v]) => [k, sanitize(v)]))
       }
       return obj
@@ -318,7 +318,9 @@ export const UpdateDynamicSecretDialog = forwardRef<
                         setFormData((prev) => ({
                           ...prev,
                           keyMap: prev.keyMap.map((k) =>
-                            k.id === key.id ? { ...k, keyName: val } : k
+                            k.id === key.id
+                              ? { ...k, keyName: val.replace(/ /g, '_').toUpperCase() }
+                              : k
                           ),
                         }))
                       }

From 4fcba952b20f2bf508d31376b0c4e01134d7e990 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 15 Sep 2025 23:20:54 +0530
Subject: [PATCH 079/117] fix: refetch dynamic secrets on create and delete

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/CreateDynamicSecretDialog.tsx        | 9 +++------
 .../secrets/dynamic/DeleteDynamicSecretDialog.tsx        | 6 +++++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 603efdf80..4f1f4078e 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -7,11 +7,10 @@ import {
   EnvironmentType,
   ProviderCredentialsType,
   KeyMapInput,
-  DynamicSecretType,
-  ApiOrganisationPlanChoices,
 } from '@/apollo/graphql'
 import { GetDynamicSecretProviders } from '@/graphql/queries/secrets/dynamic/getProviders.gql'
 import { CreateNewAWSDynamicSecret } from '@/graphql/mutations/environments/secrets/dynamic/createDynamicSecret.gql'
+import { GetDynamicSecrets } from '@/graphql/queries/secrets/dynamic/getDynamicSecrets.gql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Input } from '@/components/common/Input'
 import { Button } from '@/components/common/Button'
@@ -23,7 +22,7 @@ import { toUpper } from 'lodash'
 import { useMutation, useQuery } from '@apollo/client'
 import { Card } from '@/components/common/Card'
 import { ProviderIcon } from '@/components/syncing/ProviderIcon'
-import { FaArrowRightLong, FaPlus } from 'react-icons/fa6'
+import { FaArrowRightLong } from 'react-icons/fa6'
 import { MdOutlinePassword } from 'react-icons/md'
 import { camelCase } from 'lodash'
 import { toast } from 'react-toastify'
@@ -31,9 +30,6 @@ import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
 import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
-import { PlanLabel } from '@/components/settings/organisation/PlanLabel'
-import { UpsellDialog } from '@/components/settings/organisation/UpsellDialog'
-import { isCloudHosted } from '@/utils/appConfig'
 
 type CreateDynamicSecretDialogRef = {
   openModal: () => void
@@ -205,6 +201,7 @@ export const CreateDynamicSecretDialog = forwardRef<
           config: formData.config,
           keyMap: encryptedKeyMap,
         },
+        refetchQueries: [{ query: GetDynamicSecrets, variables: { orgId: organisation?.id } }],
       })
 
       toast.success('Created new dynamic secret')
diff --git a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
index 14c20f7e5..b0d12395d 100644
--- a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
@@ -2,6 +2,7 @@ import { DynamicSecretType, KeyMap } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { organisationContext } from '@/contexts/organisationContext'
 import { DeleteDynamicSecretOP } from '@/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql'
+import { GetDynamicSecrets } from '@/graphql/queries/secrets/dynamic/getDynamicSecrets.gql'
 import { useMutation } from '@apollo/client'
 import { useContext, useRef } from 'react'
 import { FaTrashAlt } from 'react-icons/fa'
@@ -21,7 +22,10 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
   const keyMap: KeyMap[] = secret.keyMap as KeyMap[]
 
   const handleDelete = async () => {
-    await deleteSecret({ variables: { secretId: secret.id } })
+    await deleteSecret({
+      variables: { secretId: secret.id },
+      refetchQueries: [{ query: GetDynamicSecrets, variables: { orgId: organisation?.id } }],
+    })
     toast.success('Deleted dynamic secret')
   }
 

From 2a576f63935f6a15de3f729b53f22ca9625ff47f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 12:02:04 +0530
Subject: [PATCH 080/117] fix: correctly handle groups config, handle both arns
 and group names

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/aws/graphene/mutations.py |  4 ++--
 .../secrets/dynamic/aws/graphene/types.py     |  4 ++--
 .../integrations/secrets/dynamic/aws/utils.py | 22 ++++++++++++++-----
 frontend/apollo/gql.ts                        |  4 ++--
 frontend/apollo/graphql.ts                    | 12 +++++-----
 frontend/apollo/schema.graphql                |  8 +++----
 .../dynamic/CreateDynamicSecretDialog.tsx     |  8 +++----
 7 files changed, 37 insertions(+), 25 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
index d127ba120..ccc510be6 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -32,8 +32,8 @@ class AWSConfigInput(graphene.InputObjectType):
     username_template = graphene.String(required=True)
     iam_path = graphene.String(required=False, default_value="/")
     permission_boundary_arn = graphene.String(required=False)
-    groups = graphene.List(graphene.String)
-    policy_arns = graphene.List(graphene.String)
+    groups = graphene.String(required=False)  # comma-separated
+    policy_arns = graphene.String(required=False)  # comma-separated
     policy_document = GenericScalar(required=False)
 
 
diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py
index 81146a824..69d076910 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/types.py
@@ -7,8 +7,8 @@ class AWSConfigType(graphene.ObjectType):
     username_template = graphene.String(required=True)
     iam_path = graphene.String(required=False, default_value="/")
     permission_boundary_arn = graphene.String(required=False)
-    groups = graphene.List(graphene.String, required=False)
-    policy_arns = graphene.List(graphene.String, required=False)
+    groups = graphene.String(required=False)
+    policy_arns = graphene.String(required=False)
     policy_document = GenericScalar(required=False)  # JSON object
 
 
diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 5648640bc..83ff84e9c 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -230,15 +230,26 @@ def create_temporary_user(user_config, iam_client):
             # If groups is a string (legacy), split by comma
             if isinstance(groups, str):
                 groups = [g.strip() for g in groups.split(",") if g.strip()]
-            for group_name in groups:
+            for group_identifier in groups:
                 try:
+                    # Handle both group names and ARNs
+                    if group_identifier.startswith("arn:aws:iam::"):
+                        # Extract group name from ARN
+                        # ARN format: arn:aws:iam::account-id:group/group-name
+                        group_name = group_identifier.split("/")[-1]
+                    else:
+                        # Assume it's already a group name
+                        group_name = group_identifier
+
                     iam_client.add_user_to_group(
                         GroupName=group_name, UserName=username
                     )
-                    logger.info(f"Added user {username} to group {group_name}")
+                    logger.info(
+                        f"Added user {username} to group {group_name} (from: {group_identifier})"
+                    )
                 except ClientError as e:
                     logger.error(
-                        f"Failed to add user {username} to group {group_name}: {str(e)}"
+                        f"Failed to add user {username} to group {group_identifier}: {str(e)}"
                     )
                     raise
 
@@ -511,8 +522,9 @@ def revoke_aws_dynamic_secret_lease(
             iam_client.remove_user_from_group(
                 UserName=username, GroupName=group["GroupName"]
             )
-            logger.info(f"Removed user from group")
-            meta["removed_groups"].append(group["GroupName"])
+            logger.info(f"Removed user {username} from group {group['GroupName']}")
+            # Store the ARN in metadata for better audit trail
+            meta["removed_groups"].append(group.get("Arn", group["GroupName"]))
 
         # Finally, delete the user
         iam_client.delete_user(UserName=username)
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 44338bf52..e7204e8e0 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -130,7 +130,7 @@ const documents = {
     "query GetSecretHistory($appId: ID!, $envId: ID!, $id: ID!) {\n  secrets(envId: $envId, id: $id) {\n    id\n    history {\n      id\n      key\n      value\n      path\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      eventType\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetSecretHistoryDocument,
     "query GetEnvSecretsKV($envId: ID!) {\n  folders(envId: $envId, path: \"/\") {\n    id\n    name\n  }\n  secrets(envId: $envId, path: \"/\") {\n    id\n    key\n    value\n    comment\n    path\n  }\n  environmentKeys(environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetEnvSecretsKvDocument,
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
-    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
+    "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
     "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
@@ -643,7 +643,7 @@ export function graphql(source: "query GetSecretTags($orgId: ID!) {\n  secretTag
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 225124d78..a3bf9736b 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -48,20 +48,20 @@ export type Scalars = {
 };
 
 export type AwsConfigInput = {
-  groups?: InputMaybe<Array<InputMaybe<Scalars['String']['input']>>>;
+  groups?: InputMaybe<Scalars['String']['input']>;
   iamPath?: InputMaybe<Scalars['String']['input']>;
   permissionBoundaryArn?: InputMaybe<Scalars['String']['input']>;
-  policyArns?: InputMaybe<Array<InputMaybe<Scalars['String']['input']>>>;
+  policyArns?: InputMaybe<Scalars['String']['input']>;
   policyDocument?: InputMaybe<Scalars['GenericScalar']['input']>;
   usernameTemplate: Scalars['String']['input'];
 };
 
 export type AwsConfigType = {
   __typename?: 'AWSConfigType';
-  groups?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+  groups?: Maybe<Scalars['String']['output']>;
   iamPath?: Maybe<Scalars['String']['output']>;
   permissionBoundaryArn?: Maybe<Scalars['String']['output']>;
-  policyArns?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+  policyArns?: Maybe<Scalars['String']['output']>;
   policyDocument?: Maybe<Scalars['GenericScalar']['output']>;
   usernameTemplate: Scalars['String']['output'];
 };
@@ -3441,7 +3441,7 @@ export type GetSecretsQueryVariables = Exact<{
 }>;
 
 
-export type GetSecretsQuery = { __typename?: 'Query', secrets?: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, path: string, comment: string, createdAt?: any | null, updatedAt: any, tags: Array<{ __typename?: 'SecretTagType', id: string, name: string, color: string }>, override?: { __typename?: 'PersonalSecretType', value?: string | null, isActive: boolean } | null, environment: { __typename?: 'EnvironmentType', id: string, app: { __typename?: 'AppMembershipType', id: string } } } | null> | null, folders?: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string, createdAt?: any | null, folderCount?: number | null, secretCount?: number | null } | null> | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, app: { __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean } } | null> | null, environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, identityKey: string, wrappedSeed: string, wrappedSalt: string } | null> | null, envSyncs?: Array<{ __typename?: 'EnvironmentSyncType', id: string, options: any, isActive: boolean, status: ApiEnvironmentSyncStatusChoices, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null> | null, dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, groups?: Array<string | null> | null, iamPath?: string | null, permissionBoundaryArn?: string | null, policyArns?: Array<string | null> | null, policyDocument?: any | null } | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
+export type GetSecretsQuery = { __typename?: 'Query', secrets?: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, path: string, comment: string, createdAt?: any | null, updatedAt: any, tags: Array<{ __typename?: 'SecretTagType', id: string, name: string, color: string }>, override?: { __typename?: 'PersonalSecretType', value?: string | null, isActive: boolean } | null, environment: { __typename?: 'EnvironmentType', id: string, app: { __typename?: 'AppMembershipType', id: string } } } | null> | null, folders?: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string, createdAt?: any | null, folderCount?: number | null, secretCount?: number | null } | null> | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, app: { __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean } } | null> | null, environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, identityKey: string, wrappedSeed: string, wrappedSalt: string } | null> | null, envSyncs?: Array<{ __typename?: 'EnvironmentSyncType', id: string, options: any, isActive: boolean, status: ApiEnvironmentSyncStatusChoices, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null> | null, dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, defaultTtlSeconds?: number | null, maxTtlSeconds?: number | null, createdAt?: any | null, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null, masked?: boolean | null } | null> | null, config?: { __typename?: 'AWSConfigType', usernameTemplate: string, groups?: string | null, iamPath?: string | null, permissionBoundaryArn?: string | null, policyArns?: string | null, policyDocument?: any | null } | null, authentication?: { __typename?: 'ProviderCredentialsType', id: string, name: string } | null } | null> | null };
 
 export type GetServiceTokensQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3734,7 +3734,7 @@ export const GetOrgSecretKeysDocument = {"kind":"Document","definitions":[{"kind
 export const GetSecretHistoryDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretHistory"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetSecretHistoryQuery, GetSecretHistoryQueryVariables>;
 export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetEnvSecretsKV"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"StringValue","value":"/","block":false}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetEnvSecretsKvQuery, GetEnvSecretsKvQueryVariables>;
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
-export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
+export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
 export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index ab04080be..e42dbcc90 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -819,8 +819,8 @@ type AWSConfigType {
   usernameTemplate: String!
   iamPath: String
   permissionBoundaryArn: String
-  groups: [String]
-  policyArns: [String]
+  groups: String
+  policyArns: String
   policyDocument: GenericScalar
 }
 
@@ -1404,8 +1404,8 @@ input AWSConfigInput {
   usernameTemplate: String!
   iamPath: String = "/"
   permissionBoundaryArn: String
-  groups: [String]
-  policyArns: [String]
+  groups: String
+  policyArns: String
   policyDocument: GenericScalar
 }
 
diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 4f1f4078e..600ab2947 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -68,8 +68,8 @@ export const CreateDynamicSecretDialog = forwardRef<
       usernameTemplate: '{{random}}',
       iamPath: `/phase/`,
       permissionBoundaryArn: undefined,
-      groups: [],
-      policyArns: [],
+      groups: '',
+      policyArns: '',
       policyDocument: undefined,
     } as AwsConfigInput,
     keyMap: [] as KeyMapInput[],
@@ -88,8 +88,8 @@ export const CreateDynamicSecretDialog = forwardRef<
         usernameTemplate: '{{random}}',
         iamPath: `/phase/`,
         permissionBoundaryArn: undefined,
-        groups: [],
-        policyArns: [],
+        groups: '',
+        policyArns: '',
         policyDocument: undefined,
       } as AwsConfigInput,
       keyMap: [] as KeyMapInput[],

From 59dbfe4a5d72ab88b3f7edecae60a4ab17c541eb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 12:25:13 +0530
Subject: [PATCH 081/117] feat: add detailed logging, cleanup user if lease
 creation fails

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/aws/utils.py | 439 ++++++++++++++++--
 1 file changed, 395 insertions(+), 44 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 83ff84e9c..856d2aeb8 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -156,14 +156,24 @@ def create_temporary_user(user_config, iam_client):
             - ttl_seconds (int): Time to live in seconds
 
     Returns:
-        dict: User creation result with username and metadata
+        tuple: (user_result_dict, meta_dict) User creation result with username and metadata
     """
+    # Initialize metadata tracking
+    meta = {
+        "action": "create",
+        "provider": "aws",
+        "attached_policies": [],
+        "added_groups": [],
+        "tags_applied": [],
+    }
+
     try:
         # Generate unique username
         base_template = user_config.get(
             "username_template", "phase-dynamic-{{ random }}"
         )
         username = render_username_template(base_template)
+        meta["username"] = username
 
         # Prepare user creation parameters
         path = user_config.get("iam_user_path", "/") or "/"
@@ -180,15 +190,20 @@ def create_temporary_user(user_config, iam_client):
             "UserName": username,
             "Path": path,
         }
+        meta["iam_path"] = path
 
         # Add permission boundary if specified
         if user_config.get("permission_boundary_arn"):
             create_params["PermissionsBoundary"] = user_config[
                 "permission_boundary_arn"
             ]
+            meta["permission_boundary_arn"] = user_config["permission_boundary_arn"]
 
         # Create IAM user
         response = iam_client.create_user(**create_params)
+        logger.info(f"Created IAM user {username}")
+        meta["user_created"] = True
+        meta["user_arn"] = response["User"]["Arn"]
 
         # Add tags to track the user
         creation_time = datetime.utcnow()
@@ -196,15 +211,18 @@ def create_temporary_user(user_config, iam_client):
             seconds=user_config.get("ttl_seconds", 60)
         )
 
+        tags = [
+            {"Key": "CreatedBy", "Value": "phase-dynamic-secrets"},
+            {"Key": "CreationTime", "Value": creation_time.isoformat()},
+            {"Key": "ExpiryTime", "Value": expiry_time.isoformat()},
+            {"Key": "TTL", "Value": str(user_config.get("ttl_seconds", 60))},
+        ]
         iam_client.tag_user(
             UserName=username,
-            Tags=[
-                {"Key": "CreatedBy", "Value": "phase-dynamic-secrets"},
-                {"Key": "CreationTime", "Value": creation_time.isoformat()},
-                {"Key": "ExpiryTime", "Value": expiry_time.isoformat()},
-                {"Key": "TTL", "Value": str(user_config.get("ttl_seconds", 60))},
-            ],
+            Tags=tags,
         )
+        logger.info(f"Tagged IAM user {username}")
+        meta["tags_applied"] = [tag["Key"] for tag in tags]
 
         # Attach policies if specified
         policy_arns = user_config.get("policy_arns")
@@ -218,10 +236,17 @@ def create_temporary_user(user_config, iam_client):
                         UserName=username, PolicyArn=policy_arn
                     )
                     logger.info(f"Attached policy {policy_arn} to user {username}")
+                    meta["attached_policies"].append(policy_arn)
                 except ClientError as e:
                     logger.error(
                         f"Failed to attach policy {policy_arn} to user {username}: {str(e)}"
                     )
+                    meta["failed_policy_attachments"] = meta.get(
+                        "failed_policy_attachments", []
+                    )
+                    meta["failed_policy_attachments"].append(
+                        {"policy_arn": policy_arn, "error": str(e)}
+                    )
                     raise
 
         # Add user to specified groups
@@ -247,26 +272,42 @@ def create_temporary_user(user_config, iam_client):
                     logger.info(
                         f"Added user {username} to group {group_name} (from: {group_identifier})"
                     )
+                    meta["added_groups"].append(
+                        {"group_name": group_name, "group_identifier": group_identifier}
+                    )
                 except ClientError as e:
                     logger.error(
                         f"Failed to add user {username} to group {group_identifier}: {str(e)}"
                     )
+                    meta["failed_group_additions"] = meta.get(
+                        "failed_group_additions", []
+                    )
+                    meta["failed_group_additions"].append(
+                        {"group_identifier": group_identifier, "error": str(e)}
+                    )
                     raise
 
         logger.info(f"Successfully created temporary IAM user: {username}")
+        meta["outcome"] = "success"
 
-        return {
+        user_result = {
             "username": username,
             "arn": response["User"]["Arn"],
             "creation_time": creation_time.isoformat(),
             "expiry_time": expiry_time.isoformat(),
         }
 
+        return user_result, meta
+
     except ClientError as e:
         logger.error(f"AWS client error creating user: {str(e)}")
+        meta["outcome"] = "error"
+        meta["error"] = str(e)
         raise
     except Exception as e:
         logger.error(f"Unexpected error creating user: {str(e)}")
+        meta["outcome"] = "error"
+        meta["error"] = str(e)
         raise
 
 
@@ -278,25 +319,38 @@ def create_access_key(username, iam_client):
         username (str): IAM username
 
     Returns:
-        dict: Access key details
+        tuple: (access_key_dict, meta_dict) Access key details and metadata
     """
+    meta = {
+        "action": "create_access_key",
+        "username": username,
+    }
+
     try:
         response = iam_client.create_access_key(UserName=username)
         access_key = response["AccessKey"]
 
         logger.info(f"Successfully created access key for user: {username}")
+        meta["access_key_id"] = access_key["AccessKeyId"]
+        meta["outcome"] = "success"
 
-        return {
+        access_key_result = {
             "access_key_id": access_key["AccessKeyId"],
             "secret_access_key": access_key["SecretAccessKey"],
             "status": access_key["Status"],
         }
 
+        return access_key_result, meta
+
     except ClientError as e:
         logger.error(f"AWS client error creating access key: {str(e)}")
+        meta["outcome"] = "error"
+        meta["error"] = str(e)
         raise
     except Exception as e:
         logger.error(f"Unexpected error creating access key: {str(e)}")
+        meta["outcome"] = "error"
+        meta["error"] = str(e)
         raise
 
 
@@ -369,6 +423,12 @@ def create_aws_dynamic_secret_lease(
     """
     Create a new lease for dynamic AWS credentials.
     """
+    # Initialize combined metadata
+    combined_meta = {
+        "action": "create_lease",
+        "provider": "aws",
+        "ttl_seconds": ttl_seconds,
+    }
 
     lease_config = secret.config
 
@@ -380,6 +440,7 @@ def create_aws_dynamic_secret_lease(
         )
 
     iam_client, _ = get_iam_client(secret)
+    created_username = None  # Track if we created a user for cleanup
 
     # Build config for user creation
     user_config = {
@@ -391,50 +452,340 @@ def create_aws_dynamic_secret_lease(
         "ttl_seconds": ttl_seconds,
     }
 
-    user_result = create_temporary_user(user_config, iam_client)
-    username = user_result["username"]
+    try:
+        user_result, user_meta = create_temporary_user(user_config, iam_client)
+        combined_meta["user_creation"] = user_meta
+        username = user_result["username"]
+        created_username = username  # Mark that we created a user
 
-    # Create access key for the user
-    access_key_result = create_access_key(username, iam_client)
+        # Create access key for the user
+        access_key_result, access_key_meta = create_access_key(username, iam_client)
+        combined_meta["access_key_creation"] = access_key_meta
 
-    lease_data = {
-        "username": username,
-        "user_arn": user_result["arn"],
-        "access_key_id": access_key_result["access_key_id"],
-        "secret_access_key": access_key_result["secret_access_key"],
-        "creation_time": user_result["creation_time"],
-        "expiry_time": user_result["expiry_time"],
-        "ttl_seconds": user_config.get("ttl_seconds", 60),
+        lease_data = {
+            "username": username,
+            "user_arn": user_result["arn"],
+            "access_key_id": access_key_result["access_key_id"],
+            "secret_access_key": access_key_result["secret_access_key"],
+            "creation_time": user_result["creation_time"],
+            "expiry_time": user_result["expiry_time"],
+            "ttl_seconds": user_config.get("ttl_seconds", 60),
+        }
+
+        env_pubkey, _ = get_environment_keys(secret.environment.id)
+
+        encrypted_credentials = {
+            "access_key_id": encrypt_asymmetric(
+                access_key_result["access_key_id"], env_pubkey
+            ),
+            "secret_access_key": encrypt_asymmetric(
+                access_key_result["secret_access_key"], env_pubkey
+            ),
+            "username": encrypt_asymmetric(username, env_pubkey),
+        }
+
+        lease = DynamicSecretLease.objects.create(
+            secret=secret,
+            name=lease_name,
+            organisation_member=organisation_member,
+            service_account=service_account,
+            ttl=timedelta(seconds=ttl_seconds),
+            expires_at=timezone.now() + timedelta(seconds=ttl_seconds),
+            credentials=encrypted_credentials,
+        )
+        combined_meta["lease_id"] = str(lease.id)
+        combined_meta["outcome"] = "success"
+
+        # --- Schedule revocation ---
+        from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
+
+        schedule_lease_revocation(lease)
+        combined_meta["revocation_scheduled"] = True
+
+        return lease, lease_data, combined_meta
+
+    except Exception as e:
+        # If we created a user but something failed later, clean it up
+        if created_username:
+            logger.warning(
+                f"Lease creation failed after user creation, cleaning up user {created_username}"
+            )
+            combined_meta["cleanup_attempted"] = True
+            try:
+                cleanup_failed_user_creation(created_username, iam_client)
+                combined_meta["cleanup_successful"] = True
+                logger.info(
+                    f"Successfully cleaned up user {created_username} after failed lease creation"
+                )
+            except Exception as cleanup_error:
+                combined_meta["cleanup_error"] = str(cleanup_error)
+                logger.error(
+                    f"Failed to cleanup user {created_username}: {cleanup_error}"
+                )
+                # Don't suppress the original error
+
+        # Re-raise the original exception
+        raise
+
+
+def cleanup_failed_user_creation(username: str, iam_client):
+    """
+    Clean up a partially created IAM user by removing all attached resources.
+    This is called when lease creation fails after user creation.
+    """
+    try:
+        # Delete all access keys
+        try:
+            access_keys = iam_client.list_access_keys(UserName=username)
+            for key in access_keys["AccessKeyMetadata"]:
+                iam_client.delete_access_key(
+                    UserName=username, AccessKeyId=key["AccessKeyId"]
+                )
+                logger.info(
+                    f"Cleaned up access key {key['AccessKeyId']} for user {username}"
+                )
+        except ClientError:
+            pass  # User might not have access keys yet
+
+        # Detach all managed policies
+        try:
+            attached_policies = iam_client.list_attached_user_policies(
+                UserName=username
+            )
+            for policy in attached_policies["AttachedPolicies"]:
+                iam_client.detach_user_policy(
+                    UserName=username, PolicyArn=policy["PolicyArn"]
+                )
+                logger.info(
+                    f"Cleaned up attached policy {policy['PolicyArn']} for user {username}"
+                )
+        except ClientError:
+            pass
+
+        # Delete all inline policies
+        try:
+            inline_policies = iam_client.list_user_policies(UserName=username)
+            for policy_name in inline_policies["PolicyNames"]:
+                iam_client.delete_user_policy(UserName=username, PolicyName=policy_name)
+                logger.info(
+                    f"Cleaned up inline policy {policy_name} for user {username}"
+                )
+        except ClientError:
+            pass
+
+        # Remove user from all groups
+        try:
+            groups_resp = iam_client.list_groups_for_user(UserName=username)
+            for group in groups_resp["Groups"]:
+                iam_client.remove_user_from_group(
+                    UserName=username, GroupName=group["GroupName"]
+                )
+                logger.info(
+                    f"Cleaned up group membership {group['GroupName']} for user {username}"
+                )
+        except ClientError:
+            pass
+
+        # Finally, delete the user
+        iam_client.delete_user(UserName=username)
+        logger.info(f"Cleaned up IAM user {username}")
+
+    except iam_client.exceptions.NoSuchEntityException:
+        logger.info(f"User {username} already deleted during cleanup")
+    except ClientError as e:
+        logger.error(f"Error during cleanup of user {username}: {e}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error during cleanup of user {username}: {e}")
+        raise
+
+
+def create_aws_dynamic_secret_lease(
+    *,
+    secret: DynamicSecret,
+    lease_name,
+    organisation_member=None,
+    service_account=None,
+    ttl_seconds,
+) -> dict:
+    """
+    Create a new lease for dynamic AWS credentials.
+    """
+    # Initialize combined metadata
+    combined_meta = {
+        "action": "create_lease",
+        "provider": "aws",
+        "ttl_seconds": ttl_seconds,
     }
 
-    env_pubkey, _ = get_environment_keys(secret.environment.id)
+    lease_config = secret.config
+
+    if not organisation_member and not service_account:
+        raise ValidationError("Must set either organisation_member or service_account")
+    if organisation_member and service_account:
+        raise ValidationError(
+            "Only one of organisation_member or service_account may be set"
+        )
+
+    iam_client, _ = get_iam_client(secret)
+    created_username = None  # Track if we created a user for cleanup
 
-    encrypted_credentials = {
-        "access_key_id": encrypt_asymmetric(
-            access_key_result["access_key_id"], env_pubkey
-        ),
-        "secret_access_key": encrypt_asymmetric(
-            access_key_result["secret_access_key"], env_pubkey
-        ),
-        "username": encrypt_asymmetric(username, env_pubkey),
+    # Build config for user creation
+    user_config = {
+        "username_template": lease_config.get("username_template"),
+        "groups": lease_config.get("groups"),
+        "policy_arns": lease_config.get("policy_arns"),
+        "iam_user_path": lease_config.get("iam_path", "/"),
+        "permission_boundary_arn": lease_config.get("permission_boundary_arn"),
+        "ttl_seconds": ttl_seconds,
     }
 
-    lease = DynamicSecretLease.objects.create(
-        secret=secret,
-        name=lease_name,
-        organisation_member=organisation_member,
-        service_account=service_account,
-        ttl=timedelta(seconds=ttl_seconds),
-        expires_at=timezone.now() + timedelta(seconds=ttl_seconds),
-        credentials=encrypted_credentials,
-    )
+    try:
+        user_result, user_meta = create_temporary_user(user_config, iam_client)
+        combined_meta["user_creation"] = user_meta
+        username = user_result["username"]
+        created_username = username  # Mark that we created a user
 
-    # --- Schedule revocation ---
-    from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
+        # Create access key for the user
+        access_key_result, access_key_meta = create_access_key(username, iam_client)
+        combined_meta["access_key_creation"] = access_key_meta
 
-    schedule_lease_revocation(lease)
+        lease_data = {
+            "username": username,
+            "user_arn": user_result["arn"],
+            "access_key_id": access_key_result["access_key_id"],
+            "secret_access_key": access_key_result["secret_access_key"],
+            "creation_time": user_result["creation_time"],
+            "expiry_time": user_result["expiry_time"],
+            "ttl_seconds": user_config.get("ttl_seconds", 60),
+        }
 
-    return lease, lease_data
+        env_pubkey, _ = get_environment_keys(secret.environment.id)
+
+        encrypted_credentials = {
+            "access_key_id": encrypt_asymmetric(
+                access_key_result["access_key_id"], env_pubkey
+            ),
+            "secret_access_key": encrypt_asymmetric(
+                access_key_result["secret_access_key"], env_pubkey
+            ),
+            "username": encrypt_asymmetric(username, env_pubkey),
+        }
+
+        lease = DynamicSecretLease.objects.create(
+            secret=secret,
+            name=lease_name,
+            organisation_member=organisation_member,
+            service_account=service_account,
+            ttl=timedelta(seconds=ttl_seconds),
+            expires_at=timezone.now() + timedelta(seconds=ttl_seconds),
+            credentials=encrypted_credentials,
+        )
+        combined_meta["lease_id"] = str(lease.id)
+        combined_meta["outcome"] = "success"
+
+        # --- Schedule revocation ---
+        from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
+
+        schedule_lease_revocation(lease)
+        combined_meta["revocation_scheduled"] = True
+
+        return lease, lease_data, combined_meta
+
+    except Exception as e:
+        # If we created a user but something failed later, clean it up
+        if created_username:
+            logger.warning(
+                f"Lease creation failed after user creation, cleaning up user {created_username}"
+            )
+            combined_meta["cleanup_attempted"] = True
+            try:
+                cleanup_failed_user_creation(created_username, iam_client)
+                combined_meta["cleanup_successful"] = True
+                logger.info(
+                    f"Successfully cleaned up user {created_username} after failed lease creation"
+                )
+            except Exception as cleanup_error:
+                combined_meta["cleanup_error"] = str(cleanup_error)
+                logger.error(
+                    f"Failed to cleanup user {created_username}: {cleanup_error}"
+                )
+                # Don't suppress the original error
+
+        # Re-raise the original exception
+        raise
+
+
+def cleanup_failed_user_creation(username: str, iam_client):
+    """
+    Clean up a partially created IAM user by removing all attached resources.
+    This is called when lease creation fails after user creation.
+    """
+    try:
+        # Delete all access keys
+        try:
+            access_keys = iam_client.list_access_keys(UserName=username)
+            for key in access_keys["AccessKeyMetadata"]:
+                iam_client.delete_access_key(
+                    UserName=username, AccessKeyId=key["AccessKeyId"]
+                )
+                logger.info(
+                    f"Cleaned up access key {key['AccessKeyId']} for user {username}"
+                )
+        except ClientError:
+            pass  # User might not have access keys yet
+
+        # Detach all managed policies
+        try:
+            attached_policies = iam_client.list_attached_user_policies(
+                UserName=username
+            )
+            for policy in attached_policies["AttachedPolicies"]:
+                iam_client.detach_user_policy(
+                    UserName=username, PolicyArn=policy["PolicyArn"]
+                )
+                logger.info(
+                    f"Cleaned up attached policy {policy['PolicyArn']} for user {username}"
+                )
+        except ClientError:
+            pass
+
+        # Delete all inline policies
+        try:
+            inline_policies = iam_client.list_user_policies(UserName=username)
+            for policy_name in inline_policies["PolicyNames"]:
+                iam_client.delete_user_policy(UserName=username, PolicyName=policy_name)
+                logger.info(
+                    f"Cleaned up inline policy {policy_name} for user {username}"
+                )
+        except ClientError:
+            pass
+
+        # Remove user from all groups
+        try:
+            groups_resp = iam_client.list_groups_for_user(UserName=username)
+            for group in groups_resp["Groups"]:
+                iam_client.remove_user_from_group(
+                    UserName=username, GroupName=group["GroupName"]
+                )
+                logger.info(
+                    f"Cleaned up group membership {group['GroupName']} for user {username}"
+                )
+        except ClientError:
+            pass
+
+        # Finally, delete the user
+        iam_client.delete_user(UserName=username)
+        logger.info(f"Cleaned up IAM user {username}")
+
+    except iam_client.exceptions.NoSuchEntityException:
+        logger.info(f"User {username} already deleted during cleanup")
+    except ClientError as e:
+        logger.error(f"Error during cleanup of user {username}: {e}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error during cleanup of user {username}: {e}")
+        raise
 
 
 def revoke_aws_dynamic_secret_lease(

From 2eb7ac6aaad2ddadcdf2f756d8bd6e9c8f356b34 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 12:25:24 +0530
Subject: [PATCH 082/117] feat: add log data to create event meta

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 1cbcfefcf..50ad297f4 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -190,7 +190,7 @@ def create_dynamic_secret_lease(
         lease_name = lease_name or secret.name
         ttl = ttl or int(secret.default_ttl.total_seconds())
         if secret.provider == "aws":
-            lease, lease_data = create_aws_dynamic_secret_lease(
+            lease, lease_data, meta = create_aws_dynamic_secret_lease(
                 secret=secret,
                 lease_name=lease_name,
                 organisation_member=organisation_member,
@@ -217,7 +217,7 @@ def create_dynamic_secret_lease(
                 service_account=service_account if service_account else None,
                 ip_address=ip_address,
                 user_agent=user_agent,
-                metadata={"action": "create", "ttl": ttl},
+                metadata=meta,
             )
 
             return lease, lease_data

From 248d76415fe836426f850e0f10cbc587ce2b566f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 13:59:35 +0530
Subject: [PATCH 083/117] fix: preselect first available aws cred, update cred
 picker styling

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../syncing/ProviderCredentialPicker.tsx      | 102 ++++++++++--------
 .../dynamic/CreateDynamicSecretDialog.tsx     |  29 +++--
 2 files changed, 74 insertions(+), 57 deletions(-)

diff --git a/frontend/components/syncing/ProviderCredentialPicker.tsx b/frontend/components/syncing/ProviderCredentialPicker.tsx
index 7ad5577fb..67840d11a 100644
--- a/frontend/components/syncing/ProviderCredentialPicker.tsx
+++ b/frontend/components/syncing/ProviderCredentialPicker.tsx
@@ -50,13 +50,18 @@ export const ProviderCredentialPicker = (props: {
       ? providerFilter === 'aws'
         ? credential.provider?.id === 'aws' || credential.provider?.id === 'aws_assume_role'
         : credential.provider?.id === providerFilter
-      : true
+      : false // If no credential is selected, it doesn't match the filter
 
   useEffect(() => {
-    if (setDefault && filteredCredentials.length > 0 && !credentialMatchesFilter)
+    if (
+      setDefault &&
+      filteredCredentials.length > 0 &&
+      (!credential || !credentialMatchesFilter) &&
+      filteredCredentials[0]
+    ) {
       setCredential(filteredCredentials[0])
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [providerFilter, filteredCredentials, setDefault])
+    }
+  }, [setDefault, filteredCredentials, credential, credentialMatchesFilter, setCredential])
 
   const NewCredentialsLink = () => (
     <Link
@@ -78,53 +83,56 @@ export const ProviderCredentialPicker = (props: {
     )
 
   return (
-    <Listbox value={credential} onChange={setCredential}>
-      {({ open }) => (
-        <>
-          <label className="block text-neutral-500 text-sm mb-2">Service credentials</label>
-          <Listbox.Button as={Fragment} aria-required aria-disabled={disabled}>
-            <div
-              className={clsx(
-                'p-2 flex items-center justify-between bg-zinc-100 dark:bg-zinc-800/60 rounded-md text-zinc-800 dark:text-white border border-zinc-300 dark:border-none focus:outline outline-emerald-500',
-                disabled && 'cursor-not-allowed opacity-60'
-              )}
-            >
-              {credential?.name || 'Select credentials'}
-              <FaChevronDown
+    <div className="relative">
+      <Listbox value={credential} onChange={setCredential}>
+        {({ open }) => (
+          <>
+            <label className="block text-neutral-500 text-sm mb-2">Service credentials</label>
+            <Listbox.Button as={Fragment} aria-required aria-disabled={disabled}>
+              <div
                 className={clsx(
-                  'transition-transform ease duration-300 text-neutral-500',
-                  open ? 'rotate-180' : 'rotate-0'
+                  'p-2 flex items-center justify-between bg-zinc-100 dark:bg-zinc-800/60  text-zinc-800 dark:text-white border border-neutral-500/20   focus:outline outline-emerald-500',
+                  disabled && 'cursor-not-allowed opacity-60',
+                  open ? 'rounded-t-md' : 'rounded-md'
                 )}
-              />
-            </div>
-          </Listbox.Button>
-          <Listbox.Options>
-            <div className="bg-zinc-100 dark:bg-zinc-800/60 p-2 rounded-b-md shadow-2xl backdrop-blur-md absolute z-10 space-y-2 border border-t-0 dark:border-none border-neutral-500/20">
-              {filteredCredentials.map((cred: ProviderCredentialsType) => (
-                <Listbox.Option key={cred.id} value={cred} as={Fragment}>
-                  {({ active, selected }) => (
-                    <div
-                      className={clsx(
-                        'flex items-center gap-2 p-2 cursor-pointer rounded-lg text-black dark:text-white',
-                        active && 'bg-zinc-200 dark:bg-zinc-700'
-                      )}
-                    >
-                      <FaKey className="shrink-0" />
-                      <div className="flex flex-col gap-2">
-                        <span className=" font-semibold">{cred.name}</span>
-                      </div>
-                    </div>
+              >
+                {credential?.name || 'Select credentials'}
+                <FaChevronDown
+                  className={clsx(
+                    'transition-transform ease duration-300 text-neutral-500',
+                    open ? 'rotate-180' : 'rotate-0'
                   )}
-                </Listbox.Option>
-              ))}
+                />
+              </div>
+            </Listbox.Button>
+            <Listbox.Options>
+              <div className="bg-zinc-100 w-full dark:bg-zinc-800/60 p-2 rounded-b-md shadow-2xl backdrop-blur-md absolute z-10 space-y-2 border border-t-0  border-neutral-500/20 ">
+                {filteredCredentials.map((cred: ProviderCredentialsType) => (
+                  <Listbox.Option key={cred.id} value={cred} as={Fragment}>
+                    {({ active, selected }) => (
+                      <div
+                        className={clsx(
+                          'flex items-center gap-2 p-2 cursor-pointer rounded-lg text-black dark:text-white',
+                          active && 'bg-zinc-200 dark:bg-zinc-700'
+                        )}
+                      >
+                        <FaKey className="shrink-0" />
+                        <div className="flex flex-col gap-2">
+                          <span className=" font-semibold">{cred.name}</span>
+                        </div>
+                      </div>
+                    )}
+                  </Listbox.Option>
+                ))}
 
-              <div className="pt-2 border-t border-neutral-500/40">
-                <NewCredentialsLink />
+                <div className="pt-2 border-t border-neutral-500/40">
+                  <NewCredentialsLink />
+                </div>
               </div>
-            </div>
-          </Listbox.Options>
-        </>
-      )}
-    </Listbox>
+            </Listbox.Options>
+          </>
+        )}
+      </Listbox>
+    </div>
   )
 }
diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 600ab2947..eb7493417 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -1,6 +1,14 @@
 'use client'
 
-import { forwardRef, useContext, useEffect, useImperativeHandle, useRef, useState } from 'react'
+import {
+  forwardRef,
+  useCallback,
+  useContext,
+  useEffect,
+  useImperativeHandle,
+  useRef,
+  useState,
+} from 'react'
 import {
   AwsConfigInput,
   DynamicSecretProviderType,
@@ -77,6 +85,10 @@ export const CreateDynamicSecretDialog = forwardRef<
     maxTTL: '86400',
   })
 
+  const handleCredentialChange = useCallback((cred: ProviderCredentialsType) => {
+    setFormData((prev) => ({ ...prev, credential: cred }))
+  }, [])
+
   const reset = () => {
     setProvider(null)
     setActiveStep(0)
@@ -108,18 +120,14 @@ export const CreateDynamicSecretDialog = forwardRef<
       }
     })
 
-    setFormData({
-      name: 'AWS IAM credentials',
-      description: '',
-      credential: null,
+    setFormData((prev) => ({
+      ...prev,
       config: {
-        usernameTemplate: '{{random}}',
+        ...prev.config,
         iamPath: `/phase/${organisation?.name}/${environment.app.name}/${environment.name}${path}`,
       },
       keyMap: initialKeyMap,
-      defaultTTL: '3600',
-      maxTTL: '86400',
-    })
+    }))
   }, [environment.app.name, environment.name, organisation?.name, path, provider])
 
   const steps: Step[] = [
@@ -271,9 +279,10 @@ export const CreateDynamicSecretDialog = forwardRef<
                   <div className="mt-2">
                     <ProviderCredentialPicker
                       credential={formData.credential}
-                      setCredential={(cred) => setFormData({ ...formData, credential: cred })}
+                      setCredential={handleCredentialChange}
                       orgId={organisation!.id}
                       providerFilter={provider.id}
+                      setDefault
                     />
                   </div>
                   <div className="space-y-4 pt-2">

From 71f6d48b854a0728a566eed2c800edd17a7d250f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 15:29:27 +0530
Subject: [PATCH 084/117] feat: add dynamic secrets to cross env screen

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/types.py             |  15 +-
 .../ee/integrations/secrets/dynamic/utils.py  |  12 +
 frontend/apollo/gql.ts                        |   4 +-
 frontend/apollo/graphql.ts                    |  10 +-
 frontend/apollo/schema.graphql                | 265 +++++++++---------
 .../apps/[app]/_components/AppSecrets.tsx     |  46 ++-
 .../[team]/apps/[app]/_hooks/useAppSecrets.ts |  50 +++-
 .../secrets/dynamic/AppDynamicSecretRow.tsx   | 157 +++++++++++
 frontend/ee/utils/dynamicSecrets.ts           |  40 +++
 .../graphql/queries/secrets/getAppSecrets.gql |  11 +
 10 files changed, 459 insertions(+), 151 deletions(-)
 create mode 100644 frontend/ee/components/secrets/dynamic/AppDynamicSecretRow.tsx
 create mode 100644 frontend/ee/utils/dynamicSecrets.ts

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index ebf3d3c82..5a7d100d4 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -4,6 +4,8 @@
     user_can_access_environment,
     user_has_permission,
 )
+from ee.integrations.secrets.dynamic.graphene.queries import resolve_dynamic_secrets
+from ee.integrations.secrets.dynamic.graphene.types import DynamicSecretType
 from backend.quotas import PLAN_CONFIG
 import graphene
 from enum import Enum
@@ -12,6 +14,7 @@
 from api.models import (
     ActivatedPhaseLicense,
     CustomUser,
+    DynamicSecret,
     Environment,
     EnvironmentKey,
     EnvironmentSync,
@@ -500,6 +503,9 @@ class EnvironmentType(DjangoObjectType):
     secrets = graphene.NonNull(
         graphene.List(SecretType), path=graphene.String(required=False)
     )
+    dynamic_secrets = graphene.NonNull(
+        graphene.List(DynamicSecretType), path=graphene.String(required=False)
+    )
     folder_count = graphene.Int()
     secret_count = graphene.Int()
     members = graphene.NonNull(graphene.List(OrganisationMemberType))
@@ -542,6 +548,10 @@ def resolve_secrets(self, info, path=None):
 
         return Secret.objects.filter(**filter).order_by("-created_at")
 
+    def resolve_dynamic_secrets(self, info, path=None):
+        # Reuse the existing resolver from queries.py
+        return resolve_dynamic_secrets(root=None, info=info, env_id=self.id, path=path)
+
     def resolve_folders(self, info, path=None):
         if not user_can_access_environment(info.context.user.userId, self.id):
             raise GraphQLError("You don't have access to this environment")
@@ -557,7 +567,10 @@ def resolve_folder_count(self, info):
         return SecretFolder.objects.filter(environment=self).count()
 
     def resolve_secret_count(self, info):
-        return Secret.objects.filter(environment=self, deleted_at=None).count()
+        return (
+            Secret.objects.filter(environment=self, deleted_at=None).count()
+            + DynamicSecret.objects.filter(environment=self, deleted_at=None).count()
+        )
 
     def resolve_wrapped_seed(self, info):
         org_member = OrganisationMember.objects.get(
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 50ad297f4..1963196be 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -186,6 +186,12 @@ def create_dynamic_secret_lease(
     service_account=None,
     request=None,
 ):
+
+    Organisation = apps.get_model("api", "Organisation")
+    org = secret.environment.app.organisation
+    if not org.plan == Organisation.ENTERPRISE_PLAN:
+        raise Exception("Dynamic secrets are only available on the Enterprise plan.")
+
     try:
         lease_name = lease_name or secret.name
         ttl = ttl or int(secret.default_ttl.total_seconds())
@@ -234,6 +240,12 @@ def renew_dynamic_secret_lease(
     organisation_member=None,
     service_account=None,
 ):
+
+    Organisation = apps.get_model("api", "Organisation")
+    org = lease.secret.environment.app.organisation
+    if not org.plan == Organisation.ENTERPRISE_PLAN:
+        raise Exception("Dynamic secrets are only available on the Enterprise plan.")
+
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
         raise Exception(
             "The specified TTL exceeds the maximum TTL for this dynamic secret."
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index e7204e8e0..909b14cce 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -121,7 +121,7 @@ const documents = {
     "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": types.GetDynamicSecretProvidersDocument,
     "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
     "query GetAppEnvironments($appId: ID!, $memberId: ID, $memberType: MemberType) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppEnvironmentsDocument,
-    "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppSecretsDocument,
+    "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n    dynamicSecrets(path: $path) {\n      id\n      name\n      path\n      description\n      provider\n      keyMap {\n        id\n        keyName\n      }\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppSecretsDocument,
     "query GetAppSecretsLogs($appId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $memberId: ID, $memberType: MemberType, $environmentId: ID) {\n  secretLogs(\n    appId: $appId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    memberId: $memberId\n    memberType: $memberType\n    environmentId: $environmentId\n  ) {\n    logs {\n      id\n      path\n      key\n      value\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      serviceAccountToken {\n        id\n        name\n        deletedAt\n      }\n      eventType\n      environment {\n        id\n        envType\n        name\n      }\n      secret {\n        id\n        path\n      }\n    }\n    count\n  }\n  environmentKeys(appId: $appId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    environment {\n      id\n    }\n  }\n}": types.GetAppSecretsLogsDocument,
     "query GetEnvironmentKey($envId: ID!, $appId: ID!) {\n  environmentKeys(environmentId: $envId, appId: $appId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n}": types.GetEnvironmentKeyDocument,
     "query GetEnvironmentTokens($envId: ID!) {\n  environmentTokens(environmentId: $envId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n  }\n}": types.GetEnvironmentTokensDocument,
@@ -607,7 +607,7 @@ export function graphql(source: "query GetAppEnvironments($appId: ID!, $memberId
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}"): (typeof documents)["query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}"];
+export function graphql(source: "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n    dynamicSecrets(path: $path) {\n      id\n      name\n      path\n      description\n      provider\n      keyMap {\n        id\n        keyName\n      }\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}"): (typeof documents)["query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n    dynamicSecrets(path: $path) {\n      id\n      name\n      path\n      description\n      provider\n      keyMap {\n        id\n        keyName\n      }\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index a3bf9736b..d087703d3 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -684,6 +684,7 @@ export type EnvironmentType = {
   __typename?: 'EnvironmentType';
   app: AppMembershipType;
   createdAt?: Maybe<Scalars['DateTime']['output']>;
+  dynamicSecrets: Array<Maybe<DynamicSecretType>>;
   envType: ApiEnvironmentEnvTypeChoices;
   folderCount?: Maybe<Scalars['Int']['output']>;
   folders: Array<Maybe<SecretFolderType>>;
@@ -701,6 +702,11 @@ export type EnvironmentType = {
 };
 
 
+export type EnvironmentTypeDynamicSecretsArgs = {
+  path?: InputMaybe<Scalars['String']['input']>;
+};
+
+
 export type EnvironmentTypeSecretsArgs = {
   path?: InputMaybe<Scalars['String']['input']>;
 };
@@ -3366,7 +3372,7 @@ export type GetAppSecretsQueryVariables = Exact<{
 }>;
 
 
-export type GetAppSecretsQuery = { __typename?: 'Query', sseEnabled?: boolean | null, serverPublicKey?: string | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, wrappedSeed?: string | null, wrappedSalt?: string | null, createdAt?: any | null, secretCount?: number | null, folderCount?: number | null, index: number, app: { __typename?: 'AppMembershipType', name: string, id: string }, members: Array<{ __typename?: 'OrganisationMemberType', email?: string | null, fullName?: string | null, avatarUrl?: string | null } | null>, folders: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string } | null>, secrets: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, comment: string, path: string } | null> } | null> | null };
+export type GetAppSecretsQuery = { __typename?: 'Query', sseEnabled?: boolean | null, serverPublicKey?: string | null, appEnvironments?: Array<{ __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices, identityKey: string, wrappedSeed?: string | null, wrappedSalt?: string | null, createdAt?: any | null, secretCount?: number | null, folderCount?: number | null, index: number, app: { __typename?: 'AppMembershipType', name: string, id: string }, members: Array<{ __typename?: 'OrganisationMemberType', email?: string | null, fullName?: string | null, avatarUrl?: string | null } | null>, folders: Array<{ __typename?: 'SecretFolderType', id: string, name: string, path: string } | null>, secrets: Array<{ __typename?: 'SecretType', id: string, key: string, value: string, comment: string, path: string } | null>, dynamicSecrets: Array<{ __typename?: 'DynamicSecretType', id: string, name: string, path: string, description: string, provider: ApiDynamicSecretProviderChoices, keyMap?: Array<{ __typename?: 'KeyMap', id?: string | null, keyName?: string | null } | null> | null } | null> } | null> | null };
 
 export type GetAppSecretsLogsQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3725,7 +3731,7 @@ export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kin
 export const GetDynamicSecretProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"configMap"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretProvidersQuery, GetDynamicSecretProvidersQueryVariables>;
 export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
 export const GetAppEnvironmentsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppEnvironments"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppEnvironmentsQuery, GetAppEnvironmentsQueryVariables>;
-export const GetAppSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppSecretsQuery, GetAppSecretsQueryVariables>;
+export const GetAppSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppSecretsQuery, GetAppSecretsQueryVariables>;
 export const GetAppSecretsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecretsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}},{"kind":"Argument","name":{"kind":"Name","value":"eventTypes"},"value":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppSecretsLogsQuery, GetAppSecretsLogsQueryVariables>;
 export const GetEnvironmentKeyDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetEnvironmentKey"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}}]}}]} as unknown as DocumentNode<GetEnvironmentKeyQuery, GetEnvironmentKeyQueryVariables>;
 export const GetEnvironmentTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetEnvironmentTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environmentTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyShare"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetEnvironmentTokensQuery, GetEnvironmentTokensQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index e42dbcc90..1e51cfafa 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -178,6 +178,7 @@ type EnvironmentType {
   updatedAt: DateTime!
   folders: [SecretFolderType]!
   secrets(path: String): [SecretType]!
+  dynamicSecrets(path: String): [DynamicSecretType]!
   folderCount: Int
   secretCount: Int
   members: [OrganisationMemberType]!
@@ -339,18 +340,25 @@ type PersonalSecretType {
   updatedAt: DateTime!
 }
 
-type EnvironmentSyncType {
+type DynamicSecretType {
   id: String!
+  name: String!
+  description: String!
   environment: EnvironmentType!
+  folder: SecretFolderType
   path: String!
-  options: JSONString!
   authentication: ProviderCredentialsType
-  isActive: Boolean!
+
+  """Which provider this secret is associated with."""
+  provider: ApiDynamicSecretProviderChoices!
+  config: DynamicSecretConfigUnion
+  keyMap: [KeyMap]
   createdAt: DateTime
-  lastSync: DateTime
-  status: ApiEnvironmentSyncStatusChoices!
-  serviceInfo: ServiceType
-  history: [EnvironmentSyncEventType!]!
+  updatedAt: DateTime!
+  deletedAt: DateTime
+  leases: [DynamicSecretLeaseType!]!
+  defaultTtlSeconds: Int
+  maxTtlSeconds: Int
 }
 
 type ProviderCredentialsType {
@@ -371,6 +379,124 @@ type ProviderType {
   authScheme: String
 }
 
+enum ApiDynamicSecretProviderChoices {
+  """AWS"""
+  AWS
+}
+
+union DynamicSecretConfigUnion = AWSConfigType
+
+type AWSConfigType {
+  usernameTemplate: String!
+  iamPath: String
+  permissionBoundaryArn: String
+  groups: String
+  policyArns: String
+  policyDocument: GenericScalar
+}
+
+"""
+The `GenericScalar` scalar type represents a generic
+GraphQL scalar value that could be:
+String, Boolean, Int, Float, List or Object.
+"""
+scalar GenericScalar
+
+type KeyMap {
+  id: String
+  keyName: String
+  masked: Boolean
+}
+
+type DynamicSecretLeaseType {
+  id: String!
+  name: String!
+  description: String!
+  secret: DynamicSecretType!
+  organisationMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  ttl: Float!
+
+  """Current status of the lease"""
+  status: ApiDynamicSecretLeaseStatusChoices!
+  credentials: LeaseCredentialsUnion
+  createdAt: DateTime
+  renewedAt: DateTime
+  expiresAt: DateTime
+  revokedAt: DateTime
+  deletedAt: DateTime
+  cleanupJobId: String!
+  events: [DynamicSecretLeaseEventType]
+}
+
+enum ApiDynamicSecretLeaseStatusChoices {
+  """Created"""
+  CREATED
+
+  """Active"""
+  ACTIVE
+
+  """Renewed"""
+  RENEWED
+
+  """Revoked"""
+  REVOKED
+
+  """Expired"""
+  EXPIRED
+}
+
+union LeaseCredentialsUnion = AwsCredentialsType
+
+type AwsCredentialsType {
+  accessKeyId: String
+  secretAccessKey: String
+  username: String
+}
+
+type DynamicSecretLeaseEventType {
+  id: ID!
+  lease: DynamicSecretLeaseType!
+  eventType: ApiDynamicSecretLeaseEventEventTypeChoices!
+  organisationMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  ipAddress: String
+  userAgent: String
+  metadata: JSONString!
+  createdAt: DateTime!
+}
+
+enum ApiDynamicSecretLeaseEventEventTypeChoices {
+  """Created"""
+  CREATED
+
+  """Active"""
+  ACTIVE
+
+  """Renewed"""
+  RENEWED
+
+  """Revoked"""
+  REVOKED
+
+  """Expired"""
+  EXPIRED
+}
+
+type EnvironmentSyncType {
+  id: String!
+  environment: EnvironmentType!
+  path: String!
+  options: JSONString!
+  authentication: ProviderCredentialsType
+  isActive: Boolean!
+  createdAt: DateTime
+  lastSync: DateTime
+  status: ApiEnvironmentSyncStatusChoices!
+  serviceInfo: ServiceType
+  history: [EnvironmentSyncEventType!]!
+}
+
 enum ApiEnvironmentSyncStatusChoices {
   """In progress"""
   IN_PROGRESS
@@ -780,131 +906,6 @@ type DynamicSecretProviderType {
   configMap: GenericScalar!
 }
 
-"""
-The `GenericScalar` scalar type represents a generic
-GraphQL scalar value that could be:
-String, Boolean, Int, Float, List or Object.
-"""
-scalar GenericScalar
-
-type DynamicSecretType {
-  id: String!
-  name: String!
-  description: String!
-  environment: EnvironmentType!
-  folder: SecretFolderType
-  path: String!
-  authentication: ProviderCredentialsType
-
-  """Which provider this secret is associated with."""
-  provider: ApiDynamicSecretProviderChoices!
-  config: DynamicSecretConfigUnion
-  keyMap: [KeyMap]
-  createdAt: DateTime
-  updatedAt: DateTime!
-  deletedAt: DateTime
-  leases: [DynamicSecretLeaseType!]!
-  defaultTtlSeconds: Int
-  maxTtlSeconds: Int
-}
-
-enum ApiDynamicSecretProviderChoices {
-  """AWS"""
-  AWS
-}
-
-union DynamicSecretConfigUnion = AWSConfigType
-
-type AWSConfigType {
-  usernameTemplate: String!
-  iamPath: String
-  permissionBoundaryArn: String
-  groups: String
-  policyArns: String
-  policyDocument: GenericScalar
-}
-
-type KeyMap {
-  id: String
-  keyName: String
-  masked: Boolean
-}
-
-type DynamicSecretLeaseType {
-  id: String!
-  name: String!
-  description: String!
-  secret: DynamicSecretType!
-  organisationMember: OrganisationMemberType
-  serviceAccount: ServiceAccountType
-  ttl: Float!
-
-  """Current status of the lease"""
-  status: ApiDynamicSecretLeaseStatusChoices!
-  credentials: LeaseCredentialsUnion
-  createdAt: DateTime
-  renewedAt: DateTime
-  expiresAt: DateTime
-  revokedAt: DateTime
-  deletedAt: DateTime
-  cleanupJobId: String!
-  events: [DynamicSecretLeaseEventType]
-}
-
-enum ApiDynamicSecretLeaseStatusChoices {
-  """Created"""
-  CREATED
-
-  """Active"""
-  ACTIVE
-
-  """Renewed"""
-  RENEWED
-
-  """Revoked"""
-  REVOKED
-
-  """Expired"""
-  EXPIRED
-}
-
-union LeaseCredentialsUnion = AwsCredentialsType
-
-type AwsCredentialsType {
-  accessKeyId: String
-  secretAccessKey: String
-  username: String
-}
-
-type DynamicSecretLeaseEventType {
-  id: ID!
-  lease: DynamicSecretLeaseType!
-  eventType: ApiDynamicSecretLeaseEventEventTypeChoices!
-  organisationMember: OrganisationMemberType
-  serviceAccount: ServiceAccountType
-  ipAddress: String
-  userAgent: String
-  metadata: JSONString!
-  createdAt: DateTime!
-}
-
-enum ApiDynamicSecretLeaseEventEventTypeChoices {
-  """Created"""
-  CREATED
-
-  """Active"""
-  ACTIVE
-
-  """Renewed"""
-  RENEWED
-
-  """Revoked"""
-  REVOKED
-
-  """Expired"""
-  EXPIRED
-}
-
 type Mutation {
   createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
   bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
diff --git a/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx b/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx
index f7950bbd8..ebb9e4f93 100644
--- a/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx
+++ b/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx
@@ -1,6 +1,5 @@
 'use client'
 
-import { InitAppEnvironments } from '@/graphql/mutations/environments/initAppEnvironments.gql'
 import { BulkProcessSecrets } from '@/graphql/mutations/environments/bulkProcessSecrets.gql'
 import { GetAppSyncStatus } from '@/graphql/queries/syncing/getAppSyncStatus.gql'
 import { GetAppDetail } from '@/graphql/queries/getAppDetail.gql'
@@ -10,7 +9,6 @@ import { EnvironmentType, SecretFolderType, SecretInput, SecretType } from '@/ap
 import _sodium from 'libsodium-wrappers-sumo'
 import { KeyringContext } from '@/contexts/keyringContext'
 import { MdPassword, MdSearchOff } from 'react-icons/md'
-
 import {
   FaAngleDoubleDown,
   FaAngleDoubleUp,
@@ -41,9 +39,7 @@ import {
   getUserKxPublicKey,
   arraysEqual,
 } from '@/utils/crypto'
-
 import { EmptyState } from '@/components/common/EmptyState'
-
 import { toast } from 'react-toastify'
 import { EnvSyncStatus } from '@/components/syncing/EnvSyncStatus'
 import { useAppSecrets } from '../_hooks/useAppSecrets'
@@ -55,6 +51,7 @@ import MultiEnvImportDialog from '@/components/environments/secrets/import/Multi
 import { TbDownload } from 'react-icons/tb'
 import { duplicateKeysExist } from '@/utils/secrets'
 import { useWarnIfUnsavedChanges } from '@/hooks/warnUnsavedChanges'
+import { AppDynamicSecretRow } from '@/ee/components/secrets/dynamic/AppDynamicSecretRow'
 
 export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -107,7 +104,7 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
   const [expandedSecrets, setExpandedSecrets] = useState<string[]>([])
 
   const [searchQuery, setSearchQuery] = useState<string>('')
-  const [initAppEnvironments] = useMutation(InitAppEnvironments)
+
   const [bulkProcessSecrets, { loading: bulkUpdatePending }] = useMutation(BulkProcessSecrets)
 
   const [isLoading, setIsLoading] = useState(false)
@@ -128,7 +125,6 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
     setExpandedSecrets(expandedSecrets.filter((id) => id !== secretId))
   }
 
-  const allRowsAreExpanded = clientAppSecrets.every((secret) => expandedSecrets.includes(secret.id))
   const allRowsAreCollapsed = expandedSecrets.length === 0
 
   const unsavedChanges =
@@ -155,10 +151,15 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
 
   useWarnIfUnsavedChanges(unsavedChanges)
 
-  const { appEnvironments, appSecrets, appFolders, fetching, refetch } = useAppSecrets(
-    app,
-    userCanReadSecrets,
-    unsavedChanges ? 0 : 10000 // Poll every 10 seconds
+  const { appEnvironments, appSecrets, appFolders, appDynamicSecrets, fetching, refetch } =
+    useAppSecrets(
+      app,
+      userCanReadSecrets,
+      unsavedChanges ? 0 : 10000 // Poll every 10 seconds
+    )
+
+  const allRowsAreExpanded = [...clientAppSecrets, ...appDynamicSecrets].every((item) =>
+    expandedSecrets.includes(item.id)
   )
 
   useEffect(() => {
@@ -184,6 +185,14 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
           return searchRegex.test(folder.name)
         })
 
+  const filteredDynamicSecrets =
+    searchQuery === ''
+      ? appDynamicSecrets
+      : appDynamicSecrets.filter((secret) => {
+          const searchRegex = new RegExp(searchQuery, 'i')
+          return searchRegex.test(secret.name)
+        })
+
   const { data: syncsData } = useQuery(GetAppSyncStatus, {
     variables: {
       appId: app,
@@ -194,7 +203,10 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
 
   const toggleAllExpanded = (expand: boolean) => {
     expand
-      ? setExpandedSecrets(clientAppSecrets.map((appSecret) => appSecret.id))
+      ? setExpandedSecrets([
+          ...clientAppSecrets.map((appSecret) => appSecret.id),
+          ...appDynamicSecrets.map((appDynamicSecret) => appDynamicSecret.id),
+        ])
       : setExpandedSecrets([])
   }
 
@@ -855,7 +867,7 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
         />
       )}
 
-      {filteredSecrets.length > 0 && (
+      {(filteredSecrets.length > 0 || filteredDynamicSecrets.length > 0) && (
         <div className="flex items-center justify-between">
           <div className="flex items-center gap-4">
             <Button
@@ -928,6 +940,16 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
                     <AppFolderRow key={appFolder.name} appFolder={appFolder} />
                   ))}
 
+                  {filteredDynamicSecrets.map((appDynamicSecret) => (
+                    <AppDynamicSecretRow
+                      key={appDynamicSecret.id}
+                      appDynamicSecret={appDynamicSecret}
+                      isExpanded={expandedSecrets.includes(appDynamicSecret.id)}
+                      expand={handleExpandRow}
+                      collapse={handleCollapseRow}
+                    />
+                  ))}
+
                   {filteredSecrets.map((appSecret, index) => (
                     <AppSecretRow
                       index={index}
diff --git a/frontend/app/[team]/apps/[app]/_hooks/useAppSecrets.ts b/frontend/app/[team]/apps/[app]/_hooks/useAppSecrets.ts
index 8da65ff36..67eea6ea6 100644
--- a/frontend/app/[team]/apps/[app]/_hooks/useAppSecrets.ts
+++ b/frontend/app/[team]/apps/[app]/_hooks/useAppSecrets.ts
@@ -4,18 +4,36 @@ import { unwrapEnvSecretsForUser, decryptEnvSecretKVs } from '@/utils/crypto'
 import { AppSecret, AppFolder, EnvSecrets, EnvFolders } from '../types'
 import { GetAppSecrets } from '@/graphql/queries/secrets/getAppSecrets.gql'
 import { KeyringContext } from '@/contexts/keyringContext'
-import { EnvironmentType } from '@/apollo/graphql'
+import { EnvironmentType, DynamicSecretType } from '@/apollo/graphql'
+import { decryptDynamicSecretKeyNames } from '@/ee/utils/dynamicSecrets'
+
+// Types for dynamic secrets
+type EnvDynamicSecrets = {
+  env: EnvironmentType
+  dynamicSecrets: DynamicSecretType[]
+}
+
+type AppDynamicSecret = {
+  id: string
+  name: string
+  path: string
+  envs: {
+    env: EnvironmentType
+    dynamicSecret: DynamicSecretType | null
+  }[]
+}
 
 export const useAppSecrets = (appId: string, allowFetch: boolean, pollInterval: number = 10000) => {
   const [appSecrets, setAppSecrets] = useState<AppSecret[]>([])
   const [appFolders, setAppFolders] = useState<AppFolder[]>([])
+  const [appDynamicSecrets, setAppDynamicSecrets] = useState<AppDynamicSecret[]>([])
   const [fetching, setFetching] = useState(true)
 
   const { keyring } = useContext(KeyringContext)
 
   // Fetch environments and secrets in a single query with polling
   const { data: appSecretsData, refetch } = useQuery(GetAppSecrets, {
-    variables: { appId, path: "/" },
+    variables: { appId, path: '/' },
     fetchPolicy: 'cache-and-network',
     skip: !allowFetch,
     pollInterval, // Polling for environments and secrets
@@ -26,10 +44,12 @@ export const useAppSecrets = (appId: string, allowFetch: boolean, pollInterval:
     async (appEnvironments: EnvironmentType[], secretsData: any) => {
       const envSecrets: EnvSecrets[] = []
       const envFolders: EnvFolders[] = []
+      const envDynamicSecrets: EnvDynamicSecrets[] = []
 
       for (const env of appEnvironments) {
         const secrets = secretsData[env.id]?.secrets || []
         const folders = secretsData[env.id]?.folders || []
+        const dynamicSecrets = secretsData[env.id]?.dynamicSecrets || []
 
         const { wrappedSeed, wrappedSalt } = env
 
@@ -40,9 +60,14 @@ export const useAppSecrets = (appId: string, allowFetch: boolean, pollInterval:
           keyring!
         )
         const decryptedSecrets = await decryptEnvSecretKVs(secrets, { publicKey, privateKey })
+        const decryptedDynamicSecrets = await decryptDynamicSecretKeyNames(dynamicSecrets, {
+          publicKey,
+          privateKey,
+        })
 
         envSecrets.push({ env, secrets: decryptedSecrets })
         envFolders.push({ env, folders })
+        envDynamicSecrets.push({ env, dynamicSecrets: decryptedDynamicSecrets })
       }
 
       // Combine secrets across environments and remove duplicates based on keys
@@ -76,8 +101,27 @@ export const useAppSecrets = (appId: string, allowFetch: boolean, pollInterval:
         })),
       }))
 
+      // Combine dynamic secrets across environments and remove duplicates based on name + path
+      const appDynamicSecrets = Array.from(
+        new Set(
+          envDynamicSecrets.flatMap((env) =>
+            env.dynamicSecrets.map((ds) => `${ds.name}::${ds.path}`)
+          )
+        )
+      ).map((namePathKey) => {
+        const [name, path] = namePathKey.split('::')
+        const envs = envDynamicSecrets.map((env) => ({
+          env: env.env,
+          dynamicSecret:
+            env.dynamicSecrets.find((ds) => ds.name === name && ds.path === path) || null,
+        }))
+
+        return { id: `${appId}-${namePathKey}`, name, path, envs }
+      })
+
       setAppSecrets(appSecrets)
       setAppFolders(appFolders)
+      setAppDynamicSecrets(appDynamicSecrets)
       setFetching(false)
     },
     [keyring, appId]
@@ -93,6 +137,7 @@ export const useAppSecrets = (appId: string, allowFetch: boolean, pollInterval:
         acc[env.id] = {
           secrets: env.secrets,
           folders: env.folders,
+          dynamicSecrets: env.dynamicSecrets,
         }
         return acc
       }, {})
@@ -106,6 +151,7 @@ export const useAppSecrets = (appId: string, allowFetch: boolean, pollInterval:
     appEnvironments: appSecretsData?.appEnvironments as EnvironmentType[],
     appSecrets,
     appFolders,
+    appDynamicSecrets,
     fetching,
     refetch,
   }
diff --git a/frontend/ee/components/secrets/dynamic/AppDynamicSecretRow.tsx b/frontend/ee/components/secrets/dynamic/AppDynamicSecretRow.tsx
new file mode 100644
index 000000000..1feb2fa4c
--- /dev/null
+++ b/frontend/ee/components/secrets/dynamic/AppDynamicSecretRow.tsx
@@ -0,0 +1,157 @@
+'use client'
+
+import { EnvironmentType, DynamicSecretType } from '@/apollo/graphql'
+
+import Link from 'next/link'
+import { usePathname } from 'next/navigation'
+import clsx from 'clsx'
+import { FaCheckCircle, FaChevronRight, FaExternalLinkAlt, FaTimesCircle } from 'react-icons/fa'
+import { Disclosure, Transition } from '@headlessui/react'
+import { FaBolt } from 'react-icons/fa6'
+
+type AppDynamicSecret = {
+  id: string
+  name: string
+  envs: {
+    env: EnvironmentType
+    dynamicSecret: DynamicSecretType | null
+  }[]
+}
+
+export const AppDynamicSecretRow = ({
+  appDynamicSecret,
+  isExpanded,
+  expand,
+  collapse,
+}: {
+  appDynamicSecret: AppDynamicSecret
+  isExpanded: boolean
+  expand: (id: string) => void
+  collapse: (id: string) => void
+}) => {
+  const pathname = usePathname()
+
+  const tooltipText = (env: { env: EnvironmentType; dynamicSecret: DynamicSecretType | null }) => {
+    if (env.dynamicSecret === null) return `This dynamic secret is missing in ${env.env.name}`
+    else return 'This dynamic secret is present'
+  }
+
+  const EnvDynamicSecret = ({
+    envDynamicSecret,
+  }: {
+    envDynamicSecret: {
+      env: EnvironmentType
+      dynamicSecret: DynamicSecretType | null
+    }
+  }) => {
+    const { envDynamicSecret: envDS } = { envDynamicSecret }
+
+    const EnvLabel = () => (
+      <div
+        className={`flex items-center gap-2 w-min group font-medium text-xs text-zinc-900 dark:text-zinc-100 opacity-60`}
+      >
+        <div>{envDS.env.name}</div>
+
+        <FaExternalLinkAlt className="opacity-0 group-hover:opacity-100 transition ease" />
+      </div>
+    )
+
+    return (
+      <div className="py-2 px-4">
+        {envDS.dynamicSecret === null ? (
+          <span className="text-red-500 font-mono uppercase">missing</span>
+        ) : (
+          <Link
+            className="flex items-center gap-2 group"
+            href={`${pathname}/environments/${envDS.env.id}/?secret=${envDS.dynamicSecret.id}`}
+            title={`View this dynamic secret in ${envDS.env.name}`}
+          >
+            <div className="w-full">
+              <EnvLabel />
+
+              {/* Show key names from keyMap */}
+              {envDS.dynamicSecret.keyMap && envDS.dynamicSecret.keyMap.length > 0 && (
+                <div className="mt-2 flex flex-col gap-1">
+                  {envDS.dynamicSecret.keyMap.map((keyEntry, index) => (
+                    <span
+                      key={index}
+                      className="inline-flex items-center px-2 py-1 rounded-md font-mono ph-no-capture text-2xs 2xl:text-sm"
+                    >
+                      {keyEntry?.keyName}
+                    </span>
+                  ))}
+                </div>
+              )}
+            </div>
+          </Link>
+        )}
+      </div>
+    )
+  }
+
+  return (
+    <>
+      <tr
+        className={clsx(
+          'group divide-x divide-neutral-500/40 border-x bg-zinc-100 dark:bg-zinc-800 cursor-pointer',
+          isExpanded ? '!border-r-neutral-500/20' : 'border-neutral-500/20 '
+        )}
+        onClick={() => (isExpanded ? collapse(appDynamicSecret.id) : expand(appDynamicSecret.id))}
+      >
+        <td
+          className={clsx(
+            'px-6 py-3 whitespace-nowrap font-mono text-zinc-800 dark:text-zinc-300 flex items-center gap-2 text-2xs 2xl:text-sm',
+            isExpanded ? 'font-bold' : 'font-medium'
+          )}
+        >
+          <FaBolt className="text-emerald-500" />
+          {appDynamicSecret.name}
+          <FaChevronRight
+            className={clsx(
+              'transform transition ease font-light',
+              isExpanded ? 'opacity-100 rotate-90' : 'opacity-0 group-hover:opacity-100 rotate-0'
+            )}
+          />
+        </td>
+        {appDynamicSecret.envs.map((env) => (
+          <td key={env.env.id} className="px-6 py-3 whitespace-nowrap">
+            <div className="flex items-center justify-center" title={tooltipText(env)}>
+              {env.dynamicSecret !== null ? (
+                <FaCheckCircle className="text-emerald-500 shrink-0" />
+              ) : (
+                <FaTimesCircle className="text-red-500 shrink-0" />
+              )}
+            </div>
+          </td>
+        ))}
+      </tr>
+      <Transition
+        as="tr"
+        show={isExpanded}
+        enter="transition duration-100 ease-out"
+        enterFrom="transform scale-95 opacity-0"
+        enterTo="transform scale-100 opacity-100"
+        leave="transition duration-75 ease-out"
+        leaveFrom="transform scale-100 opacity-100"
+        leaveTo="transform scale-95 opacity-0"
+        className={clsx('border-x', isExpanded ? 'shadow-xl' : '')}
+      >
+        {isExpanded && (
+          <td
+            colSpan={appDynamicSecret.envs.length + 1}
+            className="p-2 space-y-6 bg-zinc-100 dark:bg-zinc-800"
+          >
+            <div className="grid gap-2 divide-y divide-neutral-500/20">
+              {appDynamicSecret.envs.map((envDynamicSecret) => (
+                <EnvDynamicSecret
+                  key={envDynamicSecret.env.id}
+                  envDynamicSecret={envDynamicSecret}
+                />
+              ))}
+            </div>
+          </td>
+        )}
+      </Transition>
+    </>
+  )
+}
diff --git a/frontend/ee/utils/dynamicSecrets.ts b/frontend/ee/utils/dynamicSecrets.ts
new file mode 100644
index 000000000..2345b2c39
--- /dev/null
+++ b/frontend/ee/utils/dynamicSecrets.ts
@@ -0,0 +1,40 @@
+import { DynamicSecretType } from '@/apollo/graphql'
+import { decryptAsymmetric } from '@/utils/crypto'
+
+/**
+ * Decrypts dynamic secret key names in keyMap.
+ *
+ * @param {DynamicSecretType[]} encryptedDynamicSecrets - An array of encrypted dynamic secrets.
+ * @param {{ publicKey: string; privateKey: string }} envKeys - The environment keys for decryption.
+ * @returns {Promise<DynamicSecretType[]>} - An array of dynamic secrets with decrypted keyNames.
+ */
+export const decryptDynamicSecretKeyNames = async (
+  encryptedDynamicSecrets: DynamicSecretType[],
+  envKeys: { publicKey: string; privateKey: string }
+) => {
+  return Promise.all(
+    encryptedDynamicSecrets.map(async (dynamicSecret) => {
+      const decryptedDynamicSecret = structuredClone(dynamicSecret)
+
+      if (dynamicSecret.keyMap) {
+        decryptedDynamicSecret.keyMap = await Promise.all(
+          dynamicSecret.keyMap.map(async (keyMapEntry) => {
+            if (!keyMapEntry) return keyMapEntry
+            return {
+              ...keyMapEntry,
+              keyName: keyMapEntry.keyName
+                ? await decryptAsymmetric(
+                    keyMapEntry.keyName,
+                    envKeys.privateKey,
+                    envKeys.publicKey
+                  )
+                : keyMapEntry.keyName,
+            }
+          })
+        )
+      }
+
+      return decryptedDynamicSecret
+    })
+  )
+}
diff --git a/frontend/graphql/queries/secrets/getAppSecrets.gql b/frontend/graphql/queries/secrets/getAppSecrets.gql
index 015a57fdc..7ffb2bc59 100644
--- a/frontend/graphql/queries/secrets/getAppSecrets.gql
+++ b/frontend/graphql/queries/secrets/getAppSecrets.gql
@@ -36,6 +36,17 @@ query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path:
       comment
       path
     }
+    dynamicSecrets(path: $path) {
+      id
+      name
+      path
+      description
+      provider
+      keyMap {
+        id
+        keyName
+      }
+    }
   }
   sseEnabled(appId: $appId)
   serverPublicKey

From 6d7834d32e4b0ab84a88a92019bddd5da396b93b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 18:57:54 +0530
Subject: [PATCH 085/117] feat: add active lease warning on delete dialog

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../dynamic/DeleteDynamicSecretDialog.tsx     | 119 +++++++++++++++++-
 .../secrets/dynamic/ManageLeasesDialog.tsx    |   1 -
 2 files changed, 114 insertions(+), 6 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
index b0d12395d..30757943f 100644
--- a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
@@ -1,14 +1,61 @@
-import { DynamicSecretType, KeyMap } from '@/apollo/graphql'
+import {
+  ApiDynamicSecretLeaseStatusChoices,
+  DynamicSecretLeaseType,
+  DynamicSecretType,
+  KeyMap,
+} from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { organisationContext } from '@/contexts/organisationContext'
 import { DeleteDynamicSecretOP } from '@/graphql/mutations/environments/secrets/dynamic/deleteDynamicSecret.gql'
 import { GetDynamicSecrets } from '@/graphql/queries/secrets/dynamic/getDynamicSecrets.gql'
-import { useMutation } from '@apollo/client'
-import { useContext, useRef } from 'react'
+import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
+import { useLazyQuery, useMutation } from '@apollo/client'
+import { useContext, useEffect, useRef, useState } from 'react'
 import { FaTrashAlt } from 'react-icons/fa'
 import { toast } from 'react-toastify'
 import { userHasPermission } from '@/utils/access/permissions'
 import { Button } from '@/components/common/Button'
+import { Avatar } from '@/components/common/Avatar'
+import { relativeTimeFromDates } from '@/utils/time'
+import { Alert } from '@/components/common/Alert'
+import { Input } from '@/components/common/Input'
+
+const ActiveLeaseCard = ({ lease }: { lease: DynamicSecretLeaseType }) => {
+  return (
+    <div className="grid grid-cols-2 py-1">
+      <div>
+        <div className="font-medium text-sm text-zinc-900 dark:text-zinc-100">{lease.name}</div>
+        <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
+      </div>
+      <div className="text-xs flex flex-col items-end">
+        <div className="text-neutral-500 flex items-center gap-1">
+          Created {relativeTimeFromDates(new Date(lease.createdAt))}
+          {(lease.organisationMember || lease.serviceAccount) && (
+            <div className="flex items-center gap-1">
+              <span className="text-neutral-500 w-4">by</span>
+              <Avatar
+                member={lease.organisationMember || undefined}
+                serviceAccount={lease.serviceAccount || undefined}
+                size="sm"
+              />
+              <span className="font-medium text-zinc-900 dark:text-zinc-100">
+                {lease.organisationMember?.self
+                  ? 'You'
+                  : lease.organisationMember?.fullName || lease.serviceAccount?.name}
+              </span>
+            </div>
+          )}
+        </div>
+
+        <div className="flex justify-between items-center">
+          <div className="text-neutral-500">
+            Expires {relativeTimeFromDates(new Date(lease.expiresAt))}
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
 
 export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretType }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -17,18 +64,47 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
 
   const dialogRef = useRef<{ closeModal: () => void }>(null)
 
+  const [isOpen, setIsOpen] = useState(false)
+  // Listen for dialog open/close
+  const handleOpen = () => setIsOpen(true)
+  const handleClose = () => setIsOpen(false)
+
+  const [confirmed, setConfirmed] = useState(false)
+
   const closeModal = () => dialogRef.current?.closeModal()
 
   const keyMap: KeyMap[] = secret.keyMap as KeyMap[]
 
+  const [fetchLeases, { data, refetch, loading }] = useLazyQuery(GetDynamicSecretLeases, {
+    notifyOnNetworkStatusChange: true,
+  })
+
+  // Fetch leases when dialog is opened
+  useEffect(() => {
+    if (isOpen && organisation) {
+      fetchLeases({
+        variables: { secretId: secret.id, orgId: organisation?.id },
+        fetchPolicy: 'cache-and-network',
+      })
+    }
+  }, [isOpen, organisation, fetchLeases, secret.id])
+
+  const activeLeases: DynamicSecretLeaseType[] =
+    data?.dynamicSecrets[0].leases?.filter(
+      (lease: DynamicSecretLeaseType) => lease.status === ApiDynamicSecretLeaseStatusChoices.Active
+    ) ?? []
+
   const handleDelete = async () => {
     await deleteSecret({
       variables: { secretId: secret.id },
       refetchQueries: [{ query: GetDynamicSecrets, variables: { orgId: organisation?.id } }],
     })
     toast.success('Deleted dynamic secret')
+    closeModal()
   }
 
+  const allowDelete = activeLeases.length === 0 || (activeLeases.length > 0 && confirmed)
+
   const activeUserCanDeleteUsers = organisation?.role?.permissions
     ? userHasPermission(organisation?.role?.permissions, 'Members', 'delete', false)
     : false
@@ -44,11 +120,13 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
           <FaTrashAlt />
         </div>
       }
+      onOpen={handleOpen}
+      onClose={handleClose}
     >
       <div className="space-y-6">
         <p className="text-neutral-500 py-4">
-          Are you sure you want to delete this dynamic secret? This will immediately revoke all
-          active leases and delete the following secrets from your environment:
+          Are you sure you want to delete this dynamic secret? This will delete the following
+          secrets from your environment:
           <ul>
             {keyMap.map((k: KeyMap) => (
               <li
@@ -60,12 +138,43 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
             ))}
           </ul>
         </p>
+
+        {activeLeases.length > 0 && (
+          <div>
+            <p className="text-red-400 py-4 text-base">
+              Warning: This dynamic secret has{' '}
+              <span className="font-semibold">{activeLeases.length}</span> active leases which will
+              immediately be revoked:
+              <div className="divide-y divide-neutral-400/10 pt-2">
+                {activeLeases.slice(0, 5).map((lease) => (
+                  <ActiveLeaseCard key={lease.id} lease={lease} />
+                ))}
+              </div>
+              {activeLeases.length > 5 && (
+                <div className="text-center text-sm text-zinc-900 dark:text-zinc-100">
+                  + {activeLeases.length - 5} more
+                </div>
+              )}
+            </p>
+            <div className="flex items-center justify-end gap-2 text-red-400">
+              <input
+                type="checkbox"
+                className="cursor-pointer"
+                checked={confirmed}
+                onChange={(e) => setConfirmed(e.target.checked)}
+              />
+              <div className=" text-sm">Revoke all active leases.</div>
+            </div>
+          </div>
+        )}
+
         <div className="flex items-center justify-between gap-4">
           <Button variant="secondary" type="button" onClick={closeModal}>
             Cancel
           </Button>
           <Button
             variant="danger"
+            disabled={!allowDelete}
             onClick={handleDelete}
             isLoading={deleteIsPending}
             icon={FaTrashAlt}
diff --git a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
index 00e58bcc6..d0f52b9a0 100644
--- a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
@@ -24,7 +24,6 @@ export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) =>
   const handleClose = () => setIsOpen(false)
 
   const [fetchLeases, { data, refetch, loading }] = useLazyQuery(GetDynamicSecretLeases, {
-    //variables: { secretId: secret.id, orgId: organisation?.id },
     notifyOnNetworkStatusChange: true,
   })
 

From ada85ee4938f5eabcb997e62174fb19a34138e83 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 19:03:59 +0530
Subject: [PATCH 086/117] feat: misc ui cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/environments/secrets/SecretRow.tsx    | 4 +---
 .../secrets/dynamic/DeleteDynamicSecretDialog.tsx         | 6 +++---
 .../ee/components/secrets/dynamic/DynamicSecretRow.tsx    | 8 +++++---
 .../ee/components/secrets/dynamic/LeaseHistoryDialog.tsx  | 7 +++----
 .../secrets/dynamic/UpdateDynamicSecretDialog.tsx         | 4 ++--
 5 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/frontend/components/environments/secrets/SecretRow.tsx b/frontend/components/environments/secrets/SecretRow.tsx
index f1c95a34d..f274e6bb1 100644
--- a/frontend/components/environments/secrets/SecretRow.tsx
+++ b/frontend/components/environments/secrets/SecretRow.tsx
@@ -263,9 +263,7 @@ export default function SecretRow(props: {
           onClick={() => handleDelete(secret.id)}
           title={stagedForDelete ? 'Restore this secret' : 'Delete this secret'}
         >
-          <div className="text-white dark:text-red-500 flex items-center gap-1 p-1">
-            {stagedForDelete ? <FaUndo /> : <FaTrashAlt />}
-          </div>
+          <div className="p-1">{stagedForDelete ? <FaUndo /> : <FaTrashAlt />}</div>
         </Button>
       )}
     </div>
diff --git a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
index 30757943f..67b41f6b5 100644
--- a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
@@ -116,7 +116,7 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
       title="Delete Dynamic Secret"
       buttonVariant="danger"
       buttonContent={
-        <div className="py-1">
+        <div className="p-1">
           <FaTrashAlt />
         </div>
       }
@@ -143,8 +143,8 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
           <div>
             <p className="text-red-400 py-4 text-base">
               Warning: This dynamic secret has{' '}
-              <span className="font-semibold">{activeLeases.length}</span> active leases which will
-              immediately be revoked:
+              <span className="font-semibold">{activeLeases.length}</span> active lease
+              {`${activeLeases.length !== 1 ? 's' : ''}`} which will immediately be revoked:
               <div className="divide-y divide-neutral-400/10 pt-2">
                 {activeLeases.slice(0, 5).map((lease) => (
                   <ActiveLeaseCard key={lease.id} lease={lease} />
diff --git a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
index 19ed9f45b..848fbaf71 100644
--- a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
@@ -46,10 +46,12 @@ export const DynamicSecretRow = ({
           ))}
         </div>
 
-        <div className="flex h-full items-center gap-4  opacity-0 group-hover:opacity-100 transition ease">
+        <div className="flex h-full items-center justify-between gap-4 opacity-0 group-hover:opacity-100 transition ease">
           <CreateLeaseDialog secret={secret} />
-          <ManageLeasesDialog secret={secret} />
-          <UpdateDynamicSecretDialog secret={secret} environment={environment} />
+          <div className="flex items-center gap-4">
+            <ManageLeasesDialog secret={secret} />
+            <UpdateDynamicSecretDialog secret={secret} environment={environment} />
+          </div>
         </div>
       </div>
       <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center">
diff --git a/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx b/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
index a7cbc22ce..9ccd13481 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseHistoryDialog.tsx
@@ -1,8 +1,7 @@
-import { DynamicSecretLeaseEventType, DynamicSecretLeaseType } from '@/apollo/graphql'
+import { DynamicSecretLeaseType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { LeaseEventTimeline } from './LeaseTimeLine'
-import { FaClockRotateLeft } from 'react-icons/fa6'
-import { BsThreeDotsVertical } from 'react-icons/bs'
+import { FaListCheck } from 'react-icons/fa6'
 
 export const LeaseHistoryDialog = ({ lease }: { lease: DynamicSecretLeaseType }) => {
   return (
@@ -11,7 +10,7 @@ export const LeaseHistoryDialog = ({ lease }: { lease: DynamicSecretLeaseType })
       buttonVariant="ghost"
       buttonContent={
         <div className="flex items-center gap-1 text-2xs">
-          <BsThreeDotsVertical /> History
+          <FaListCheck /> History
         </div>
       }
     >
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index 966ba2df9..4af13b790 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -172,11 +172,11 @@ export const UpdateDynamicSecretDialog = forwardRef<
   return (
     <GenericDialog
       ref={dialogRef}
-      title={`Update Dynamic Secret`}
+      title={`Configure Dynamic Secret`}
       buttonVariant="secondary"
       buttonContent={
         <>
-          <FaCog /> Update
+          <FaCog /> Configure
         </>
       }
     >

From 550f85dca910f872c1c314454570e5af4c96f2c2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 16 Sep 2025 19:05:21 +0530
Subject: [PATCH 087/117] chore: misc code cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../components/secrets/dynamic/DeleteDynamicSecretDialog.tsx | 2 --
 frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx  | 1 -
 frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx     | 5 ++---
 .../ee/components/secrets/dynamic/ManageLeasesDialog.tsx     | 2 +-
 .../components/secrets/dynamic/UpdateDynamicSecretDialog.tsx | 4 ----
 5 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
index 67b41f6b5..260d223dc 100644
--- a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
@@ -17,8 +17,6 @@ import { userHasPermission } from '@/utils/access/permissions'
 import { Button } from '@/components/common/Button'
 import { Avatar } from '@/components/common/Avatar'
 import { relativeTimeFromDates } from '@/utils/time'
-import { Alert } from '@/components/common/Alert'
-import { Input } from '@/components/common/Input'
 
 const ActiveLeaseCard = ({ lease }: { lease: DynamicSecretLeaseType }) => {
   return (
diff --git a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
index 848fbaf71..22e9ef01d 100644
--- a/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
+++ b/frontend/ee/components/secrets/dynamic/DynamicSecretRow.tsx
@@ -5,7 +5,6 @@ import { CreateLeaseDialog } from './CreateLeaseDialog'
 import { ManageLeasesDialog } from './ManageLeasesDialog'
 import { DeleteDynamicSecretDialog } from './DeleteDynamicSecretDialog'
 import { UpdateDynamicSecretDialog } from '@/ee/components/secrets/dynamic/UpdateDynamicSecretDialog'
-import { randomString } from '@/utils/copy'
 import { MaskedTextarea } from '@/components/common/MaskedTextarea'
 
 export const DynamicSecretRow = ({
diff --git a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
index 135c0c49d..72483dc41 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
@@ -10,10 +10,9 @@ import { relativeTimeFromDates } from '@/utils/time'
 import clsx from 'clsx'
 import React from 'react'
 
-type Props = {
+type LeaseTimelineProps = {
   lease: DynamicSecretLeaseType
   className?: string
-  maxHeight?: number | string // e.g., 480 or '32rem'
 }
 
 const toTitleCase = (s: string) => (s ? s.charAt(0).toUpperCase() + s.slice(1).toLowerCase() : s)
@@ -104,7 +103,7 @@ const MetaRow = ({ k, v }: { k: string; v: unknown }) => {
   )
 }
 
-export const LeaseEventTimeline: React.FC<Props> = ({ lease, className }) => {
+export const LeaseEventTimeline: React.FC<LeaseTimelineProps> = ({ lease, className }) => {
   const events: DynamicSecretLeaseEventType[] =
     (lease.events as DynamicSecretLeaseEventType[]) || []
 
diff --git a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
index d0f52b9a0..0bff9e4f3 100644
--- a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
@@ -3,7 +3,7 @@ import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
-import { useLazyQuery, useQuery } from '@apollo/client'
+import { useLazyQuery } from '@apollo/client'
 import { useContext, useEffect, useRef, useState } from 'react'
 import { FaAngleDoubleDown, FaAngleDoubleUp, FaCog } from 'react-icons/fa'
 import { LeaseCard } from './LeaseCard'
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index 4af13b790..00b792e63 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -5,7 +5,6 @@ import {
   EnvironmentType,
   ProviderCredentialsType,
   KeyMapInput,
-  SecretType,
   DynamicSecretType,
 } from '@/apollo/graphql'
 import { GetDynamicSecretProviders } from '@/graphql/queries/secrets/dynamic/getProviders.gql'
@@ -17,13 +16,10 @@ import { Step, Stepper } from '@/components/onboarding/Stepper'
 import { ProviderCredentialPicker } from '@/components/syncing/ProviderCredentialPicker'
 import { organisationContext } from '@/contexts/organisationContext'
 import { useMutation, useQuery } from '@apollo/client'
-import { Card } from '@/components/common/Card'
-import { ProviderIcon } from '@/components/syncing/ProviderIcon'
 import { FaArrowRightLong } from 'react-icons/fa6'
 import { MdOutlinePassword } from 'react-icons/md'
 import { camelCase, toUpper } from 'lodash'
 import { toast } from 'react-toastify'
-import { duplicateKeysExist } from '@/utils/secrets'
 import { FaCog, FaCogs } from 'react-icons/fa'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'

From 1ac14bd9339a20d71cd603d841fcc76a5b409c7c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 17 Sep 2025 12:36:31 +0530
Subject: [PATCH 088/117] feat: update renewal behavior to extend total ttl,
 update ui

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/graphene/types.py         | 25 ++++-
 .../ee/integrations/secrets/dynamic/utils.py  | 16 +++-
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 94 +++++++++++++++----
 .../secrets/dynamic/getSecretLeases.gql       |  1 +
 4 files changed, 115 insertions(+), 21 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
index ac4ca4f4a..a401534df 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -101,18 +101,39 @@ class Meta:
         model = DynamicSecretLeaseEvent
         fields = "__all__"
 
+    def resolve_ttl(self, info):
+        return int(self.ttl.total_seconds()) if self.ttl else None
 
-class DynamicSecretLeaseType(DjangoObjectType):
 
+class DynamicSecretLeaseType(DjangoObjectType):
     credentials = graphene.Field(LeaseCredentialsUnion)
     events = graphene.List(DynamicSecretLeaseEventType)
+    ttl = graphene.Int()  # Add this to convert timedelta to seconds
 
     class Meta:
         model = DynamicSecretLease
-        fields = "__all__"
+        fields = (
+            "id",
+            "secret",
+            "name",
+            "organisation_member",
+            "service_account",
+            "ttl",
+            "status",
+            "expires_at",
+            "credentials",
+            "events",
+            "created_at",
+            "updated_at",
+            "revoked_at",
+            "deleted_at",
+        )
 
     def resolve_credentials(self, info):
         return getattr(self, "_credentials", None)
 
     def resolve_events(self, info):
         return self.events.all().order_by("created_at")
+
+    def resolve_ttl(self, info):
+        return int(self.ttl.total_seconds()) if self.ttl else None
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index 1963196be..fae0ed8c0 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -246,6 +246,18 @@ def renew_dynamic_secret_lease(
     if not org.plan == Organisation.ENTERPRISE_PLAN:
         raise Exception("Dynamic secrets are only available on the Enterprise plan.")
 
+    # Check if adding this renewal would exceed max TTL
+    current_ttl_seconds = lease.ttl.total_seconds()
+    new_total_ttl = current_ttl_seconds + ttl
+    max_ttl_seconds = lease.secret.max_ttl.total_seconds()
+
+    if new_total_ttl > max_ttl_seconds:
+        remaining_seconds = max_ttl_seconds - current_ttl_seconds
+        raise Exception(
+            f"The renewal TTL would exceed the maximum TTL for this dynamic secret. "
+            f"Maximum remaining renewal time: {int(remaining_seconds)} seconds"
+        )
+
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
         raise Exception(
             "The specified TTL exceeds the maximum TTL for this dynamic secret."
@@ -255,7 +267,9 @@ def renew_dynamic_secret_lease(
         raise Exception("This lease has expired and cannot be renewed")
 
     else:
-        lease.expires_at = timezone.now() + timedelta(seconds=ttl)
+        lease.expires_at = lease.expires_at + timedelta(seconds=ttl)
+        # Add the renewal TTL to the existing lease TTL
+        lease.ttl = lease.ttl + timedelta(seconds=ttl)
         lease.updated_at = timezone.now()
 
     # --- reschedule cleanup job ---
diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 58f295f8f..db7d56dcf 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -1,4 +1,8 @@
-import { DynamicSecretLeaseType, DynamicSecretType } from '@/apollo/graphql'
+import {
+  ApiDynamicSecretLeaseEventEventTypeChoices,
+  DynamicSecretLeaseType,
+  DynamicSecretType,
+} from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
 import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
@@ -11,6 +15,7 @@ import { useMutation } from '@apollo/client'
 import { toast } from 'react-toastify'
 import { organisationContext } from '@/contexts/organisationContext'
 import { Input } from '@/components/common/Input'
+import ProgressBar from '@/components/common/ProgressBar'
 
 export const RenewLeaseDialog = ({
   secret,
@@ -24,8 +29,17 @@ export const RenewLeaseDialog = ({
   const [ttl, setTtl] = useState(secret.defaultTtlSeconds!.toString())
   const [renewedLease, setRenewedLease] = useState<DynamicSecretLeaseType | null>(null)
 
-  const ttlButtons = leaseTtlButtons.filter((button) =>
-    secret.maxTtlSeconds ? parseInt(button.seconds) <= secret.maxTtlSeconds : button
+  // Calculate renewal statistics
+  const renewalCount =
+    lease.events?.filter(
+      (event) => event?.eventType === ApiDynamicSecretLeaseEventEventTypeChoices.Renewed
+    ).length || 0
+  const currentTtlSeconds = lease.ttl // This is the total TTL (initial + all renewals)
+  const maxTtlSeconds = secret.maxTtlSeconds!
+  const remainingRenewalTime = Math.max(0, maxTtlSeconds - currentTtlSeconds)
+
+  const ttlButtons = leaseTtlButtons.filter(
+    (button) => parseInt(button.seconds) <= remainingRenewalTime
   )
 
   const dialogRef = useRef<{ closeModal: () => void }>(null)
@@ -40,8 +54,8 @@ export const RenewLeaseDialog = ({
   }
 
   const handleRenewLease = async () => {
-    if (parseInt(ttl) > secret.maxTtlSeconds!) {
-      toast.error(`The maximum allowed TTL for this secret is ${secret.maxTtlSeconds}`)
+    if (parseInt(ttl) > remainingRenewalTime) {
+      toast.error(`The maximum remaining renewal time is ${remainingRenewalTime} seconds`)
       return
     }
 
@@ -96,26 +110,59 @@ export const RenewLeaseDialog = ({
             </div>
           </div>
         ) : (
-          <div className="py-4 space-y-2">
-            <div className="text-zinc-900 dark:text-zinc-100">
+          <div className="py-4 space-y-4">
+            <div className="text-zinc-900 dark:text-zinc-100 space-y-2 text-sm">
               <p>
                 This lease was created {relativeTimeFromDates(new Date(lease.createdAt))} and
                 expires {relativeTimeFromDates(new Date(lease.expiresAt))}{' '}
                 <span className="font-mono">({lease.expiresAt})</span>.
               </p>
 
-              <p>Select a TTL to renew this lease.</p>
+              {renewalCount > 0 && (
+                <p className="text-sm text-neutral-600 dark:text-neutral-400">
+                  This lease has been renewed <strong>{renewalCount}</strong> time
+                  {renewalCount !== 1 ? 's' : ''}.
+                </p>
+              )}
+
+              <div className="rounded-md py-2 text-sm">
+                <div className="flex justify-between items-center mb-2">
+                  <span className="text-neutral-600 dark:text-neutral-400">
+                    Total lease time used:
+                  </span>
+                  <span className="font-mono">
+                    {currentTtlSeconds}s / {maxTtlSeconds}s
+                  </span>
+                </div>
+                <ProgressBar
+                  percentage={(currentTtlSeconds / maxTtlSeconds) * 100}
+                  color="bg-emerald-500"
+                  size="sm"
+                />
+
+                <div className="flex justify-between items-center mt-2 text-xs text-neutral-500">
+                  <span>
+                    Maximum remaining renewal time: <strong>{remainingRenewalTime}s</strong>
+                  </span>
+                </div>
+              </div>
+
+              <p>Select a duration to extend this lease for:</p>
             </div>
             <div className="flex items-end gap-4 justify-between">
-              <Input
-                value={ttl}
-                setValue={setTtl}
-                type="number"
-                label="TTL (seconds)"
-                min={MINIMUM_LEASE_TTL}
-                max={secret.maxTtlSeconds!}
-                required
-              />
+              <div className="relative w-full">
+                <span className="absolute left-2 bottom-3 text-zinc-900 dark:text-zinc-100">+</span>
+                <Input
+                  value={ttl}
+                  setValue={setTtl}
+                  type="number"
+                  label="TTL (seconds)"
+                  min={MINIMUM_LEASE_TTL}
+                  max={remainingRenewalTime}
+                  required
+                  className="pl-6"
+                />
+              </div>
 
               <div className="flex items-center gap-2 py-1">
                 {ttlButtons.map((button) => (
@@ -123,10 +170,20 @@ export const RenewLeaseDialog = ({
                     variant={ttl === button.seconds ? 'secondary' : 'ghost'}
                     key={button.label}
                     onClick={() => setTtl(button.seconds)}
+                    disabled={parseInt(button.seconds) > remainingRenewalTime}
                   >
-                    {button.label}
+                    +{button.label}
                   </Button>
                 ))}
+                {remainingRenewalTime > 0 && (
+                  <Button
+                    variant={ttl === remainingRenewalTime.toString() ? 'secondary' : 'ghost'}
+                    onClick={() => setTtl(remainingRenewalTime.toString())}
+                    title={`Extend to maximum remaining time (${remainingRenewalTime}s)`}
+                  >
+                    Max
+                  </Button>
+                )}
               </div>
             </div>
           </div>
@@ -143,6 +200,7 @@ export const RenewLeaseDialog = ({
               icon={FiRefreshCw}
               onClick={handleRenewLease}
               isLoading={renewIsPending}
+              disabled={remainingRenewalTime <= 0}
             >
               {' '}
               Renew Lease
diff --git a/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql b/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
index 03541a37b..825632997 100644
--- a/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
+++ b/frontend/graphql/queries/secrets/dynamic/getSecretLeases.gql
@@ -4,6 +4,7 @@ query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {
     leases {
       id
       name
+      ttl
       createdAt
       expiresAt
       revokedAt

From 5334ebaeb268089e0274b1d4cdedf86cd0aeab9b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 17 Sep 2025 13:24:06 +0530
Subject: [PATCH 089/117] feat: misc ui fixes and improvements

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/ToggleSwitch.tsx   | 52 ++++++++----
 .../dynamic/CreateDynamicSecretDialog.tsx     |  2 +-
 .../dynamic/DeleteDynamicSecretDialog.tsx     | 51 +++++++-----
 .../secrets/dynamic/LeaseTimeLine.tsx         |  2 +-
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 83 ++++++++++---------
 .../secrets/dynamic/RevokeLeaseDialog.tsx     |  2 +-
 .../dynamic/UpdateDynamicSecretDialog.tsx     |  2 +-
 7 files changed, 116 insertions(+), 78 deletions(-)

diff --git a/frontend/components/common/ToggleSwitch.tsx b/frontend/components/common/ToggleSwitch.tsx
index f557b6a2c..d3af53f21 100644
--- a/frontend/components/common/ToggleSwitch.tsx
+++ b/frontend/components/common/ToggleSwitch.tsx
@@ -5,8 +5,42 @@ export const ToggleSwitch = (props: {
   onToggle: () => void
   disabled?: boolean
   asBoolean?: boolean
+  theme?: 'emerald' | 'red'
 }) => {
-  const { value, onToggle, disabled, asBoolean = true } = props
+  const { value, onToggle, disabled, asBoolean = true, theme = 'emerald' } = props
+
+  const getThemeColors = (isActive: boolean) => {
+    if (theme === 'red') {
+      return {
+        background: isActive
+          ? 'bg-red-400/20 dark:bg-red-400/10 ring-red-400/20'
+          : asBoolean
+            ? 'bg-neutral-500/40 ring-neutral-500/30'
+            : 'bg-red-400/20 dark:bg-red-400/10 ring-red-400/20',
+        toggle: isActive
+          ? 'translate-x-6 bg-red-500 dark:bg-red-400'
+          : asBoolean
+            ? 'translate-x-1 bg-black'
+            : 'translate-x-1 bg-red-500 dark:bg-red-400',
+      }
+    }
+
+    // Default emerald theme
+    return {
+      background: isActive
+        ? 'bg-emerald-400/20 dark:bg-emerald-400/10 ring-emerald-400/20'
+        : asBoolean
+          ? 'bg-neutral-500/40 ring-neutral-500/30'
+          : 'bg-emerald-400/20 dark:bg-emerald-400/10 ring-emerald-400/20',
+      toggle: isActive
+        ? 'translate-x-6 bg-emerald-500 dark:bg-emerald-400'
+        : asBoolean
+          ? 'translate-x-1 bg-black'
+          : 'translate-x-1 bg-emerald-500 dark:bg-emerald-400',
+    }
+  }
+
+  const themeColors = getThemeColors(value)
 
   return (
     <Switch
@@ -14,23 +48,11 @@ export const ToggleSwitch = (props: {
       checked={value}
       onChange={onToggle}
       disabled={disabled}
-      className={`${
-        value
-          ? 'bg-emerald-400/20 dark:bg-emerald-400/10 ring-emerald-400/20'
-          : asBoolean
-            ? 'bg-neutral-500/40 ring-neutral-500/30'
-            : 'bg-emerald-400/20 dark:bg-emerald-400/10 ring-emerald-400/20'
-      } ${disabled ? 'opacity-50 cursor-not-allowed' : ''} relative inline-flex h-6 w-11 items-center rounded-full ring-1 ring-inset`}
+      className={`${themeColors.background} ${disabled ? 'opacity-50 cursor-not-allowed' : ''} relative inline-flex h-6 w-11 items-center rounded-full ring-1 ring-inset`}
     >
       <span className="sr-only">Active</span>
       <span
-        className={`${
-          value
-            ? 'translate-x-6 bg-emerald-500 dark:bg-emerald-400'
-            : asBoolean
-              ? 'translate-x-1 bg-black'
-              : 'translate-x-1 bg-emerald-500 dark:bg-emerald-400'
-        } flex items-center justify-center h-4 w-4 transform rounded-full transition`}
+        className={`${themeColors.toggle} flex items-center justify-center h-4 w-4 transform rounded-full transition`}
       ></span>
     </Switch>
   )
diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index eb7493417..2b8f90621 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -410,7 +410,7 @@ export const CreateDynamicSecretDialog = forwardRef<
                         <FaArrowRightLong className="text-neutral-500" />
                         <div className="flex-1">
                           <Input
-                            className="font-mono"
+                            className="font-mono ph-no-capture"
                             placeholder="Enter secret name"
                             value={key.keyName ?? ''}
                             setValue={(val) =>
diff --git a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
index 260d223dc..cf8b456ce 100644
--- a/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/DeleteDynamicSecretDialog.tsx
@@ -17,6 +17,8 @@ import { userHasPermission } from '@/utils/access/permissions'
 import { Button } from '@/components/common/Button'
 import { Avatar } from '@/components/common/Avatar'
 import { relativeTimeFromDates } from '@/utils/time'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import clsx from 'clsx'
 
 const ActiveLeaseCard = ({ lease }: { lease: DynamicSecretLeaseType }) => {
   return (
@@ -122,14 +124,14 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
       onClose={handleClose}
     >
       <div className="space-y-6">
-        <p className="text-neutral-500 py-4">
+        <p className="text-neutral-500 pt-4">
           Are you sure you want to delete this dynamic secret? This will delete the following
           secrets from your environment:
-          <ul>
+          <ul className="pt-2">
             {keyMap.map((k: KeyMap) => (
               <li
                 key={k.keyName}
-                className="list-disc list-inside font-mono text-red-400 line-through"
+                className="list-disc list-inside font-mono text-red-400 line-through ph-no-capture"
               >
                 {k.keyName?.toUpperCase()}
               </li>
@@ -154,31 +156,36 @@ export const DeleteDynamicSecretDialog = ({ secret }: { secret: DynamicSecretTyp
                 </div>
               )}
             </p>
-            <div className="flex items-center justify-end gap-2 text-red-400">
-              <input
-                type="checkbox"
-                className="cursor-pointer"
-                checked={confirmed}
-                onChange={(e) => setConfirmed(e.target.checked)}
-              />
-              <div className=" text-sm">Revoke all active leases.</div>
-            </div>
           </div>
         )}
 
-        <div className="flex items-center justify-between gap-4">
+        <div className="flex items-end justify-between gap-4">
           <Button variant="secondary" type="button" onClick={closeModal}>
             Cancel
           </Button>
-          <Button
-            variant="danger"
-            disabled={!allowDelete}
-            onClick={handleDelete}
-            isLoading={deleteIsPending}
-            icon={FaTrashAlt}
-          >
-            Delete Dynamic Secret
-          </Button>
+          <div className="flex flex-col items-end gap-4">
+            {activeLeases.length > 0 && (
+              <div className="flex items-center justify-end gap-2 text-red-400">
+                <ToggleSwitch
+                  value={confirmed}
+                  onToggle={() => setConfirmed(!confirmed)}
+                  theme="red"
+                />
+                <div className={clsx('text-sm', confirmed ? '' : 'opacity-60')}>
+                  Revoke all active leases
+                </div>
+              </div>
+            )}
+            <Button
+              variant="danger"
+              disabled={!allowDelete}
+              onClick={handleDelete}
+              isLoading={deleteIsPending}
+              icon={FaTrashAlt}
+            >
+              Delete Dynamic Secret
+            </Button>
+          </div>
         </div>
       </div>
     </GenericDialog>
diff --git a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
index 72483dc41..985acb552 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseTimeLine.tsx
@@ -172,7 +172,7 @@ export const LeaseEventTimeline: React.FC<LeaseTimelineProps> = ({ lease, classN
                     </div>
 
                     {/* Metadata and request info */}
-                    <div className="pl-3 space-y-1 ">
+                    <div className="pl-3 space-y-1 ph-no-capture">
                       {(evt.ipAddress || evt.userAgent) && (
                         <div className="space-y-1">
                           {evt.ipAddress && <MetaRow k="IP" v={evt.ipAddress} />}
diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index db7d56dcf..5e520226e 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -146,46 +146,55 @@ export const RenewLeaseDialog = ({
                   </span>
                 </div>
               </div>
-
-              <p>Select a duration to extend this lease for:</p>
             </div>
-            <div className="flex items-end gap-4 justify-between">
-              <div className="relative w-full">
-                <span className="absolute left-2 bottom-3 text-zinc-900 dark:text-zinc-100">+</span>
-                <Input
-                  value={ttl}
-                  setValue={setTtl}
-                  type="number"
-                  label="TTL (seconds)"
-                  min={MINIMUM_LEASE_TTL}
-                  max={remainingRenewalTime}
-                  required
-                  className="pl-6"
-                />
+            {remainingRenewalTime > 0 ? (
+              <div>
+                <p>Select a duration to extend this lease for:</p>
+                <div className="flex items-end gap-4 justify-between">
+                  <div className="relative w-full">
+                    <span className="absolute left-2 bottom-3 text-zinc-900 dark:text-zinc-100">
+                      +
+                    </span>
+                    <Input
+                      value={ttl}
+                      setValue={setTtl}
+                      type="number"
+                      label="TTL (seconds)"
+                      min={MINIMUM_LEASE_TTL}
+                      max={remainingRenewalTime}
+                      required
+                      className="pl-6"
+                    />
+                  </div>
+
+                  <div className="flex items-center gap-2 py-1">
+                    {ttlButtons.map((button) => (
+                      <Button
+                        variant={ttl === button.seconds ? 'secondary' : 'ghost'}
+                        key={button.label}
+                        onClick={() => setTtl(button.seconds)}
+                        disabled={parseInt(button.seconds) > remainingRenewalTime}
+                      >
+                        +{button.label}
+                      </Button>
+                    ))}
+                    {remainingRenewalTime > 0 && (
+                      <Button
+                        variant={ttl === remainingRenewalTime.toString() ? 'secondary' : 'ghost'}
+                        onClick={() => setTtl(remainingRenewalTime.toString())}
+                        title={`Extend to maximum remaining time (${remainingRenewalTime}s)`}
+                      >
+                        Max
+                      </Button>
+                    )}
+                  </div>
+                </div>
               </div>
-
-              <div className="flex items-center gap-2 py-1">
-                {ttlButtons.map((button) => (
-                  <Button
-                    variant={ttl === button.seconds ? 'secondary' : 'ghost'}
-                    key={button.label}
-                    onClick={() => setTtl(button.seconds)}
-                    disabled={parseInt(button.seconds) > remainingRenewalTime}
-                  >
-                    +{button.label}
-                  </Button>
-                ))}
-                {remainingRenewalTime > 0 && (
-                  <Button
-                    variant={ttl === remainingRenewalTime.toString() ? 'secondary' : 'ghost'}
-                    onClick={() => setTtl(remainingRenewalTime.toString())}
-                    title={`Extend to maximum remaining time (${remainingRenewalTime}s)`}
-                  >
-                    Max
-                  </Button>
-                )}
+            ) : (
+              <div className="text-zinc-900 dark:text-zinc-100 text-sm">
+                This lease cannot be renewed any further.
               </div>
-            </div>
+            )}
           </div>
         )}
 
diff --git a/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
index 18c4f2b18..3d675ca67 100644
--- a/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
@@ -61,7 +61,7 @@ export const RevokeLeaseDialog = ({
         <div className="text-neutral-500">Revoke the lease for these dynamic secrets</div>
 
         <div className="py-4 space-y-2">
-          <div className="text-zinc-900 dark:text-zinc-100">
+          <div className="text-zinc-900 dark:text-zinc-100 text-sm">
             <p>Are you sure you want to revoke this lease?</p>
             <p>
               This lease was created {relativeTimeFromDates(new Date(lease.createdAt))} and expires{' '}
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index 00b792e63..48a0bb82f 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -307,7 +307,7 @@ export const UpdateDynamicSecretDialog = forwardRef<
                   <FaArrowRightLong className="text-neutral-500" />
                   <div className="flex-1">
                     <Input
-                      className="font-mono"
+                      className="font-mono ph-no-capture"
                       placeholder="Enter secret name"
                       value={key.keyName ?? ''}
                       setValue={(val) =>

From 44b473346a99ef1fdbbb47cee20258ce9677c608 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 17 Sep 2025 14:52:04 +0530
Subject: [PATCH 090/117] feat: move verbose timestamps to title attrs

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/CreateLeaseDialog.tsx     | 21 +++++++++----------
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 16 ++++++++++----
 .../secrets/dynamic/RevokeLeaseDialog.tsx     | 12 ++++++++---
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
index 1f65603ba..fadffaf78 100644
--- a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
@@ -100,18 +100,17 @@ export const CreateLeaseDialog = ({ secret }: { secret: DynamicSecretType }) =>
               Copy these values. You will not be able to view them once this dialog is closed!
             </Alert>
 
-            <AWSCredentials lease={lease} keyMap={(secret?.keyMap as KeyMap[]) || []} />
+            <Alert variant="info" size="sm" icon={true}>
+              <p>
+                This lease expires{' '}
+                <span title={lease.expiresAt}>
+                  {relativeTimeFromDates(new Date(lease.expiresAt))}
+                </span>
+                .
+              </p>
+            </Alert>
 
-            <div>
-              <div
-                className="flex items-center gap-2 text-neutral-500 text-sm"
-                title={lease.expiresAt}
-              >
-                <FaInfoCircle /> This lease expires{' '}
-                {relativeTimeFromDates(new Date(lease.expiresAt))}
-              </div>
-              <div className="font-mono text-sm text-neutral-500">({lease.expiresAt})</div>
-            </div>
+            <AWSCredentials lease={lease} keyMap={(secret?.keyMap as KeyMap[]) || []} />
           </div>
         ) : (
           <div className="space-y-2">
diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 5e520226e..56f2bf3ff 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -113,9 +113,15 @@ export const RenewLeaseDialog = ({
           <div className="py-4 space-y-4">
             <div className="text-zinc-900 dark:text-zinc-100 space-y-2 text-sm">
               <p>
-                This lease was created {relativeTimeFromDates(new Date(lease.createdAt))} and
-                expires {relativeTimeFromDates(new Date(lease.expiresAt))}{' '}
-                <span className="font-mono">({lease.expiresAt})</span>.
+                This lease was created{' '}
+                <span title={lease.createdAt}>
+                  {relativeTimeFromDates(new Date(lease.createdAt))}
+                </span>{' '}
+                and expires{' '}
+                <span title={lease.expiresAt}>
+                  {relativeTimeFromDates(new Date(lease.expiresAt))}
+                </span>
+                .
               </p>
 
               {renewalCount > 0 && (
@@ -149,7 +155,9 @@ export const RenewLeaseDialog = ({
             </div>
             {remainingRenewalTime > 0 ? (
               <div>
-                <p>Select a duration to extend this lease for:</p>
+                <p className="text-sm text-zinc-900 dark:text-zinc-100">
+                  Select a duration to extend this lease for:
+                </p>
                 <div className="flex items-end gap-4 justify-between">
                   <div className="relative w-full">
                     <span className="absolute left-2 bottom-3 text-zinc-900 dark:text-zinc-100">
diff --git a/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
index 3d675ca67..f3dccda07 100644
--- a/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RevokeLeaseDialog.tsx
@@ -64,9 +64,15 @@ export const RevokeLeaseDialog = ({
           <div className="text-zinc-900 dark:text-zinc-100 text-sm">
             <p>Are you sure you want to revoke this lease?</p>
             <p>
-              This lease was created {relativeTimeFromDates(new Date(lease.createdAt))} and expires{' '}
-              {relativeTimeFromDates(new Date(lease.expiresAt))}{' '}
-              <span className="font-mono">({lease.expiresAt})</span>.
+              This lease was created{' '}
+              <span title={lease.createdAt}>
+                {relativeTimeFromDates(new Date(lease.createdAt))}
+              </span>{' '}
+              and expires{' '}
+              <span title={lease.expiresAt}>
+                {relativeTimeFromDates(new Date(lease.expiresAt))}
+              </span>
+              .
             </p>
           </div>
         </div>

From 7468b6db227f40963ac1c301586c8c5aaf710b45 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 17 Sep 2025 15:03:09 +0530
Subject: [PATCH 091/117] fix: misc ui cleanup for secret menus

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/environments/secrets/HistoryDialog.tsx  | 5 ++++-
 frontend/components/environments/secrets/OverrideDialog.tsx | 4 +++-
 frontend/components/environments/secrets/SecretRow.tsx      | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/frontend/components/environments/secrets/HistoryDialog.tsx b/frontend/components/environments/secrets/HistoryDialog.tsx
index 1ddd7453a..4afc4393e 100644
--- a/frontend/components/environments/secrets/HistoryDialog.tsx
+++ b/frontend/components/environments/secrets/HistoryDialog.tsx
@@ -159,7 +159,10 @@ export const HistoryDialog = ({
     <>
       <div className="flex items-center justify-center">
         <Button variant="outline" onClick={openModal} title="View secret history" tabIndex={-1}>
-          <FaHistory /> <span className="hidden 2xl:block text-xs">History</span>
+          <span className="py-1">
+            <FaHistory className="shrink-0" />
+          </span>
+          <span className="hidden 2xl:block text-xs">History</span>
         </Button>
       </div>
 
diff --git a/frontend/components/environments/secrets/OverrideDialog.tsx b/frontend/components/environments/secrets/OverrideDialog.tsx
index 1ec038c72..5f65bc779 100644
--- a/frontend/components/environments/secrets/OverrideDialog.tsx
+++ b/frontend/components/environments/secrets/OverrideDialog.tsx
@@ -113,7 +113,9 @@ export const OverrideDialog = (props: {
             activeOverride ? 'A Personal Secret is overriding this value' : 'Override this value'
           }
         >
-          <FaUserEdit className={clsx(activeOverride && 'text-amber-500')} />{' '}
+          <span className="py-1">
+            <FaUserEdit className={clsx('shrink-0', activeOverride && 'text-amber-500')} />
+          </span>
           <span className={clsx('hidden 2xl:block text-xs', activeOverride && 'text-amber-500')}>
             Override
           </span>
diff --git a/frontend/components/environments/secrets/SecretRow.tsx b/frontend/components/environments/secrets/SecretRow.tsx
index f274e6bb1..72eaed392 100644
--- a/frontend/components/environments/secrets/SecretRow.tsx
+++ b/frontend/components/environments/secrets/SecretRow.tsx
@@ -162,7 +162,7 @@ export default function SecretRow(props: {
       <div
         className={clsx(
           'flex gap-1 items-center pt-1 px-1 rounded-t-lg',
-          'bg-zinc-200 group-hover:dark:bg-zinc-700',
+          'bg-zinc-200 dark:bg-zinc-700',
           'z-10 group-hover:z-10 absolute right-0 -top-9 translate-y-9 group-hover:translate-y-0 opacity-0 group-hover:opacity-100',
           'transition ease'
         )}
@@ -228,7 +228,7 @@ export default function SecretRow(props: {
             onClick={toggleReveal}
             title={isRevealed ? 'Mask value' : 'Reveal value'}
           >
-            <span className="2xl:py-1">{isRevealed ? <FaEyeSlash /> : <FaEye />}</span>{' '}
+            <span className="py-1">{isRevealed ? <FaEyeSlash /> : <FaEye />}</span>{' '}
             <span className="hidden 2xl:block text-xs">{isRevealed ? 'Mask' : 'Reveal'}</span>
           </Button>
         )}

From 6611bb47b4fd742cf740bbcbd67fc3acfabd2778 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 18 Sep 2025 13:23:13 +0530
Subject: [PATCH 092/117] feat: display used, remaining and total ttl in human
 readable format

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/RenewLeaseDialog.tsx      | 12 +++++---
 frontend/utils/time.ts                        | 28 +++++++++++++++++++
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 56f2bf3ff..70fcf1ae7 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -6,7 +6,7 @@ import {
 import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
 import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
-import { relativeTimeFromDates } from '@/utils/time'
+import { relativeTimeFromDates, humanReadableDuration } from '@/utils/time'
 import { useContext, useRef, useState } from 'react'
 import { FiRefreshCw } from 'react-icons/fi'
 import { RenewDynamicSecretLeaseOP } from '@/graphql/mutations/environments/secrets/dynamic/renewLease.gql'
@@ -136,8 +136,9 @@ export const RenewLeaseDialog = ({
                   <span className="text-neutral-600 dark:text-neutral-400">
                     Total lease time used:
                   </span>
-                  <span className="font-mono">
-                    {currentTtlSeconds}s / {maxTtlSeconds}s
+                  <span className="font-mono" title={`${currentTtlSeconds}s / ${maxTtlSeconds}s`}>
+                    {humanReadableDuration(currentTtlSeconds)} /{' '}
+                    {humanReadableDuration(maxTtlSeconds)}
                   </span>
                 </div>
                 <ProgressBar
@@ -148,7 +149,10 @@ export const RenewLeaseDialog = ({
 
                 <div className="flex justify-between items-center mt-2 text-xs text-neutral-500">
                   <span>
-                    Maximum remaining renewal time: <strong>{remainingRenewalTime}s</strong>
+                    Maximum remaining renewal time:{' '}
+                    <strong title={`${remainingRenewalTime}s`}>
+                      {humanReadableDuration(remainingRenewalTime)}
+                    </strong>
                   </span>
                 </div>
               </div>
diff --git a/frontend/utils/time.ts b/frontend/utils/time.ts
index e742751b5..35a15d540 100644
--- a/frontend/utils/time.ts
+++ b/frontend/utils/time.ts
@@ -73,3 +73,31 @@ export const dateToUnixTimestamp = (dateString: string): number => {
 export const inviteIsExpired = (invite: OrganisationMemberInviteType) => {
   return new Date(invite.expiresAt) < new Date()
 }
+
+/**
+ * Returns a human-readable duration string from a duration in seconds.
+ *
+ * @param {number} seconds - duration in seconds
+ * @returns {string} - human-readable duration (e.g., "1d 2h", "3h 15m", "45m", "30s")
+ */
+export const humanReadableDuration = (seconds: number): string => {
+  if (seconds < 60) {
+    return `${seconds}s`
+  }
+
+  const minutes = Math.floor(seconds / 60)
+  const hours = Math.floor(minutes / 60)
+  const days = Math.floor(hours / 24)
+
+  if (days > 0) {
+    const remainingHours = hours % 24
+    return remainingHours > 0 ? `${days}d ${remainingHours}h` : `${days}d`
+  }
+
+  if (hours > 0) {
+    const remainingMinutes = minutes % 60
+    return remainingMinutes > 0 ? `${hours}h ${remainingMinutes}m` : `${hours}h`
+  }
+
+  return `${minutes}m`
+}

From 5ed9483a50d3741e836c81ecc14ad8f33960032a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 18 Sep 2025 13:44:50 +0530
Subject: [PATCH 093/117] fix: clamp progress bar to 100%

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/ProgressBar.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/components/common/ProgressBar.tsx b/frontend/components/common/ProgressBar.tsx
index 279a363e6..3e5be8c00 100644
--- a/frontend/components/common/ProgressBar.tsx
+++ b/frontend/components/common/ProgressBar.tsx
@@ -17,6 +17,9 @@ const ProgressBar: React.FC<ProgressBarProps> = ({
   message = '',
   size,
 }) => {
+  // Ensure percentage is between 0 and 100
+  const clampedPercentage = Math.min(100, Math.max(0, percentage))
+
   const height = () => {
     if (!size || size === 'md') return 'h-2'
     else if (size === 'sm') return 'h-1'
@@ -29,7 +32,7 @@ const ProgressBar: React.FC<ProgressBarProps> = ({
         <div
           className={clsx(color, 'transition-all ease float-left rounded-sm', height())}
           style={{
-            width: `${percentage}%`,
+            width: `${clampedPercentage}%`,
           }}
         ></div>
       </div>

From 0d3ff8e811dc797ed9fab10c0e8ba14dfffec2a6 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Thu, 25 Sep 2025 16:41:00 +0530
Subject: [PATCH 094/117] fix: pass external id when assuming role via sts

---
 .../ee/integrations/secrets/dynamic/aws/utils.py    | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 856d2aeb8..7bc2d082a 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -386,9 +386,16 @@ def get_iam_client(secret: DynamicSecret) -> tuple[boto3.client, dict]:
     if has_role_arn:
         integration_credentials = get_aws_assume_role_credentials(secret.authentication)
         role_arn = integration_credentials.get("role_arn")
-        assumed_role = sts_client.assume_role(
-            RoleArn=role_arn, RoleSessionName="phase-dynamic-secret-session"
-        )
+        external_id = integration_credentials.get("external_id")
+
+        assume_params = {
+            "RoleArn": role_arn,
+            "RoleSessionName": "phase-dynamic-secret-session",
+        }
+        if external_id:
+            assume_params["ExternalId"] = external_id
+
+        assumed_role = sts_client.assume_role(**assume_params)
         aws_credentials = assumed_role["Credentials"]
     else:
         integration_credentials = get_aws_access_key_credentials(secret.authentication)

From d376038b2c09ef55aff2fab66b91c45d894b01f4 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Thu, 25 Sep 2025 18:13:28 +0530
Subject: [PATCH 095/117] feat: unambigious sts client construction

---
 .../integrations/secrets/dynamic/aws/utils.py   | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 7bc2d082a..6ca28e553 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -359,12 +359,17 @@ def get_sts_client(region="us-east-1"):
     aws_access_key_id = get_secret("AWS_INTEGRATION_ACCESS_KEY_ID")
     aws_secret_access_key = get_secret("AWS_INTEGRATION_SECRET_ACCESS_KEY")
 
-    sts_client = boto3.client(
-        "sts",
-        region_name=region,
-        aws_access_key_id=aws_access_key_id,
-        aws_secret_access_key=aws_secret_access_key,
-    )
+    # If explicit integration credentials are passed, use them.
+    # Otherwise, rely on the instance/machine role auth provider chain.
+    if aws_access_key_id and aws_secret_access_key:
+        sts_client = boto3.client(
+            "sts",
+            region_name=region,
+            aws_access_key_id=aws_access_key_id,
+            aws_secret_access_key=aws_secret_access_key,
+        )
+    else:
+        sts_client = boto3.client("sts", region_name=region)
 
     return sts_client
 

From 6c721f94e01053bcea28756896bccb8df518b018 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 26 Sep 2025 15:07:32 +0530
Subject: [PATCH 096/117] fix: replace concat with extend for dynamic secrets
 in response data

---
 backend/api/views/secrets.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index a5d86f2e5..b6f89ecf0 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -219,7 +219,7 @@ def get(self, request, *args, **kwargs):
         response_data = serializer.data
 
         if include_dynamic_secrets:
-            response_data.concat(dynamic_secrets_data)
+            response_data.extend(dynamic_secrets_data)
 
         return Response(
             response_data,
@@ -612,7 +612,7 @@ def get(self, request, *args, **kwargs):
         response_data = serializer.data
 
         if include_dynamic_secrets:
-            response_data.append(dynamic_secrets_data)
+            response_data.extend(dynamic_secrets_data)
 
         return Response(
             response_data,

From f55c5f05a4489ac86ec32ae47488e21090c5f6c6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 27 Sep 2025 14:59:09 +0530
Subject: [PATCH 097/117] fix: correctly log org member during revoke via rest

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index 71d079a32..dd39c3505 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -306,7 +306,7 @@ def delete(self, request, *args, **kwargs):
 
         org_member = service_account = None
         if request.auth["auth_type"] == "User":
-            org_member = request.auth["org_member"].user
+            org_member = request.auth["org_member"]
         elif request.auth["auth_type"] == "ServiceAccount":
             service_account = request.auth["service_account"]
 

From b9f2e37c7cfbf75a82a0b463b3232e1697ca6e7e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 27 Sep 2025 17:26:13 +0530
Subject: [PATCH 098/117] feat: implement custom exceptions for dynamic secret
 operations and lease handling

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/aws/utils.py |  5 +-
 .../secrets/dynamic/exceptions.py             | 34 ++++++++++
 .../secrets/dynamic/rest/views.py             | 67 +++++++++++++++----
 .../ee/integrations/secrets/dynamic/utils.py  | 22 ++++--
 4 files changed, 107 insertions(+), 21 deletions(-)
 create mode 100644 backend/ee/integrations/secrets/dynamic/exceptions.py

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index 6ca28e553..e4350acc7 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -7,6 +7,7 @@
 from api.utils.secrets import get_environment_keys
 
 from api.utils.rest import get_resolver_request_meta
+from ee.integrations.secrets.dynamic.exceptions import LeaseAlreadyRevokedError
 from backend.utils.secrets import get_secret
 from ee.integrations.secrets.dynamic.providers import DynamicSecretProviders
 import logging
@@ -821,7 +822,9 @@ def revoke_aws_dynamic_secret_lease(
 
     if lease.revoked_at is not None:
         logger.info(f"Lease {lease.id} already revoked at {lease.revoked_at}")
-        return
+        raise LeaseAlreadyRevokedError(
+            f"Lease has already been revoked at {lease.revoked_at}"
+        )
 
     logger.info(f"Revoking lease {lease.id} (manual={manual})")
 
diff --git a/backend/ee/integrations/secrets/dynamic/exceptions.py b/backend/ee/integrations/secrets/dynamic/exceptions.py
new file mode 100644
index 000000000..ab7cf3ba2
--- /dev/null
+++ b/backend/ee/integrations/secrets/dynamic/exceptions.py
@@ -0,0 +1,34 @@
+class DynamicSecretError(Exception):
+    """Base exception for dynamic secret operations"""
+
+    pass
+
+
+class PlanRestrictionError(DynamicSecretError):
+    """Raised when operation is restricted by organization plan"""
+
+    pass
+
+
+class LeaseRenewalError(DynamicSecretError):
+    """Raised when lease renewal fails due to business logic constraints"""
+
+    pass
+
+
+class LeaseExpiredError(DynamicSecretError):
+    """Raised when attempting to renew an expired lease"""
+
+    pass
+
+
+class TTLExceededError(DynamicSecretError):
+    """Raised when TTL exceeds maximum allowed values"""
+
+    pass
+
+
+class LeaseAlreadyRevokedError(DynamicSecretError):
+    """Raised when attempting to operate on an already revoked lease"""
+
+    pass
diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index dd39c3505..e68c94de0 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -23,6 +23,14 @@
 from ee.integrations.secrets.dynamic.aws.utils import (
     revoke_aws_dynamic_secret_lease,
 )
+from ee.integrations.secrets.dynamic.exceptions import (
+    DynamicSecretError,
+    PlanRestrictionError,
+    LeaseRenewalError,
+    LeaseExpiredError,
+    TTLExceededError,
+    LeaseAlreadyRevokedError,
+)
 from ee.integrations.secrets.dynamic.utils import (
     create_dynamic_secret_lease,
     renew_dynamic_secret_lease,
@@ -285,15 +293,26 @@ def put(self, request, *args, **kwargs):
                 organisation_member=org_member,
                 service_account=service_account,
             )
+        except PlanRestrictionError as e:
+            return Response({"error": str(e)}, status=403)
+        except (LeaseRenewalError, TTLExceededError, LeaseExpiredError) as e:
+            return Response({"error": str(e)}, status=400)
+        except DynamicSecretError as e:
+            # Catch any other dynamic secret errors
+            return Response({"error": str(e)}, status=400)
         except Exception as e:
-            logger.exception(
-                "Failed to renew dynamic secret lease (lease_id=%s)", lease_id
-            )
+            logger.exception("Unexpected error renewing lease (lease_id=%s)", lease_id)
             return Response(
-                {"error": "An internal error occurred while renewing the lease."},
-                status=400,
+                {"error": "An internal error occurred while renewing the lease"},
+                status=500,
             )
-        return Response(status=status.HTTP_200_OK)
+
+        return Response(
+            {
+                "message": f"Lease renewed successfully. Updated expiry: {lease.expires_at}"
+            },
+            status=status.HTTP_200_OK,
+        )
 
     # Revoke
     def delete(self, request, *args, **kwargs):
@@ -310,13 +329,33 @@ def delete(self, request, *args, **kwargs):
         elif request.auth["auth_type"] == "ServiceAccount":
             service_account = request.auth["service_account"]
 
-        if lease.secret.provider == "aws":
-            revoke_aws_dynamic_secret_lease(
-                lease.id,
-                manual=True,
-                request=request,
-                organisation_member=org_member,
-                service_account=service_account,
+        try:
+            if lease.secret.provider == "aws":
+                revoke_aws_dynamic_secret_lease(
+                    lease.id,
+                    manual=True,
+                    request=request,
+                    organisation_member=org_member,
+                    service_account=service_account,
+                )
+
+            return Response(
+                {"message": "Lease revoked successfully"}, status=status.HTTP_200_OK
             )
 
-        return Response(status=status.HTTP_200_OK)
+        except LeaseAlreadyRevokedError as e:
+            # If lease is already revoked, still return success with message
+            return Response(
+                {"message": "Lease was already revoked"}, status=status.HTTP_200_OK
+            )
+        except PlanRestrictionError as e:
+            return Response({"error": str(e)}, status=403)
+        except DynamicSecretError as e:
+            # Catch any other dynamic secret errors
+            return Response({"error": str(e)}, status=400)
+        except Exception as e:
+            logger.exception("Unexpected error revoking lease (lease_id=%s)", lease_id)
+            return Response(
+                {"error": "An internal error occurred while revoking the lease"},
+                status=500,
+            )
diff --git a/backend/ee/integrations/secrets/dynamic/utils.py b/backend/ee/integrations/secrets/dynamic/utils.py
index fae0ed8c0..127b3ce6f 100644
--- a/backend/ee/integrations/secrets/dynamic/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/utils.py
@@ -9,6 +9,13 @@
 from api.utils.crypto import decrypt_asymmetric
 from api.models import DynamicSecretLease, DynamicSecretLeaseEvent
 from api.utils.rest import get_resolver_request_meta
+from ee.integrations.secrets.dynamic.exceptions import (
+    LeaseAlreadyRevokedError,
+    LeaseExpiredError,
+    LeaseRenewalError,
+    PlanRestrictionError,
+    TTLExceededError,
+)
 from ee.integrations.secrets.dynamic.aws.utils import (
     create_aws_dynamic_secret_lease,
 )
@@ -244,7 +251,9 @@ def renew_dynamic_secret_lease(
     Organisation = apps.get_model("api", "Organisation")
     org = lease.secret.environment.app.organisation
     if not org.plan == Organisation.ENTERPRISE_PLAN:
-        raise Exception("Dynamic secrets are only available on the Enterprise plan.")
+        raise PlanRestrictionError(
+            "Dynamic secrets are only available on the Enterprise plan."
+        )
 
     # Check if adding this renewal would exceed max TTL
     current_ttl_seconds = lease.ttl.total_seconds()
@@ -253,18 +262,18 @@ def renew_dynamic_secret_lease(
 
     if new_total_ttl > max_ttl_seconds:
         remaining_seconds = max_ttl_seconds - current_ttl_seconds
-        raise Exception(
+        raise LeaseRenewalError(
             f"The renewal TTL would exceed the maximum TTL for this dynamic secret. "
             f"Maximum remaining renewal time: {int(remaining_seconds)} seconds"
         )
 
     if timedelta(seconds=ttl) > lease.secret.max_ttl:
-        raise Exception(
+        raise TTLExceededError(
             "The specified TTL exceeds the maximum TTL for this dynamic secret."
         )
 
     if lease.expires_at <= timezone.now():
-        raise Exception("This lease has expired and cannot be renewed")
+        raise LeaseExpiredError("This lease has expired and cannot be renewed")
 
     else:
         lease.expires_at = lease.expires_at + timedelta(seconds=ttl)
@@ -323,8 +332,9 @@ def schedule_lease_revocation(lease, immediate=False):
     # --- Schedule revocation ---
 
     if lease.revoked_at is not None:
-        logger.info(f"Lease {lease.id} already revoked at {lease.revoked_at}")
-        return
+        raise LeaseAlreadyRevokedError(
+            f"Lease has already been revoked at {lease.revoked_at}"
+        )
 
     scheduled_revoke_time = lease.expires_at
     if immediate:

From 6ea662e83d185ecad53409e89c6b2e36e4e5b59e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 27 Sep 2025 17:26:26 +0530
Subject: [PATCH 099/117] chore: clean up types

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/graphene/types.py         |   1 -
 frontend/apollo/gql.ts                        |   4 +-
 frontend/apollo/graphql.ts                    |   9 +-
 frontend/apollo/schema.graphql                | 484 +++++++++++++++---
 4 files changed, 405 insertions(+), 93 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
index a401534df..2a5ca0770 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -124,7 +124,6 @@ class Meta:
             "credentials",
             "events",
             "created_at",
-            "updated_at",
             "revoked_at",
             "deleted_at",
         )
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 909b14cce..b4c16e884 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -119,7 +119,7 @@ const documents = {
     "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}": types.VerifyInviteDocument,
     "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
     "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": types.GetDynamicSecretProvidersDocument,
-    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
+    "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      ttl\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
     "query GetAppEnvironments($appId: ID!, $memberId: ID, $memberType: MemberType) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppEnvironmentsDocument,
     "query GetAppSecrets($appId: ID!, $memberId: ID, $memberType: MemberType, $path: String) {\n  appEnvironments(\n    appId: $appId\n    environmentId: null\n    memberId: $memberId\n    memberType: $memberType\n  ) {\n    id\n    name\n    envType\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    createdAt\n    app {\n      name\n      id\n    }\n    secretCount\n    folderCount\n    index\n    members {\n      email\n      fullName\n      avatarUrl\n    }\n    folders {\n      id\n      name\n      path\n    }\n    secrets(path: $path) {\n      id\n      key\n      value\n      comment\n      path\n    }\n    dynamicSecrets(path: $path) {\n      id\n      name\n      path\n      description\n      provider\n      keyMap {\n        id\n        keyName\n      }\n    }\n  }\n  sseEnabled(appId: $appId)\n  serverPublicKey\n}": types.GetAppSecretsDocument,
     "query GetAppSecretsLogs($appId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $memberId: ID, $memberType: MemberType, $environmentId: ID) {\n  secretLogs(\n    appId: $appId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    memberId: $memberId\n    memberType: $memberType\n    environmentId: $environmentId\n  ) {\n    logs {\n      id\n      path\n      key\n      value\n      tags {\n        id\n        name\n        color\n      }\n      version\n      comment\n      timestamp\n      ipAddress\n      userAgent\n      user {\n        email\n        username\n        fullName\n        avatarUrl\n      }\n      serviceToken {\n        id\n        name\n      }\n      serviceAccount {\n        id\n        name\n        deletedAt\n      }\n      serviceAccountToken {\n        id\n        name\n        deletedAt\n      }\n      eventType\n      environment {\n        id\n        envType\n        name\n      }\n      secret {\n        id\n        path\n      }\n    }\n    count\n  }\n  environmentKeys(appId: $appId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n    environment {\n      id\n    }\n  }\n}": types.GetAppSecretsLogsDocument,
@@ -599,7 +599,7 @@ export function graphql(source: "query GetDynamicSecretProviders {\n  dynamicSec
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}"];
+export function graphql(source: "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      ttl\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}"): (typeof documents)["query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      ttl\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index d087703d3..42c091cb2 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -558,23 +558,20 @@ export type DynamicSecretLeaseEventType = {
 
 export type DynamicSecretLeaseType = {
   __typename?: 'DynamicSecretLeaseType';
-  cleanupJobId: Scalars['String']['output'];
   createdAt?: Maybe<Scalars['DateTime']['output']>;
   credentials?: Maybe<LeaseCredentialsUnion>;
   deletedAt?: Maybe<Scalars['DateTime']['output']>;
-  description: Scalars['String']['output'];
   events?: Maybe<Array<Maybe<DynamicSecretLeaseEventType>>>;
   expiresAt?: Maybe<Scalars['DateTime']['output']>;
   id: Scalars['String']['output'];
   name: Scalars['String']['output'];
   organisationMember?: Maybe<OrganisationMemberType>;
-  renewedAt?: Maybe<Scalars['DateTime']['output']>;
   revokedAt?: Maybe<Scalars['DateTime']['output']>;
   secret: DynamicSecretType;
   serviceAccount?: Maybe<ServiceAccountType>;
   /** Current status of the lease */
   status: ApiDynamicSecretLeaseStatusChoices;
-  ttl: Scalars['Float']['output'];
+  ttl?: Maybe<Scalars['Int']['output']>;
 };
 
 export type DynamicSecretProviderType = {
@@ -3353,7 +3350,7 @@ export type GetDynamicSecretLeasesQueryVariables = Exact<{
 }>;
 
 
-export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null, events?: Array<{ __typename?: 'DynamicSecretLeaseEventType', id: string, eventType: ApiDynamicSecretLeaseEventEventTypeChoices, createdAt: any, metadata: any, ipAddress?: string | null, userAgent?: string | null, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null } | null> | null }> } | null> | null };
+export type GetDynamicSecretLeasesQuery = { __typename?: 'Query', dynamicSecrets?: Array<{ __typename?: 'DynamicSecretType', id: string, leases: Array<{ __typename?: 'DynamicSecretLeaseType', id: string, name: string, ttl?: number | null, createdAt?: any | null, expiresAt?: any | null, revokedAt?: any | null, status: ApiDynamicSecretLeaseStatusChoices, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null, events?: Array<{ __typename?: 'DynamicSecretLeaseEventType', id: string, eventType: ApiDynamicSecretLeaseEventEventTypeChoices, createdAt: any, metadata: any, ipAddress?: string | null, userAgent?: string | null, organisationMember?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string } | null } | null> | null }> } | null> | null };
 
 export type GetAppEnvironmentsQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
@@ -3729,7 +3726,7 @@ export const GetRolesDocument = {"kind":"Document","definitions":[{"kind":"Opera
 export const VerifyInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateInvite"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"organisation"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<VerifyInviteQuery, VerifyInviteQueryVariables>;
 export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
 export const GetDynamicSecretProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"configMap"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretProvidersQuery, GetDynamicSecretProvidersQueryVariables>;
-export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
+export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"ttl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
 export const GetAppEnvironmentsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppEnvironments"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppEnvironmentsQuery, GetAppEnvironmentsQueryVariables>;
 export const GetAppSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"NullValue"}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}]},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetAppSecretsQuery, GetAppSecretsQueryVariables>;
 export const GetAppSecretsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppSecretsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}},{"kind":"Argument","name":{"kind":"Name","value":"eventTypes"},"value":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"version"}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"username"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"deletedAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"secret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"path"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppSecretsLogsQuery, GetAppSecretsLogsQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 1e51cfafa..ce0f2e1b8 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -13,9 +13,22 @@ type Query {
   validateInvite(inviteId: ID): OrganisationMemberInviteType
   apps(organisationId: ID, appId: ID): [AppType]
   kmsLogs(appId: ID, start: BigInt, end: BigInt): KMSLogsResponseType
-  secretLogs(appId: ID, start: BigInt, end: BigInt, eventTypes: [String], memberId: ID, memberType: MemberType, environmentId: ID): SecretLogsResponseType
+  secretLogs(
+    appId: ID
+    start: BigInt
+    end: BigInt
+    eventTypes: [String]
+    memberId: ID
+    memberType: MemberType
+    environmentId: ID
+  ): SecretLogsResponseType
   appActivityChart(appId: ID, period: TimeRange): [ChartDataPointType]
-  appEnvironments(appId: ID, environmentId: ID, memberId: ID, memberType: MemberType): [EnvironmentType]
+  appEnvironments(
+    appId: ID
+    environmentId: ID
+    memberId: ID
+    memberType: MemberType
+  ): [EnvironmentType]
   appUsers(appId: ID): [OrganisationMemberType]
   appServiceAccounts(appId: ID): [ServiceAccountType]
   secrets(envId: ID, path: String, id: ID): [SecretType]
@@ -49,7 +62,11 @@ type Query {
   testVaultCreds(credentialId: ID): Boolean
   testNomadCreds(credentialId: ID): Boolean
   validateAwsAssumeRoleAuth: AWSValidationResultType
-  validateAwsAssumeRoleCredentials(roleArn: String!, region: String, externalId: String): AWSValidationResultType
+  validateAwsAssumeRoleCredentials(
+    roleArn: String!
+    region: String
+    externalId: String
+  ): AWSValidationResultType
   stripeCheckoutDetails(stripeSessionId: String!): StripeCheckoutDetails
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
@@ -78,13 +95,19 @@ value as specified by
 scalar DateTime
 
 enum ApiOrganisationPlanChoices {
-  """Free"""
+  """
+  Free
+  """
   FR
 
-  """Pro"""
+  """
+  Pro
+  """
   PR
 
-  """Enterprise"""
+  """
+  Enterprise
+  """
   EN
 }
 
@@ -186,16 +209,24 @@ type EnvironmentType {
 }
 
 enum ApiEnvironmentEnvTypeChoices {
-  """Development"""
+  """
+  Development
+  """
   DEV
 
-  """Staging"""
+  """
+  Staging
+  """
   STAGING
 
-  """Production"""
+  """
+  Production
+  """
   PROD
 
-  """Custom"""
+  """
+  Custom
+  """
   CUSTOM
 }
 
@@ -317,16 +348,24 @@ type ServiceAccountTokenType {
 }
 
 enum ApiSecretEventEventTypeChoices {
-  """Create"""
+  """
+  Create
+  """
   C
 
-  """Read"""
+  """
+  Read
+  """
   R
 
-  """Update"""
+  """
+  Update
+  """
   U
 
-  """Delete"""
+  """
+  Delete
+  """
   D
 }
 
@@ -349,7 +388,9 @@ type DynamicSecretType {
   path: String!
   authentication: ProviderCredentialsType
 
-  """Which provider this secret is associated with."""
+  """
+  Which provider this secret is associated with.
+  """
   provider: ApiDynamicSecretProviderChoices!
   config: DynamicSecretConfigUnion
   keyMap: [KeyMap]
@@ -380,7 +421,9 @@ type ProviderType {
 }
 
 enum ApiDynamicSecretProviderChoices {
-  """AWS"""
+  """
+  AWS
+  """
   AWS
 }
 
@@ -411,38 +454,47 @@ type KeyMap {
 type DynamicSecretLeaseType {
   id: String!
   name: String!
-  description: String!
   secret: DynamicSecretType!
   organisationMember: OrganisationMemberType
   serviceAccount: ServiceAccountType
-  ttl: Float!
+  ttl: Int
 
-  """Current status of the lease"""
+  """
+  Current status of the lease
+  """
   status: ApiDynamicSecretLeaseStatusChoices!
   credentials: LeaseCredentialsUnion
   createdAt: DateTime
-  renewedAt: DateTime
   expiresAt: DateTime
   revokedAt: DateTime
   deletedAt: DateTime
-  cleanupJobId: String!
   events: [DynamicSecretLeaseEventType]
 }
 
 enum ApiDynamicSecretLeaseStatusChoices {
-  """Created"""
+  """
+  Created
+  """
   CREATED
 
-  """Active"""
+  """
+  Active
+  """
   ACTIVE
 
-  """Renewed"""
+  """
+  Renewed
+  """
   RENEWED
 
-  """Revoked"""
+  """
+  Revoked
+  """
   REVOKED
 
-  """Expired"""
+  """
+  Expired
+  """
   EXPIRED
 }
 
@@ -467,19 +519,29 @@ type DynamicSecretLeaseEventType {
 }
 
 enum ApiDynamicSecretLeaseEventEventTypeChoices {
-  """Created"""
+  """
+  Created
+  """
   CREATED
 
-  """Active"""
+  """
+  Active
+  """
   ACTIVE
 
-  """Renewed"""
+  """
+  Renewed
+  """
   RENEWED
 
-  """Revoked"""
+  """
+  Revoked
+  """
   REVOKED
 
-  """Expired"""
+  """
+  Expired
+  """
   EXPIRED
 }
 
@@ -498,19 +560,29 @@ type EnvironmentSyncType {
 }
 
 enum ApiEnvironmentSyncStatusChoices {
-  """In progress"""
+  """
+  In progress
+  """
   IN_PROGRESS
 
-  """Completed"""
+  """
+  Completed
+  """
   COMPLETED
 
-  """cancelled"""
+  """
+  cancelled
+  """
   CANCELLED
 
-  """Timed out"""
+  """
+  Timed out
+  """
   TIMED_OUT
 
-  """Failed"""
+  """
+  Failed
+  """
   FAILED
 }
 
@@ -531,19 +603,29 @@ type EnvironmentSyncEventType {
 }
 
 enum ApiEnvironmentSyncEventStatusChoices {
-  """In progress"""
+  """
+  In progress
+  """
   IN_PROGRESS
 
-  """Completed"""
+  """
+  Completed
+  """
   COMPLETED
 
-  """cancelled"""
+  """
+  cancelled
+  """
   CANCELLED
 
-  """Timed out"""
+  """
+  Timed out
+  """
   TIMED_OUT
 
-  """Failed"""
+  """
+  Failed
+  """
   FAILED
 }
 
@@ -606,13 +688,19 @@ type ActivatedPhaseLicenseType {
 }
 
 enum ApiActivatedPhaseLicensePlanChoices {
-  """Free"""
+  """
+  Free
+  """
   FR
 
-  """Pro"""
+  """
+  Pro
+  """
   PR
 
-  """Enterprise"""
+  """
+  Enterprise
+  """
   EN
 }
 
@@ -667,9 +755,13 @@ type KMSLogType implements Node {
   longitude: Float
 }
 
-"""An object with an ID"""
+"""
+An object with an ID
+"""
 interface Node {
-  """The ID of the object"""
+  """
+  The ID of the object
+  """
   id: ID!
 }
 
@@ -907,62 +999,253 @@ type DynamicSecretProviderType {
 }
 
 type Mutation {
-  createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
-  bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
-  createOrganisationMember(identityKey: String!, inviteId: ID!, orgId: ID!, wrappedKeyring: String, wrappedRecovery: String): CreateOrganisationMemberMutation
+  createOrganisation(
+    id: ID!
+    identityKey: String!
+    name: String!
+    wrappedKeyring: String!
+    wrappedRecovery: String!
+  ): CreateOrganisationMutation
+  bulkInviteOrganisationMembers(
+    invites: [InviteInput]!
+    orgId: ID!
+  ): BulkInviteOrganisationMembersMutation
+  createOrganisationMember(
+    identityKey: String!
+    inviteId: ID!
+    orgId: ID!
+    wrappedKeyring: String
+    wrappedRecovery: String
+  ): CreateOrganisationMemberMutation
   deleteOrganisationMember(memberId: ID!): DeleteOrganisationMemberMutation
   updateOrganisationMemberRole(memberId: ID!, roleId: ID!): UpdateOrganisationMemberRole
-  updateMemberWrappedSecrets(orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
+  updateMemberWrappedSecrets(
+    orgId: ID!
+    wrappedKeyring: String!
+    wrappedRecovery: String!
+  ): UpdateUserWrappedSecretsMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
-  createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
+  createApp(
+    appSeed: String!
+    appToken: String!
+    appVersion: Int!
+    id: ID!
+    identityKey: String!
+    name: String!
+    organisationId: ID!
+    wrappedKeyShare: String!
+  ): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
   deleteApp(id: ID!): DeleteAppMutation
   updateAppName(id: ID!, name: String!): UpdateAppNameMutation
-  addAppMember(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): AddAppMemberMutation
+  addAppMember(
+    appId: ID
+    envKeys: [EnvironmentKeyInput]
+    memberId: ID
+    memberType: MemberType
+  ): AddAppMemberMutation
   bulkAddAppMembers(appId: ID!, members: [AppMemberInputType]!): BulkAddAppMembersMutation
   removeAppMember(appId: ID, memberId: ID, memberType: MemberType): RemoveAppMemberMutation
-  updateMemberEnvironmentScope(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): UpdateMemberEnvScopeMutation
-  createEnvironment(adminKeys: [EnvironmentKeyInput], environmentData: EnvironmentInput!, wrappedSalt: String, wrappedSeed: String): CreateEnvironmentMutation
+  updateMemberEnvironmentScope(
+    appId: ID
+    envKeys: [EnvironmentKeyInput]
+    memberId: ID
+    memberType: MemberType
+  ): UpdateMemberEnvScopeMutation
+  createEnvironment(
+    adminKeys: [EnvironmentKeyInput]
+    environmentData: EnvironmentInput!
+    wrappedSalt: String
+    wrappedSeed: String
+  ): CreateEnvironmentMutation
   deleteEnvironment(environmentId: ID!): DeleteEnvironmentMutation
   renameEnvironment(environmentId: ID!, name: String!): RenameEnvironmentMutation
   swapEnvironmentOrder(environment1Id: ID!, environment2Id: ID!): SwapEnvironmentOrderMutation
-  createEnvironmentKey(envId: ID!, identityKey: String!, userId: ID, wrappedSalt: String!, wrappedSeed: String!): CreateEnvironmentKeyMutation
-  createEnvironmentToken(envId: ID!, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateEnvironmentTokenMutation
-  createCustomRole(color: String, description: String, name: String, organisationId: ID!, permissions: JSONString): CreateCustomRoleMutation
-  updateCustomRole(color: String, description: String, id: ID!, name: String, permissions: JSONString): UpdateCustomRoleMutation
+  createEnvironmentKey(
+    envId: ID!
+    identityKey: String!
+    userId: ID
+    wrappedSalt: String!
+    wrappedSeed: String!
+  ): CreateEnvironmentKeyMutation
+  createEnvironmentToken(
+    envId: ID!
+    identityKey: String!
+    name: String!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateEnvironmentTokenMutation
+  createCustomRole(
+    color: String
+    description: String
+    name: String
+    organisationId: ID!
+    permissions: JSONString
+  ): CreateCustomRoleMutation
+  updateCustomRole(
+    color: String
+    description: String
+    id: ID!
+    name: String
+    permissions: JSONString
+  ): UpdateCustomRoleMutation
   deleteCustomRole(id: ID!): DeleteCustomRoleMutation
-  createNetworkAccessPolicy(allowedIps: String!, isGlobal: Boolean!, name: String, organisationId: ID!): CreateNetworkAccessPolicyMutation
+  createNetworkAccessPolicy(
+    allowedIps: String!
+    isGlobal: Boolean!
+    name: String
+    organisationId: ID!
+  ): CreateNetworkAccessPolicyMutation
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
-  updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
-  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
-  enableServiceAccountThirdPartyAuth(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountThirdPartyAuthMutation
-  updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
+  updateAccountNetworkAccessPolicies(
+    accountInputs: [AccountPolicyInput]
+    organisationId: ID!
+  ): UpdateAccountNetworkAccessPolicies
+  createServiceAccount(
+    handlers: [ServiceAccountHandlerInput]
+    identityKey: String
+    name: String
+    organisationId: ID
+    roleId: ID
+    serverWrappedKeyring: String
+    serverWrappedRecovery: String
+  ): CreateServiceAccountMutation
+  enableServiceAccountThirdPartyAuth(
+    serverWrappedKeyring: String
+    serverWrappedRecovery: String
+    serviceAccountId: ID
+  ): EnableServiceAccountThirdPartyAuthMutation
+  updateServiceAccountHandlers(
+    handlers: [ServiceAccountHandlerInput]
+    organisationId: ID
+  ): UpdateServiceAccountHandlersMutation
   updateServiceAccount(name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
-  createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
+  createServiceAccountToken(
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    serviceAccountId: ID
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
   toggleSyncActive(syncId: ID): ToggleSyncActive
   updateSyncAuthentication(credentialId: ID, syncId: ID): UpdateSyncAuthentication
-  createProviderCredentials(credentials: JSONString, name: String, orgId: ID, provider: String): CreateProviderCredentials
-  updateProviderCredentials(credentialId: ID, credentials: JSONString, name: String): UpdateProviderCredentials
+  createProviderCredentials(
+    credentials: JSONString
+    name: String
+    orgId: ID
+    provider: String
+  ): CreateProviderCredentials
+  updateProviderCredentials(
+    credentialId: ID
+    credentials: JSONString
+    name: String
+  ): UpdateProviderCredentials
   deleteProviderCredentials(credentialId: ID): DeleteProviderCredentials
-  createCloudflarePagesSync(credentialId: ID, deploymentId: ID, envId: ID, path: String, projectEnv: String, projectName: String): CreateCloudflarePagesSync
-  createCloudflareWorkersSync(credentialId: ID, envId: ID, path: String, workerName: String): CreateCloudflareWorkersSync
-  createAwsSecretSync(credentialId: ID, envId: ID, kmsId: String, path: String, secretName: String): CreateAWSSecretsManagerSync
-  createGhActionsSync(credentialId: ID, envId: ID, owner: String, path: String, repoName: String): CreateGitHubActionsSync
-  createVaultSync(credentialId: ID, engine: String, envId: ID, path: String, vaultPath: String): CreateVaultSync
-  createNomadSync(credentialId: ID, envId: ID, nomadNamespace: String, nomadPath: String, path: String): CreateNomadSync
-  createGitlabCiSync(credentialId: ID, envId: ID, isGroup: Boolean, masked: Boolean, path: String, protected: Boolean, resourceId: String, resourcePath: String): CreateGitLabCISync
-  createRailwaySync(credentialId: ID, envId: ID, path: String, railwayEnvironment: RailwayResourceInput, railwayProject: RailwayResourceInput, railwayService: RailwayResourceInput): CreateRailwaySync
-  createVercelSync(credentialId: ID, envId: ID, environment: String, path: String, projectId: String, projectName: String, secretType: String, teamId: String, teamName: String): CreateVercelSync
-  createRenderSync(credentialId: ID, envId: ID, path: String, resourceId: String, resourceName: String, resourceType: RenderResourceType, secretFileName: String): CreateRenderSync
-  createUserToken(expiry: BigInt, identityKey: String!, name: String!, orgId: ID!, token: String!, wrappedKeyShare: String!): CreateUserTokenMutation
+  createCloudflarePagesSync(
+    credentialId: ID
+    deploymentId: ID
+    envId: ID
+    path: String
+    projectEnv: String
+    projectName: String
+  ): CreateCloudflarePagesSync
+  createCloudflareWorkersSync(
+    credentialId: ID
+    envId: ID
+    path: String
+    workerName: String
+  ): CreateCloudflareWorkersSync
+  createAwsSecretSync(
+    credentialId: ID
+    envId: ID
+    kmsId: String
+    path: String
+    secretName: String
+  ): CreateAWSSecretsManagerSync
+  createGhActionsSync(
+    credentialId: ID
+    envId: ID
+    owner: String
+    path: String
+    repoName: String
+  ): CreateGitHubActionsSync
+  createVaultSync(
+    credentialId: ID
+    engine: String
+    envId: ID
+    path: String
+    vaultPath: String
+  ): CreateVaultSync
+  createNomadSync(
+    credentialId: ID
+    envId: ID
+    nomadNamespace: String
+    nomadPath: String
+    path: String
+  ): CreateNomadSync
+  createGitlabCiSync(
+    credentialId: ID
+    envId: ID
+    isGroup: Boolean
+    masked: Boolean
+    path: String
+    protected: Boolean
+    resourceId: String
+    resourcePath: String
+  ): CreateGitLabCISync
+  createRailwaySync(
+    credentialId: ID
+    envId: ID
+    path: String
+    railwayEnvironment: RailwayResourceInput
+    railwayProject: RailwayResourceInput
+    railwayService: RailwayResourceInput
+  ): CreateRailwaySync
+  createVercelSync(
+    credentialId: ID
+    envId: ID
+    environment: String
+    path: String
+    projectId: String
+    projectName: String
+    secretType: String
+    teamId: String
+    teamName: String
+  ): CreateVercelSync
+  createRenderSync(
+    credentialId: ID
+    envId: ID
+    path: String
+    resourceId: String
+    resourceName: String
+    resourceType: RenderResourceType
+    secretFileName: String
+  ): CreateRenderSync
+  createUserToken(
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    orgId: ID!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateUserTokenMutation
   deleteUserToken(tokenId: ID!): DeleteUserTokenMutation
-  createServiceToken(appId: ID!, environmentKeys: [EnvironmentKeyInput], expiry: BigInt, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateServiceTokenMutation
+  createServiceToken(
+    appId: ID!
+    environmentKeys: [EnvironmentKeyInput]
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateServiceTokenMutation
   deleteServiceToken(tokenId: ID!): DeleteServiceTokenMutation
   createSecretFolder(envId: ID, name: String, path: String): CreateSecretFolderMutation
   deleteSecretFolder(folderId: ID): DeleteSecretFolderMutation
@@ -977,20 +1260,53 @@ type Mutation {
   createOverride(overrideData: PersonalSecretInput): CreatePersonalSecretMutation
   removeOverride(secretId: ID): DeletePersonalSecretMutation
   createLockbox(input: LockboxInput): CreateLockboxMutation
-  createSubscriptionCheckoutSession(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum): CreateSubscriptionCheckoutSession
+  createSubscriptionCheckoutSession(
+    billingPeriod: BillingPeriodEnum
+    organisationId: ID!
+    planType: PlanTypeEnum
+  ): CreateSubscriptionCheckoutSession
   deletePaymentMethod(organisationId: ID, paymentMethodId: String): DeletePaymentMethodMutation
   cancelSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
   resumeSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
-  modifySubscription(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum, subscriptionId: String!): UpdateSubscriptionResponse
+  modifySubscription(
+    billingPeriod: BillingPeriodEnum
+    organisationId: ID!
+    planType: PlanTypeEnum
+    subscriptionId: String!
+  ): UpdateSubscriptionResponse
   createSetupIntent(organisationId: ID): CreateSetupIntentMutation
   setDefaultPaymentMethod(
     organisationId: ID
 
-    """Payment Method ID to set as default"""
+    """
+    Payment Method ID to set as default
+    """
     paymentMethodId: String!
   ): SetDefaultPaymentMethodMutation
-  createAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, environmentId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): CreateAWSDynamicSecretMutation
-  updateAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, dynamicSecretId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): UpdateAWSDynamicSecretMutation
+  createAwsDynamicSecret(
+    authenticationId: ID
+    config: AWSConfigInput!
+    defaultTtl: Int
+    description: String
+    environmentId: ID!
+    keyMap: [KeyMapInput]!
+    maxTtl: Int
+    name: String!
+    organisationId: ID!
+    path: String
+  ): CreateAWSDynamicSecretMutation
+  updateAwsDynamicSecret(
+    authenticationId: ID
+    config: AWSConfigInput!
+    defaultTtl: Int
+    description: String
+    dynamicSecretId: ID!
+    keyMap: [KeyMapInput]!
+    maxTtl: Int
+    name: String!
+    organisationId: ID!
+    path: String
+  ): UpdateAWSDynamicSecretMutation
   deleteDynamicSecret(secretId: ID!): DeleteDynamicSecretMutation
   createDynamicSecretLease(name: String, secretId: ID!, ttl: Int): LeaseDynamicSecret
   renewDynamicSecretLease(leaseId: ID!, ttl: Int): RenewLeaseMutation
@@ -1433,4 +1749,4 @@ type RenewLeaseMutation {
 
 type RevokeLeaseMutation {
   lease: DynamicSecretLeaseType
-}
\ No newline at end of file
+}

From a4067ec08d7775a6265a5dc1ded232aad7394383 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 27 Sep 2025 17:40:42 +0530
Subject: [PATCH 100/117] fix: ensure current TTL is safely accessed in
 RenewLeaseDialog

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index 70fcf1ae7..d2dcf1b4d 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -34,7 +34,7 @@ export const RenewLeaseDialog = ({
     lease.events?.filter(
       (event) => event?.eventType === ApiDynamicSecretLeaseEventEventTypeChoices.Renewed
     ).length || 0
-  const currentTtlSeconds = lease.ttl // This is the total TTL (initial + all renewals)
+  const currentTtlSeconds = lease.ttl! // This is the total TTL (initial + all renewals)
   const maxTtlSeconds = secret.maxTtlSeconds!
   const remainingRenewalTime = Math.max(0, maxTtlSeconds - currentTtlSeconds)
 

From 825a50e005178191caea3ecc5d1df9d49008c65b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 27 Sep 2025 19:00:02 +0530
Subject: [PATCH 101/117] fix: add dynamic secrets to secret count for folder
 type

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/types.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 5a7d100d4..9482d166c 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -392,7 +392,10 @@ def resolve_folder_count(self, info):
         return SecretFolder.objects.filter(folder=self).count()
 
     def resolve_secret_count(self, info):
-        return Secret.objects.filter(folder=self).count()
+        return (
+            Secret.objects.filter(folder=self).count()
+            + DynamicSecret.objects.filter(folder=self, deleted_at=None).count()
+        )
 
 
 class SecretEventType(DjangoObjectType):

From 0857852a4b479fb1295a8f5d1c1fe9d763ee1bc5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 27 Sep 2025 19:09:07 +0530
Subject: [PATCH 102/117] feat: add copy buttons for secret and lease id

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/ee/components/secrets/dynamic/LeaseCard.tsx  | 11 +++++------
 .../secrets/dynamic/UpdateDynamicSecretDialog.tsx     | 11 ++++++++++-
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/LeaseCard.tsx b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
index 9b6149b3d..90e00dfb9 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
@@ -1,18 +1,15 @@
 import {
   ApiDynamicSecretLeaseStatusChoices,
-  DynamicSecretLeaseEventType,
   DynamicSecretLeaseType,
   DynamicSecretType,
 } from '@/apollo/graphql'
 import { Avatar } from '@/components/common/Avatar'
-import { Button } from '@/components/common/Button'
 import { relativeTimeFromDates } from '@/utils/time'
 import clsx from 'clsx'
-import { FaBan } from 'react-icons/fa6'
-import { FiRefreshCw } from 'react-icons/fi'
 import { RenewLeaseDialog } from './RenewLeaseDialog'
 import { RevokeLeaseDialog } from './RevokeLeaseDialog'
 import { LeaseHistoryDialog } from './LeaseHistoryDialog'
+import CopyButton from '@/components/common/CopyButton'
 
 export const LeaseCard = ({
   secret,
@@ -61,11 +58,13 @@ export const LeaseCard = ({
         <div>
           {' '}
           <div className="font-medium text-sm text-zinc-900 dark:text-zinc-100">{lease.name}</div>
-          <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
+          <CopyButton buttonVariant="ghost" value={lease.id}>
+            <div className="font-mono text-2xs text-neutral-500">{lease.id}</div>
+          </CopyButton>
         </div>
       </div>
 
-      <div className="space-y-0 col-span-2 text-xs">
+      <div className="space-y-1 col-span-2 text-xs">
         <div className="text-neutral-500 flex items-center gap-1">
           Created {relativeTimeFromDates(new Date(lease.createdAt))}
           {(lease.organisationMember || lease.serviceAccount) && (
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index 48a0bb82f..0c7df796c 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -24,6 +24,7 @@ import { FaCog, FaCogs } from 'react-icons/fa'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
 import { leaseTtlButtons } from '@/utils/dynamicSecrets'
+import CopyButton from '@/components/common/CopyButton'
 
 type UpdateDynamicSecretDialogRef = {
   openModal: () => void
@@ -168,7 +169,15 @@ export const UpdateDynamicSecretDialog = forwardRef<
   return (
     <GenericDialog
       ref={dialogRef}
-      title={`Configure Dynamic Secret`}
+      title="Configure Dynamic Secret"
+      dialogTitle={
+        <div className="flex flex-col gap-1">
+          Configure {secret.name}
+          <CopyButton value={secret.id}>
+            <span className="text-2xs font-mono">{secret.id}</span>
+          </CopyButton>{' '}
+        </div>
+      }
       buttonVariant="secondary"
       buttonContent={
         <>

From 25d615c4ae01a245ca7a2b9208ee405327b3e8fa Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 15:07:04 +0530
Subject: [PATCH 103/117] fix: add loading state to leases list

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../components/secrets/dynamic/ManageLeasesDialog.tsx  | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
index 0bff9e4f3..97a10aece 100644
--- a/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/ManageLeasesDialog.tsx
@@ -11,6 +11,7 @@ import { FiRefreshCw } from 'react-icons/fi'
 import { FaListCheck } from 'react-icons/fa6'
 import { CreateLeaseDialog } from './CreateLeaseDialog'
 import { EmptyState } from '@/components/common/EmptyState'
+import Spinner from '@/components/common/Spinner'
 
 export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -68,6 +69,7 @@ export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) =>
             Refresh
           </Button>
         </div>
+
         <div className="divide-y divide-neutral-500/20 max-h-[80vh] overflow-y-auto">
           {leases.slice(0, viewLimit === 0 ? undefined : viewLimit).map((lease) => (
             <LeaseCard key={lease.id} secret={secret} lease={lease} />
@@ -86,7 +88,13 @@ export const ManageLeasesDialog = ({ secret }: { secret: DynamicSecretType }) =>
           )}
         </div>
 
-        {leases.length === 0 && (
+        {leases.length === 0 && loading && (
+          <div className="flex items-center justify-center h-48">
+            <Spinner size="md" />
+          </div>
+        )}
+
+        {leases.length === 0 && !loading && (
           <EmptyState
             title="No leases"
             subtitle="There are no leases for this dynamic secret."

From a1954c4a30b7af976a5aed5b0b4cfb725d9e08bc Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 15:10:20 +0530
Subject: [PATCH 104/117] feat: improve configure secret dialog header

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/GenericDialog.tsx             | 2 +-
 .../secrets/dynamic/UpdateDynamicSecretDialog.tsx        | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/frontend/components/common/GenericDialog.tsx b/frontend/components/common/GenericDialog.tsx
index 049fc17b3..5ca4e0fa8 100644
--- a/frontend/components/common/GenericDialog.tsx
+++ b/frontend/components/common/GenericDialog.tsx
@@ -121,7 +121,7 @@ const GenericDialog = forwardRef(
                       sizeClass
                     )}
                   >
-                    <Dialog.Title as="div" className="flex w-full justify-between">
+                    <Dialog.Title as="div" className="flex w-full justify-between items-start">
                       <h3 className="text-lg font-medium leading-6 text-zinc-800 dark:text-zinc-200 break-all">
                         {dialogTitle || title}
                       </h3>
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index 0c7df796c..47926b2d2 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -173,9 +173,12 @@ export const UpdateDynamicSecretDialog = forwardRef<
       dialogTitle={
         <div className="flex flex-col gap-1">
           Configure {secret.name}
-          <CopyButton value={secret.id}>
-            <span className="text-2xs font-mono">{secret.id}</span>
-          </CopyButton>{' '}
+          <div className="flex items-center gap-1 text-xs text-neutral-500">
+            Dynamic Secret ID:
+            <CopyButton value={secret.id} buttonVariant="ghost">
+              <span className="text-2xs font-mono">{secret.id}</span>
+            </CopyButton>
+          </div>
         </div>
       }
       buttonVariant="secondary"

From 2e6f7861d3b7fab059bcdcf5b185e6be42cbfcc3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 15:11:45 +0530
Subject: [PATCH 105/117] fix: return 404 if no dynamic secrets match filter

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index e68c94de0..81e8efc25 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -121,6 +121,9 @@ def get(self, request, *args, **kwargs):
 
         dynamic_secrets = DynamicSecret.objects.filter(**dynamic_secrets_filter)
 
+        if not dynamic_secrets.exists():
+            return Response({"error": "No dynamic secrets found"}, status=404)
+
         # If lease header is present, generate a lease per secret
         include_lease = (
             "lease" in request.GET

From b7fc04a4c2225b788a8844f91b518dc9ae693ffb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 15:16:25 +0530
Subject: [PATCH 106/117] fix: clean up duplicate code

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../integrations/secrets/dynamic/aws/utils.py | 188 ------------------
 1 file changed, 188 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/aws/utils.py b/backend/ee/integrations/secrets/dynamic/aws/utils.py
index e4350acc7..a460809ed 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/utils.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/utils.py
@@ -613,194 +613,6 @@ def cleanup_failed_user_creation(username: str, iam_client):
         raise
 
 
-def create_aws_dynamic_secret_lease(
-    *,
-    secret: DynamicSecret,
-    lease_name,
-    organisation_member=None,
-    service_account=None,
-    ttl_seconds,
-) -> dict:
-    """
-    Create a new lease for dynamic AWS credentials.
-    """
-    # Initialize combined metadata
-    combined_meta = {
-        "action": "create_lease",
-        "provider": "aws",
-        "ttl_seconds": ttl_seconds,
-    }
-
-    lease_config = secret.config
-
-    if not organisation_member and not service_account:
-        raise ValidationError("Must set either organisation_member or service_account")
-    if organisation_member and service_account:
-        raise ValidationError(
-            "Only one of organisation_member or service_account may be set"
-        )
-
-    iam_client, _ = get_iam_client(secret)
-    created_username = None  # Track if we created a user for cleanup
-
-    # Build config for user creation
-    user_config = {
-        "username_template": lease_config.get("username_template"),
-        "groups": lease_config.get("groups"),
-        "policy_arns": lease_config.get("policy_arns"),
-        "iam_user_path": lease_config.get("iam_path", "/"),
-        "permission_boundary_arn": lease_config.get("permission_boundary_arn"),
-        "ttl_seconds": ttl_seconds,
-    }
-
-    try:
-        user_result, user_meta = create_temporary_user(user_config, iam_client)
-        combined_meta["user_creation"] = user_meta
-        username = user_result["username"]
-        created_username = username  # Mark that we created a user
-
-        # Create access key for the user
-        access_key_result, access_key_meta = create_access_key(username, iam_client)
-        combined_meta["access_key_creation"] = access_key_meta
-
-        lease_data = {
-            "username": username,
-            "user_arn": user_result["arn"],
-            "access_key_id": access_key_result["access_key_id"],
-            "secret_access_key": access_key_result["secret_access_key"],
-            "creation_time": user_result["creation_time"],
-            "expiry_time": user_result["expiry_time"],
-            "ttl_seconds": user_config.get("ttl_seconds", 60),
-        }
-
-        env_pubkey, _ = get_environment_keys(secret.environment.id)
-
-        encrypted_credentials = {
-            "access_key_id": encrypt_asymmetric(
-                access_key_result["access_key_id"], env_pubkey
-            ),
-            "secret_access_key": encrypt_asymmetric(
-                access_key_result["secret_access_key"], env_pubkey
-            ),
-            "username": encrypt_asymmetric(username, env_pubkey),
-        }
-
-        lease = DynamicSecretLease.objects.create(
-            secret=secret,
-            name=lease_name,
-            organisation_member=organisation_member,
-            service_account=service_account,
-            ttl=timedelta(seconds=ttl_seconds),
-            expires_at=timezone.now() + timedelta(seconds=ttl_seconds),
-            credentials=encrypted_credentials,
-        )
-        combined_meta["lease_id"] = str(lease.id)
-        combined_meta["outcome"] = "success"
-
-        # --- Schedule revocation ---
-        from ee.integrations.secrets.dynamic.utils import schedule_lease_revocation
-
-        schedule_lease_revocation(lease)
-        combined_meta["revocation_scheduled"] = True
-
-        return lease, lease_data, combined_meta
-
-    except Exception as e:
-        # If we created a user but something failed later, clean it up
-        if created_username:
-            logger.warning(
-                f"Lease creation failed after user creation, cleaning up user {created_username}"
-            )
-            combined_meta["cleanup_attempted"] = True
-            try:
-                cleanup_failed_user_creation(created_username, iam_client)
-                combined_meta["cleanup_successful"] = True
-                logger.info(
-                    f"Successfully cleaned up user {created_username} after failed lease creation"
-                )
-            except Exception as cleanup_error:
-                combined_meta["cleanup_error"] = str(cleanup_error)
-                logger.error(
-                    f"Failed to cleanup user {created_username}: {cleanup_error}"
-                )
-                # Don't suppress the original error
-
-        # Re-raise the original exception
-        raise
-
-
-def cleanup_failed_user_creation(username: str, iam_client):
-    """
-    Clean up a partially created IAM user by removing all attached resources.
-    This is called when lease creation fails after user creation.
-    """
-    try:
-        # Delete all access keys
-        try:
-            access_keys = iam_client.list_access_keys(UserName=username)
-            for key in access_keys["AccessKeyMetadata"]:
-                iam_client.delete_access_key(
-                    UserName=username, AccessKeyId=key["AccessKeyId"]
-                )
-                logger.info(
-                    f"Cleaned up access key {key['AccessKeyId']} for user {username}"
-                )
-        except ClientError:
-            pass  # User might not have access keys yet
-
-        # Detach all managed policies
-        try:
-            attached_policies = iam_client.list_attached_user_policies(
-                UserName=username
-            )
-            for policy in attached_policies["AttachedPolicies"]:
-                iam_client.detach_user_policy(
-                    UserName=username, PolicyArn=policy["PolicyArn"]
-                )
-                logger.info(
-                    f"Cleaned up attached policy {policy['PolicyArn']} for user {username}"
-                )
-        except ClientError:
-            pass
-
-        # Delete all inline policies
-        try:
-            inline_policies = iam_client.list_user_policies(UserName=username)
-            for policy_name in inline_policies["PolicyNames"]:
-                iam_client.delete_user_policy(UserName=username, PolicyName=policy_name)
-                logger.info(
-                    f"Cleaned up inline policy {policy_name} for user {username}"
-                )
-        except ClientError:
-            pass
-
-        # Remove user from all groups
-        try:
-            groups_resp = iam_client.list_groups_for_user(UserName=username)
-            for group in groups_resp["Groups"]:
-                iam_client.remove_user_from_group(
-                    UserName=username, GroupName=group["GroupName"]
-                )
-                logger.info(
-                    f"Cleaned up group membership {group['GroupName']} for user {username}"
-                )
-        except ClientError:
-            pass
-
-        # Finally, delete the user
-        iam_client.delete_user(UserName=username)
-        logger.info(f"Cleaned up IAM user {username}")
-
-    except iam_client.exceptions.NoSuchEntityException:
-        logger.info(f"User {username} already deleted during cleanup")
-    except ClientError as e:
-        logger.error(f"Error during cleanup of user {username}: {e}")
-        raise
-    except Exception as e:
-        logger.error(f"Unexpected error during cleanup of user {username}: {e}")
-        raise
-
-
 def revoke_aws_dynamic_secret_lease(
     lease_id,
     manual=False,

From 0dd6e53ec137843663214e5b62ce5310b741d8e5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 15:47:57 +0530
Subject: [PATCH 107/117] fix: correctly apply lease filter, misc cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index 81e8efc25..e96545638 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -259,12 +259,10 @@ def get(self, request, *args, **kwargs):
         ):
             if request.auth["org_member"] is not None:
                 leases_filter["organisation_member"] = request.auth["org_member"]
-            elif request.auth["service_account_token"] is not None:
-                leases_filter["service_account"] = request.auth[
-                    "service_account_token"
-                ]["service_account"]
+            elif request.auth["service_account"] is not None:
+                leases_filter["service_account"] = request.auth["service_account"]
 
-        leases = DynamicSecretLease.objects.filter(secret=secret).order_by(
+        leases = DynamicSecretLease.objects.filter(**leases_filter).order_by(
             "-created_at"
         )
         serializer = DynamicSecretLeaseSerializer(

From f49512ab6ed8342301607e8206f643f931feb48f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 19:55:50 +0530
Subject: [PATCH 108/117] feat: add ttl param, granular exception handling to
 dynamic secrets view

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../secrets/dynamic/rest/views.py             | 29 +++++++++++++++++--
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index e96545638..b48d23e5a 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -124,12 +124,22 @@ def get(self, request, *args, **kwargs):
         if not dynamic_secrets.exists():
             return Response({"error": "No dynamic secrets found"}, status=404)
 
-        # If lease header is present, generate a lease per secret
+        # If lease param is present, generate a lease per secret
         include_lease = (
             "lease" in request.GET
             and request.GET.get("lease", "false").lower() != "false"
         )
 
+        # Get optional TTL parameter for lease creation
+        lease_ttl = request.GET.get("ttl")
+        if lease_ttl:
+            try:
+                lease_ttl = int(lease_ttl)
+            except ValueError:
+                return Response(
+                    {"error": "ttl must be a valid integer (seconds)"}, status=400
+                )
+
         # 2. Create leases for each secret
         service_account = org_member = None
 
@@ -144,14 +154,27 @@ def get(self, request, *args, **kwargs):
                 try:
                     lease, _ = create_dynamic_secret_lease(
                         ds,
+                        ttl=lease_ttl,
                         organisation_member=org_member,
                         service_account=service_account,
                         request=request,
                     )
                     leases_by_secret_id[ds.id] = str(lease.id)
+                except PlanRestrictionError as e:
+                    return Response({"error": str(e)}, status=403)
+                except (TTLExceededError, LeaseRenewalError) as e:
+                    return Response({"error": str(e)}, status=400)
+                except DynamicSecretError as e:
+                    return Response({"error": str(e)}, status=400)
                 except Exception as e:
-                    logger.error(
-                        f"Failed to create lease for dynamic secret {ds.id}: {e}"
+                    logger.exception(
+                        "Unexpected error creating lease for dynamic secret %s", ds.id
+                    )
+                    return Response(
+                        {
+                            "error": "An internal error occurred while creating the lease"
+                        },
+                        status=500,
                     )
 
             # Serialize each secret with its lease_id in context

From 76e44e22bd9ed491bf14b044947558b7df2df6e5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 19:56:30 +0530
Subject: [PATCH 109/117] chore: cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/integrations/secrets/dynamic/rest/views.py | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index b48d23e5a..b8379de47 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -2,7 +2,6 @@
 from api.models import (
     DynamicSecret,
     DynamicSecretLease,
-    OrganisationMember,
 )
 from api.utils.secrets import (
     normalize_path_string,
@@ -16,7 +15,6 @@
 )
 from api.utils.rest import (
     METHOD_TO_ACTION,
-    get_resolver_request_meta,
 )
 
 from api.utils.access.middleware import IsIPAllowed
@@ -94,8 +92,6 @@ def get(self, request, *args, **kwargs):
         if not env.app.sse_enabled:
             return Response({"error": "SSE is not enabled for this App"}, status=400)
 
-        ip_address, user_agent = get_resolver_request_meta(request)
-
         dynamic_secrets_filter = {
             "environment": env,
             "deleted_at": None,

From 10328ddd6b0aea8b4cfc60e0f648264460dfc95e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 20:03:05 +0530
Subject: [PATCH 110/117] fix: change exception type from AuthenticationFailed
 to NotFound for missing secret

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/api/auth.py b/backend/api/auth.py
index defd7f8f5..dfa5c7c83 100644
--- a/backend/api/auth.py
+++ b/backend/api/auth.py
@@ -64,7 +64,7 @@ def authenticate(self, request):
                 except DynamicSecret.DoesNotExist:
                     pass
             if not found:
-                raise exceptions.AuthenticationFailed("Secret not found")
+                raise exceptions.NotFound("Secret not found")
 
         # If env is still None, try resolving from header or query params
         if env is None:

From e187822b2d01bff56e7d7d02311198cbe77a96d1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 28 Sep 2025 22:49:28 +0530
Subject: [PATCH 111/117] feat: add optional lease_ttl param to control ttl for
 leased credentials

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/views/secrets.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index b6f89ecf0..d1e3ecb65 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -178,6 +178,17 @@ def get(self, request, *args, **kwargs):
                 and request.headers.get("lease", "false").lower() != "false"
             )
 
+            # Get optional lease_ttl header for custom TTL
+            lease_ttl = request.headers.get("lease_ttl")
+            if lease_ttl:
+                try:
+                    lease_ttl = int(lease_ttl)
+                except ValueError:
+                    return Response(
+                        {"error": "lease_ttl must be a valid integer (seconds)"},
+                        status=400,
+                    )
+
             service_account = None
             if request.auth.get("service_account_token") is not None:
                 service_account = request.auth["service_account_token"].service_account
@@ -188,6 +199,7 @@ def get(self, request, *args, **kwargs):
                     try:
                         lease, _ = create_dynamic_secret_lease(
                             ds,
+                            ttl=lease_ttl,  # Pass the TTL if provided
                             organisation_member=request.auth.get("org_member"),
                             service_account=service_account,
                             request=request,
@@ -571,6 +583,17 @@ def get(self, request, *args, **kwargs):
                 and request.GET.get("lease", "false").lower() != "false"
             )
 
+            # Get optional lease_ttl parameter for custom TTL
+            lease_ttl = request.GET.get("lease_ttl")
+            if lease_ttl:
+                try:
+                    lease_ttl = int(lease_ttl)
+                except ValueError:
+                    return Response(
+                        {"error": "lease_ttl must be a valid integer (seconds)"},
+                        status=400,
+                    )
+
             service_account = None
             if request.auth.get("service_account_token") is not None:
                 service_account = request.auth["service_account_token"].service_account
@@ -581,6 +604,7 @@ def get(self, request, *args, **kwargs):
                     try:
                         lease, _ = create_dynamic_secret_lease(
                             ds,
+                            ttl=lease_ttl,
                             organisation_member=request.auth.get("org_member"),
                             service_account=service_account,
                             request=request,

From bcda6d14ea8c7c839e452553683c76ab0b9afecf Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 29 Sep 2025 16:33:45 +0530
Subject: [PATCH 112/117] feat: return an error response for combined secrets
 api if leases cannot be generated

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/views/secrets.py | 85 +++++++++++++++++++++++++++++++++---
 1 file changed, 80 insertions(+), 5 deletions(-)

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index d1e3ecb65..62d948076 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -32,8 +32,15 @@
 import json
 from api.content_negotiation import CamelCaseContentNegotiation
 from api.utils.access.middleware import IsIPAllowed
+from ee.integrations.secrets.dynamic.exceptions import (
+    DynamicSecretError,
+    PlanRestrictionError,
+    TTLExceededError,
+)
 from ee.integrations.secrets.dynamic.serializers import DynamicSecretSerializer
-from ee.integrations.secrets.dynamic.utils import create_dynamic_secret_lease
+from ee.integrations.secrets.dynamic.utils import (
+    create_dynamic_secret_lease,
+)
 from rest_framework.views import APIView
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.exceptions import PermissionDenied
@@ -195,6 +202,7 @@ def get(self, request, *args, **kwargs):
 
             if include_lease:
                 leases_by_secret_id = {}
+                failed_leases = []
                 for ds in dynamic_secrets_qs:
                     try:
                         lease, _ = create_dynamic_secret_lease(
@@ -205,10 +213,39 @@ def get(self, request, *args, **kwargs):
                             request=request,
                         )
                         leases_by_secret_id[ds.id] = str(lease.id)
+                    except PlanRestrictionError as e:
+                        return Response({"error": str(e)}, status=403)
+                    except DynamicSecretError as e:
+                        failed_leases.append(
+                            {
+                                "secret_id": str(ds.id),
+                                "secret_name": ds.name,
+                                "error": str(e),
+                            }
+                        )
                     except Exception as e:
-                        logger.error(
-                            f"Failed to create lease for dynamic secret {ds.id}: {e}"
+                        logger.exception(
+                            "Unexpected error creating lease for dynamic secret %s",
+                            ds.id,
                         )
+                        failed_leases.append(
+                            {
+                                "secret_id": str(ds.id),
+                                "secret_name": ds.name,
+                                "error": "Internal error occurred",
+                            }
+                        )
+
+                # If any leases failed to create, return error response
+                if failed_leases:
+                    return Response(
+                        {
+                            "error": "One or more dynamic secret leases could not be created",
+                            "failed_leases": failed_leases,
+                            "successful_leases": len(leases_by_secret_id),
+                        },
+                        status=400,
+                    )
 
                 # Serialize each secret with its lease_id in context
                 dynamic_secrets_data = [
@@ -600,6 +637,7 @@ def get(self, request, *args, **kwargs):
 
             if include_lease:
                 leases_by_secret_id = {}
+                failed_leases = []
                 for ds in dynamic_secrets_qs:
                     try:
                         lease, _ = create_dynamic_secret_lease(
@@ -610,10 +648,47 @@ def get(self, request, *args, **kwargs):
                             request=request,
                         )
                         leases_by_secret_id[ds.id] = str(lease.id)
+                    except PlanRestrictionError as e:
+                        return Response({"error": str(e)}, status=403)
+                    except (TTLExceededError,) as e:
+                        failed_leases.append(
+                            {
+                                "secret_id": str(ds.id),
+                                "secret_name": ds.name,
+                                "error": str(e),
+                            }
+                        )
+                    except DynamicSecretError as e:
+                        failed_leases.append(
+                            {
+                                "secret_id": str(ds.id),
+                                "secret_name": ds.name,
+                                "error": str(e),
+                            }
+                        )
                     except Exception as e:
-                        logger.error(
-                            f"Failed to create lease for dynamic secret {ds.id}: {e}"
+                        logger.exception(
+                            "Unexpected error creating lease for dynamic secret %s",
+                            ds.id,
                         )
+                        failed_leases.append(
+                            {
+                                "secret_id": str(ds.id),
+                                "secret_name": ds.name,
+                                "error": "Internal error occurred",
+                            }
+                        )
+
+                # If any leases failed to create, return error response
+                if failed_leases:
+                    return Response(
+                        {
+                            "error": "One or more dynamic secret leases could not be created",
+                            "failed_leases": failed_leases,
+                            "successful_leases": len(leases_by_secret_id),
+                        },
+                        status=400,
+                    )
 
                 # Serialize each secret with its lease_id in context
                 dynamic_secrets_data = [

From 13a3a629cfff403827eb766ab8636e707fef1504 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 30 Sep 2025 11:45:38 +0530
Subject: [PATCH 113/117] feat: enhance lease status display by indicating
 leases that due to expire

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../ee/components/secrets/dynamic/LeaseCard.tsx   | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/LeaseCard.tsx b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
index 90e00dfb9..8b31d2736 100644
--- a/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
+++ b/frontend/ee/components/secrets/dynamic/LeaseCard.tsx
@@ -20,13 +20,17 @@ export const LeaseCard = ({
 }) => {
   const toTitleCase = (str: string) => str.charAt(0).toUpperCase() + str.slice(1).toLowerCase()
 
-  //const isExpired = new Date(lease.expiresAt) <= new Date()
+  const isExpired = new Date(lease.expiresAt) <= new Date()
   const isRevoked = lease.revokedAt !== null && new Date(lease.revokedAt) <= new Date()
 
   const leaseStatusBadge = (status: ApiDynamicSecretLeaseStatusChoices) => {
+    // Check if Active lease has actually expired
+    const isActiveButExpired = status === ApiDynamicSecretLeaseStatusChoices.Active && isExpired
+
     const styles: Record<ApiDynamicSecretLeaseStatusChoices, string> = {
-      [ApiDynamicSecretLeaseStatusChoices.Active]:
-        'bg-emerald-400/10 text-emerald-400 ring-1 ring-inset ring-emerald-400/10',
+      [ApiDynamicSecretLeaseStatusChoices.Active]: isActiveButExpired
+        ? 'bg-amber-400/10 text-amber-400 ring-1 ring-inset ring-amber-400/10'
+        : 'bg-emerald-400/10 text-emerald-400 ring-1 ring-inset ring-emerald-400/10',
       [ApiDynamicSecretLeaseStatusChoices.Created]:
         'bg-blue-400/10 text-blue-400 ring-1 ring-inset ring-blue-400/10',
       [ApiDynamicSecretLeaseStatusChoices.Expired]:
@@ -46,7 +50,7 @@ export const LeaseCard = ({
         )}
       >
         <span className="size-2 rounded-full bg-current" />
-        {toTitleCase(status)}
+        {isActiveButExpired ? 'Expiring' : toTitleCase(status)}
       </span>
     )
   }
@@ -94,7 +98,8 @@ export const LeaseCard = ({
             </div>
           ) : (
             <div className="text-neutral-500">
-              Expires {relativeTimeFromDates(new Date(lease.expiresAt))}
+              {isExpired ? 'Queued for revocation' : 'Expires'}{' '}
+              {relativeTimeFromDates(new Date(lease.expiresAt))}
             </div>
           )}
         </div>

From 1f9e6be026a09e50daec053cebb41d7fd943faa4 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 30 Sep 2025 13:06:07 +0530
Subject: [PATCH 114/117] feat: improve spacing and layout in create and update
 dialogs

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/onboarding/Stepper.tsx    |  4 +-
 .../dynamic/CreateDynamicSecretDialog.tsx     | 12 ++--
 .../dynamic/UpdateDynamicSecretDialog.tsx     | 64 ++++++++++---------
 3 files changed, 41 insertions(+), 39 deletions(-)

diff --git a/frontend/components/onboarding/Stepper.tsx b/frontend/components/onboarding/Stepper.tsx
index b8cb472df..575681bf2 100644
--- a/frontend/components/onboarding/Stepper.tsx
+++ b/frontend/components/onboarding/Stepper.tsx
@@ -30,7 +30,7 @@ export const Stepper = ({ steps, activeStep, align = 'center' }: StepperProps) =
   }
 
   return (
-    <div className="space-y-16">
+    <div className="space-y-10">
       <div className="mx-4 p-4">
         <div className="flex items-center">
           {steps.map((step: Step, index: number) => (
@@ -76,7 +76,7 @@ export const Stepper = ({ steps, activeStep, align = 'center' }: StepperProps) =
       </div>
       <div
         className={clsx(
-          'border-b border-neutral-500/40 pb-2',
+          'border-b border-neutral-500/40 py-2',
           align === 'center' && 'text-center px-4'
         )}
       >
diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 2b8f90621..5ebc7d6d1 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -275,7 +275,7 @@ export const CreateDynamicSecretDialog = forwardRef<
 
               {/* Step 2: Config */}
               {activeStep === 0 && (
-                <div className="space-y-4 divide-y divide-neutral-500/40 text-sm">
+                <div className="divide-y divide-neutral-500/40 text-sm">
                   <div className="mt-2">
                     <ProviderCredentialPicker
                       credential={formData.credential}
@@ -285,7 +285,7 @@ export const CreateDynamicSecretDialog = forwardRef<
                       setDefault
                     />
                   </div>
-                  <div className="space-y-4 pt-2">
+                  <div className="space-y-3 py-2">
                     {provider.configMap.map(
                       (field: {
                         id: keyof AwsConfigInput
@@ -314,8 +314,8 @@ export const CreateDynamicSecretDialog = forwardRef<
 
               {/* Step 3: Key Mapping */}
               {activeStep === 1 && (
-                <div className="space-y-6 divide-y divide-neutral-500/40 text-sm">
-                  <div className="space-y-4">
+                <div className="divide-y divide-neutral-500/40 text-sm">
+                  <div className="space-y-3 py-2">
                     <Input
                       label="Name"
                       required
@@ -331,7 +331,7 @@ export const CreateDynamicSecretDialog = forwardRef<
                     />
                   </div>
 
-                  <div className="space-y-4 pt-6">
+                  <div className="space-y-3 py-2">
                     <div className="border-b border-neutral-500/20">
                       <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">
                         TTLs
@@ -392,7 +392,7 @@ export const CreateDynamicSecretDialog = forwardRef<
                     </div>
                   </div>
 
-                  <div className="space-y-4 pt-6">
+                  <div className="space-y-3 py-2">
                     <div className="border-b border-neutral-500/20">
                       <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">
                         Outputs
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index 47926b2d2..fe0083d52 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -202,7 +202,7 @@ export const UpdateDynamicSecretDialog = forwardRef<
             </div>
 
             {provider && (
-              <div className="space-y-4 pt-2">
+              <div className="space-y-3 pt-2">
                 {provider.configMap.map(
                   (field: {
                     id: keyof AwsConfigInput
@@ -230,8 +230,8 @@ export const UpdateDynamicSecretDialog = forwardRef<
           </div>
         )}
         {activeStep === 1 && (
-          <div className="space-y-6 divide-y divide-neutral-500/40 text-sm">
-            <div className="space-y-4">
+          <div className="divide-y divide-neutral-500/40 text-sm">
+            <div className="space-y-3 py-2">
               <Input
                 label="Name"
                 required
@@ -246,8 +246,8 @@ export const UpdateDynamicSecretDialog = forwardRef<
                 setValue={(val) => setFormData({ ...formData, description: val })}
               />
             </div>
-            <div className="space-y-4 pt-6">
-              <div className="border-b border-neutral-500/20">
+            <div className="space-y-3 py-2">
+              <div>
                 <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">TTLs</div>
                 <div className="text-neutral-500 text-xs">
                   Configure the default and max TTLs for generated secrets
@@ -304,38 +304,40 @@ export const UpdateDynamicSecretDialog = forwardRef<
                 </div>
               </div>
             </div>
-            <div className="space-y-4 pt-6">
-              <div className="border-b border-neutral-500/20">
+            <div className="space-y-3 py-2">
+              <div>
                 <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">Outputs</div>
                 <div className="text-neutral-500 text-xs">
                   Configure how generated secrets are mapped to keys in your environment
                 </div>
               </div>
-              {formData.keyMap.map((key) => (
-                <div key={key.id} className="flex items-center gap-4">
-                  <div className="flex-1 font-mono text-sm text-zinc-900 dark:text-zinc-100">
-                    {toUpper(key.id)}
+              <div className="space-y-2">
+                {formData.keyMap.map((key) => (
+                  <div key={key.id} className="flex items-center gap-4">
+                    <div className="flex-1 font-mono text-sm text-zinc-900 dark:text-zinc-100">
+                      {toUpper(key.id)}
+                    </div>
+                    <FaArrowRightLong className="text-neutral-500" />
+                    <div className="flex-1">
+                      <Input
+                        className="font-mono ph-no-capture"
+                        placeholder="Enter secret name"
+                        value={key.keyName ?? ''}
+                        setValue={(val) =>
+                          setFormData((prev) => ({
+                            ...prev,
+                            keyMap: prev.keyMap.map((k) =>
+                              k.id === key.id
+                                ? { ...k, keyName: val.replace(/ /g, '_').toUpperCase() }
+                                : k
+                            ),
+                          }))
+                        }
+                      />
+                    </div>
                   </div>
-                  <FaArrowRightLong className="text-neutral-500" />
-                  <div className="flex-1">
-                    <Input
-                      className="font-mono ph-no-capture"
-                      placeholder="Enter secret name"
-                      value={key.keyName ?? ''}
-                      setValue={(val) =>
-                        setFormData((prev) => ({
-                          ...prev,
-                          keyMap: prev.keyMap.map((k) =>
-                            k.id === key.id
-                              ? { ...k, keyName: val.replace(/ /g, '_').toUpperCase() }
-                              : k
-                          ),
-                        }))
-                      }
-                    />
-                  </div>
-                </div>
-              ))}
+                ))}
+              </div>
             </div>
           </div>
         )}

From a89ef7ec8b7b37ce1305c610004e56bb3cacc2e5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 30 Sep 2025 13:13:25 +0530
Subject: [PATCH 115/117] chore: bump version

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/version.txt b/backend/version.txt
index 194d155c1..6e380ebf9 100644
--- a/backend/version.txt
+++ b/backend/version.txt
@@ -1 +1 @@
-v2.51.0
+v2.52.0

From d48444398395a51c13cdf0195f45cefd4913ee59 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 30 Sep 2025 14:24:17 +0530
Subject: [PATCH 116/117] fix: prevent bad ttl values being passed to mutation
 vars in case form validation fails

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 5ebc7d6d1..974dfb6f6 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -180,10 +180,12 @@ export const CreateDynamicSecretDialog = forwardRef<
 
       if (parseInt(formData.defaultTTL, 10) > parseInt(formData.maxTTL, 10)) {
         toast.error('Default TTL must be less than or equal to Max TTL')
+        return false
       }
 
       if (parseInt(formData.maxTTL, 10) <= MINIMUM_LEASE_TTL) {
         toast.error(`Max TTL must be greater than ${MINIMUM_LEASE_TTL} seconds`)
+        return false
       }
 
       // Encrypt each keyName in keyMap

From 5178a0fb342bdee172b474e218f301b31d7a10df Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 30 Sep 2025 16:31:36 +0530
Subject: [PATCH 117/117] fix: clean up borders

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../components/secrets/dynamic/CreateDynamicSecretDialog.tsx  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index 974dfb6f6..edd58efa7 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -334,7 +334,7 @@ export const CreateDynamicSecretDialog = forwardRef<
                   </div>
 
                   <div className="space-y-3 py-2">
-                    <div className="border-b border-neutral-500/20">
+                    <div>
                       <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">
                         TTLs
                       </div>
@@ -395,7 +395,7 @@ export const CreateDynamicSecretDialog = forwardRef<
                   </div>
 
                   <div className="space-y-3 py-2">
-                    <div className="border-b border-neutral-500/20">
+                    <div>
                       <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">
                         Outputs
                       </div>