Add enrollment token-based gateway registration that decouples gateways from machine identities. Gateways can now be registered using a one-time enrollment token instead of requiring a pre-configured machine identity.

Backend:
- Add GATEWAY_ACCESS_TOKEN auth mode and GATEWAY actor type
- Add enrollment token CRUD endpoints (create, list, delete, enroll)
- Migration to make gateways_v2.identityId nullable and add gateway_enrollment_tokens table
- Update PAM session, account, and gateway services to accept GATEWAY actors
- Add GatewayActor to audit log and telemetry types

Frontend:
- Show pending enrollment tokens as "Pending" gateways in the gateway list
- Invalidate gateway list on token create/delete
- Deploy modal generates enrollment CLI command
- Skip pending items in network health banner
Add re-enroll flow that lets admins create a new enrollment token for existing gateways, invalidating the old JWT via tokenVersion.

Backend:
- Add tokenVersion column to gateways_v2, gatewayId FK to enrollment tokens
- Include tokenVersion in gateway JWT, verify on auth
- Add POST /re-enroll endpoint handling both pending tokens and enrolled gateways
- Bump tokenVersion and clear health status on re-enroll
- enrollGateway reuses existing gateway record when tokenRecord.gatewayId is set
- Add audit log events for enrollment token CRUD and re-enroll

Frontend:
- Add Re-enroll button in kebab menu (enrollment-based gateways only)
- ReEnrollGatewayModal with confirmation step and CLI command output
- Distinguish isTokenOnly vs isPending for correct delete/re-enroll behavior
- Re-enrolled gateways show as Pending until CLI command is run
CLI:
- Gateway name is now a positional arg instead of --name flag
- --name flag kept as deprecated alias for backwards compatibility
- Name is required for both enrollment and identity flows

Backend:
- Reject creating enrollment tokens with duplicate names
- Reject creating tokens when a gateway with that name exists
- Remove ttlSeconds parameter, hardcode 1-hour TTL
- Return expired unused tokens from list endpoint for UI display

Frontend:
- Show expired standalone tokens with red "Expired" badge and status
- Client-side duplicate name check before creating tokens
- Generated CLI commands use positional name arg
- Use isTokenOnly instead of isPending for delete/re-enroll logic
Merge origin/main, combining RequestContextKey import with UnauthorizedError and TGatewayAccessTokenJwtPayload imports.
… simplify token version check
GATEWAY actors carry a gateway ID, not an identity ID. The session authorization checks in updateLogsById, endSessionById, and uploadEventBatch were comparing actor.id against gatewayIdentityId, which would never match for enrollment-flow gateways.
Replace findOne + updateById with a single UPDATE WHERE usedAt IS NULL so concurrent enrollment requests can't both consume the same token.
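The race that this commit closes, as an added example that is not Infisical's code: an in-memory table (a constructed fixture) stands in for gateway_enrollment_tokens, the check-then-act path mirrors findOne + updateById, and consumeIfUnused mirrors the single conditional UPDATE; TokenTable, enrollRacy, enrollAtomic and countSuccessfulEnrollments are assumed names.

```typescript
// Added example, not Infisical's code. Every table method yields to the event loop once
// to mimic an awaited database round-trip, which is what lets concurrent requests interleave.
type EnrollmentToken = { id: string; gatewayId: string; usedAt: Date | null; expiresAt: Date };
const roundTrip = () => new Promise<void>((resolve) => setTimeout(() => resolve(), 0));

class TokenTable {
  private rows = new Map<string, EnrollmentToken>();
  constructor(rows: EnrollmentToken[]) { for (const r of rows) this.rows.set(r.id, { ...r }); }
  async findOne(id: string): Promise<EnrollmentToken | undefined> {
    await roundTrip();
    const row = this.rows.get(id);
    return row ? { ...row } : undefined;
  }
  async updateById(id: string, patch: Partial<EnrollmentToken>): Promise<void> {
    await roundTrip();
    const row = this.rows.get(id);
    if (row) Object.assign(row, patch);
  }
  // Mirrors UPDATE ... SET usedAt = now WHERE id = ? AND usedAt IS NULL RETURNING *:
  // the predicate and the write are evaluated together, so only one caller gets the row.
  async consumeIfUnused(id: string, now: Date): Promise<EnrollmentToken | undefined> {
    await roundTrip();
    const row = this.rows.get(id);
    if (!row || row.usedAt !== null || row.expiresAt.getTime() <= now.getTime()) return undefined;
    row.usedAt = now;
    return { ...row };
  }
}
// Check-then-act: between findOne and updateById another request can still read usedAt === null.
async function enrollRacy(db: TokenTable, id: string, now: Date): Promise<boolean> {
  const token = await db.findOne(id);
  if (!token || token.usedAt !== null || token.expiresAt.getTime() <= now.getTime()) return false;
  await db.updateById(id, { usedAt: now });
  return true;
}
// Atomic: the conditional update either consumes the token or reports it as already used.
async function enrollAtomic(db: TokenTable, id: string, now: Date): Promise<boolean> {
  return (await db.consumeIfUnused(id, now)) !== undefined;
}
// Fires `attempts` concurrent enrollments against one fresh token and counts the successes.
async function countSuccessfulEnrollments(
  enroll: (db: TokenTable, id: string, now: Date) => Promise<boolean>,
  attempts: number
): Promise<number> {
  const now = new Date("2024-01-01T00:00:00Z");
  const db = new TokenTable([{ id: "tok-1", gatewayId: "gw-1", usedAt: null, expiresAt: new Date(now.getTime() + 3_600_000) }]);
  const results = await Promise.all(Array.from({ length: attempts }, () => enroll(db, "tok-1", now)));
  return results.filter(Boolean).length; // racy: every attempt succeeds; atomic: exactly 1
}
```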
…nal re-enroll
- Split gatewaysQueryKeys.list() (shared, no tokens) from listWithTokens() (Gateway tab only) so gateway pickers in other forms don't show enrollment tokens as selectable gateways
- Wrap both re-enroll branches in transactions so tokenVersion bump, old token cleanup, and new token creation are atomic
Defer JWT invalidation from re-enroll time to enrollment time so the old gateway keeps running until the new machine actually enrolls. Show "Re-enrolling" badge on gateways with pending re-enrollment tokens without overriding their health status.
- Add enrollment token as the recommended deployment method in the gateway deployment guide with step-by-step instructions
- Document gateway lifecycle states (Pending, Expired, Unregistered, Healthy, Unreachable, Re-enrolling)
- Document re-enrollment flow and zero-downtime machine migration
- Add enrollment token auth method to CLI reference
- Update all CLI examples to use positional name argument
- Mark --name flag as deprecated in favor of positional argument
- Add --enroll-method flag documentation for both start and systemd
- Add gatewayId to session response schema so frontend can detect enrollment-flow gateway sessions (where gatewayIdentityId is null)
- Fix checkAndExpireSessionIfNeeded to also check gatewayId
- Fix isGatewaySession check in PamSessionByIDPage to match PamSessionRow
Gateway record now exists immediately when the enrollment token is created, so other features (K8s auth, dynamic secrets, app connections) can reference it by ID before the CLI enrolls.
- createEnrollmentToken creates both gateway and token in one transaction
- enrollGateway always updates existing gateway (no more create branch)
- reEnrollGateway simplified to gatewayId only (no more tokenId branch)
- Remove isTokenOnly from frontend, every list item is a real gateway
- Simplify delete handler, query logic, and re-enroll modal
…llment-tokens Move enrollment token status onto the gateway list response so the frontend doesn't need a separate API call. Remove the now-unused GET /enrollment-tokens endpoint and listEnrollmentTokens service method.
- POST /api/v3/gateways - Create a gateway
- POST /api/v3/gateways/:id/token-auth/configure - Generate enrollment token
- POST /api/v3/gateways/token-auth/enroll - Enroll with token
- POST /api/v3/gateways/connect - Refresh certs

Remove V2 enrollment endpoints (enrollment-tokens, re-enroll, enroll). Frontend uses V3 create + token-auth/configure. Re-enroll uses token-auth/configure directly.
…rvices and update permission service types
Added new vercel sync feature
feat: add new vercel sync feature
feat(pam): move ad server resources to dedicated domains section
* remove upgrade-path page and backend service
* remove orphan files and update docs
The Font Awesome kubernetes icon wasn't resolving in Mintlify, leaving the Kubernetes card without a logo while every other card rendered one. Swap to a hosted SVG from simpleicons so the logo shows consistently. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat: updated default config for request
…#6084)
* feat(pki): PQC readiness pie + trend chart and inventory preset views
* fix(pki): stretch KPI cards to equal height on dashboard. UnstableCard defaults to h-fit which disables flex items-stretch; other dashboard cards override with h-auto but KpiCards didn't, so cards without a badge (Expiring Soon, Expired) rendered shorter than the rest.
* fix(pki): stretch PQC trend card to match pie in same row. Missed h-auto on PqcTrend so it kept h-fit from UnstableCard default, breaking stretch alignment with PqcReadinessChart beside it.
* fix(pki): let PQC trend card shrink with viewport. min-w-[400px] prevented the trend card from shrinking below 400px, causing overflow/clipping at narrow widths. Drop the min-width and let it behave like ActivityTrend.
feat: resolved ts error and new token type
Card color="#000000" gives the icon a dark accent background; a black SVG fill renders invisible against it. Font Awesome glyphs like docker and aws inherit a white foreground via CSS, so they look correct. The URL-based SVG bakes color in, so switch the simpleicons fill to white to match the other cards. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Card background is light, so black renders correctly. Reverts the white fill from the previous commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
docs(selfhost): render kubernetes logo on self-hosting overview card
) Follow-up to #6084 — missed updating PqcReadinessChart and PqcTrend after the Unstable prefix was removed from v3 components.
Co-Authored-By: bernie <bernie@infisical.com>
feat: removed secret rotation v1
Co-Authored-By: bernie <bernie@infisical.com>
…eway-systemd feat(frontend): show systemd CLI command in re-enroll gateway modal