From 2e9ddbaea3b58883027cb08a0bf0ceb796cef965 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:15 +0530
Subject: [PATCH 001/118] feat: add Team, TeamMembership, TeamAppEnvironment,
 EnvironmentKeyGrant models and server-side key wrapping

---
 .../api/migrations/0120_add_team_models.py    |  73 ++++++++
 .../0121_backfill_environment_key_grants.py   |  46 +++++
 backend/api/models.py                         | 122 +++++++++++++
 backend/api/utils/keys.py                     | 169 ++++++++++++++++++
 4 files changed, 410 insertions(+)
 create mode 100644 backend/api/migrations/0120_add_team_models.py
 create mode 100644 backend/api/migrations/0121_backfill_environment_key_grants.py
 create mode 100644 backend/api/utils/keys.py

diff --git a/backend/api/migrations/0120_add_team_models.py b/backend/api/migrations/0120_add_team_models.py
new file mode 100644
index 000000000..66f16242b
--- /dev/null
+++ b/backend/api/migrations/0120_add_team_models.py
@@ -0,0 +1,73 @@
+# Generated by Django 4.2.29 on 2026-03-30 11:38
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0119_secretevent_type_field'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Team',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('description', models.TextField(blank=True, null=True)),
+                ('is_scim_managed', models.BooleanField(default=False)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('created_by', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='created_teams', to='api.organisationmember')),
+                ('member_role', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='teams_as_member_role', to='api.role')),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='teams', to='api.organisation')),
+                ('service_account_role', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='teams_as_sa_role', to='api.role')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='TeamMembership',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('org_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='team_memberships', to='api.organisationmember')),
+                ('service_account', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='team_memberships', to='api.serviceaccount')),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='memberships', to='api.team')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='TeamAppEnvironment',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('app', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.app')),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='app_environments', to='api.team')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='EnvironmentKeyGrant',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('grant_type', models.CharField(choices=[('individual', 'Individual'), ('team', 'Team')], max_length=20)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('environment_key', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='grants', to='api.environmentkey')),
+                ('team', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='key_grants', to='api.team')),
+            ],
+        ),
+        migrations.AddConstraint(
+            model_name='teammembership',
+            constraint=models.UniqueConstraint(condition=models.Q(('org_member__isnull', False)), fields=('team', 'org_member'), name='unique_team_user'),
+        ),
+        migrations.AddConstraint(
+            model_name='teammembership',
+            constraint=models.UniqueConstraint(condition=models.Q(('service_account__isnull', False)), fields=('team', 'service_account'), name='unique_team_sa'),
+        ),
+        migrations.AddConstraint(
+            model_name='teamappenvironment',
+            constraint=models.UniqueConstraint(fields=('team', 'environment'), name='unique_team_env'),
+        ),
+    ]
diff --git a/backend/api/migrations/0121_backfill_environment_key_grants.py b/backend/api/migrations/0121_backfill_environment_key_grants.py
new file mode 100644
index 000000000..70e975ea4
--- /dev/null
+++ b/backend/api/migrations/0121_backfill_environment_key_grants.py
@@ -0,0 +1,46 @@
+# Generated by Django 4.2.29 on 2026-03-30 11:38
+
+from django.db import migrations
+
+
+def backfill_grants(apps, schema_editor):
+    """
+    Create an 'individual' EnvironmentKeyGrant for every existing EnvironmentKey.
+    This ensures the grant-tracking system works from day one — all pre-existing
+    keys are attributed to individual access.
+    """
+    EnvironmentKey = apps.get_model("api", "EnvironmentKey")
+    EnvironmentKeyGrant = apps.get_model("api", "EnvironmentKeyGrant")
+
+    grants_to_create = []
+    for ek in EnvironmentKey.objects.filter(deleted_at__isnull=True).iterator():
+        grants_to_create.append(
+            EnvironmentKeyGrant(
+                environment_key=ek,
+                grant_type="individual",
+                team=None,
+            )
+        )
+        if len(grants_to_create) >= 1000:
+            EnvironmentKeyGrant.objects.bulk_create(grants_to_create, ignore_conflicts=True)
+            grants_to_create = []
+
+    if grants_to_create:
+        EnvironmentKeyGrant.objects.bulk_create(grants_to_create, ignore_conflicts=True)
+
+
+def reverse_backfill(apps, schema_editor):
+    """Remove all individual grants created by the forward migration."""
+    EnvironmentKeyGrant = apps.get_model("api", "EnvironmentKeyGrant")
+    EnvironmentKeyGrant.objects.filter(grant_type="individual", team__isnull=True).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0120_add_team_models"),
+    ]
+
+    operations = [
+        migrations.RunPython(backfill_grants, reverse_backfill),
+    ]
diff --git a/backend/api/models.py b/backend/api/models.py
index 771be6308..e6877bea1 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -1060,6 +1060,128 @@ class PersonalSecret(models.Model):
     deleted_at = models.DateTimeField(blank=True, null=True)
 
 
+class Team(models.Model):
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    name = models.CharField(max_length=64)
+    description = models.TextField(null=True, blank=True)
+    organisation = models.ForeignKey(
+        Organisation, on_delete=models.CASCADE, related_name="teams"
+    )
+
+    # Optional roles — when set, override org role's app_permissions for team-accessed apps
+    member_role = models.ForeignKey(
+        Role,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="teams_as_member_role",
+    )
+    service_account_role = models.ForeignKey(
+        Role,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="teams_as_sa_role",
+    )
+
+    is_scim_managed = models.BooleanField(default=False)
+    created_by = models.ForeignKey(
+        OrganisationMember,
+        null=True,
+        on_delete=models.SET_NULL,
+        related_name="created_teams",
+    )
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+    deleted_at = models.DateTimeField(null=True, blank=True)
+
+    def delete(self, *args, **kwargs):
+        self.deleted_at = timezone.now()
+        self.save()
+
+    def __str__(self):
+        return f"{self.name} ({self.organisation.name})"
+
+
+class TeamMembership(models.Model):
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    team = models.ForeignKey(
+        Team, on_delete=models.CASCADE, related_name="memberships"
+    )
+    org_member = models.ForeignKey(
+        OrganisationMember,
+        on_delete=models.CASCADE,
+        null=True,
+        blank=True,
+        related_name="team_memberships",
+    )
+    service_account = models.ForeignKey(
+        ServiceAccount,
+        on_delete=models.CASCADE,
+        null=True,
+        blank=True,
+        related_name="team_memberships",
+    )
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+
+    class Meta:
+        constraints = [
+            models.UniqueConstraint(
+                fields=["team", "org_member"],
+                condition=models.Q(org_member__isnull=False),
+                name="unique_team_user",
+            ),
+            models.UniqueConstraint(
+                fields=["team", "service_account"],
+                condition=models.Q(service_account__isnull=False),
+                name="unique_team_sa",
+            ),
+        ]
+
+
+class TeamAppEnvironment(models.Model):
+    """Tracks which environments within an app a team has access to."""
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    team = models.ForeignKey(
+        Team, on_delete=models.CASCADE, related_name="app_environments"
+    )
+    app = models.ForeignKey(App, on_delete=models.CASCADE)
+    environment = models.ForeignKey(Environment, on_delete=models.CASCADE)
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+
+    class Meta:
+        constraints = [
+            models.UniqueConstraint(
+                fields=["team", "environment"],
+                name="unique_team_env",
+            )
+        ]
+
+
+class EnvironmentKeyGrant(models.Model):
+    """Tracks why an EnvironmentKey exists — prevents accidental revocation
+    when removing team access."""
+
+    INDIVIDUAL = "individual"
+    TEAM = "team"
+
+    GRANT_TYPE_CHOICES = [
+        (INDIVIDUAL, "Individual"),
+        (TEAM, "Team"),
+    ]
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    environment_key = models.ForeignKey(
+        EnvironmentKey, on_delete=models.CASCADE, related_name="grants"
+    )
+    grant_type = models.CharField(max_length=20, choices=GRANT_TYPE_CHOICES)
+    team = models.ForeignKey(
+        Team, on_delete=models.CASCADE, null=True, blank=True, related_name="key_grants"
+    )
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+
+
 class Lockbox(models.Model):
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
     data = models.JSONField()
diff --git a/backend/api/utils/keys.py b/backend/api/utils/keys.py
new file mode 100644
index 000000000..5a0456c0c
--- /dev/null
+++ b/backend/api/utils/keys.py
@@ -0,0 +1,169 @@
+"""
+Server-side key wrapping utilities for team-based access.
+
+When a team is granted access to an SSE-enabled app, the server wraps
+EnvironmentKeys for each team member using ServerEnvironmentKey data.
+"""
+
+from django.apps import apps
+from django.utils import timezone
+from api.utils.crypto import (
+    get_server_keypair,
+    decrypt_asymmetric,
+    encrypt_asymmetric,
+)
+
+
+def server_wrap_env_key_for_member(environment, identity_key):
+    """
+    Unwraps a ServerEnvironmentKey and re-wraps the seed/salt for a user's
+    identity_key. Returns (wrapped_seed, wrapped_salt).
+
+    Requires SSE to be enabled on the app (ServerEnvironmentKey must exist).
+    """
+    ServerEnvironmentKey = apps.get_model("api", "ServerEnvironmentKey")
+
+    server_env_key = ServerEnvironmentKey.objects.get(
+        environment=environment, deleted_at__isnull=True
+    )
+    server_pk, server_sk = get_server_keypair()
+
+    seed = decrypt_asymmetric(
+        server_env_key.wrapped_seed, server_sk.hex(), server_pk.hex()
+    )
+    salt = decrypt_asymmetric(
+        server_env_key.wrapped_salt, server_sk.hex(), server_pk.hex()
+    )
+
+    wrapped_seed = encrypt_asymmetric(seed, identity_key)
+    wrapped_salt = encrypt_asymmetric(salt, identity_key)
+    return wrapped_seed, wrapped_salt
+
+
+def provision_team_environment_keys(team, app, members=None):
+    """
+    Wraps EnvironmentKeys for team members for a given app's team environments.
+
+    Called when:
+    - A team is granted access to an app (AddTeamApps)
+    - A member is added to a team that already has app access (AddTeamMembers)
+    - A SCIM-provisioned user completes their key ceremony (first login)
+
+    Skips members without an identity_key (deferred until first login).
+    """
+    Environment = apps.get_model("api", "Environment")
+    EnvironmentKey = apps.get_model("api", "EnvironmentKey")
+    EnvironmentKeyGrant = apps.get_model("api", "EnvironmentKeyGrant")
+    TeamAppEnvironment = apps.get_model("api", "TeamAppEnvironment")
+
+    if not app.sse_enabled:
+        raise ValueError("Team-based access requires SSE-enabled apps.")
+
+    env_ids = TeamAppEnvironment.objects.filter(
+        team=team, app=app
+    ).values_list("environment_id", flat=True)
+    environments = Environment.objects.filter(id__in=env_ids, deleted_at__isnull=True)
+
+    if members is None:
+        members = team.memberships.all()
+
+    for env in environments:
+        for membership in members:
+            account = membership.org_member or membership.service_account
+            if not account or not account.identity_key:
+                continue  # Deferred until first login
+
+            is_user = membership.org_member is not None
+            key_filter = {
+                "environment": env,
+                "user_id": membership.org_member_id if is_user else None,
+                "service_account_id": (
+                    membership.service_account_id if not is_user else None
+                ),
+            }
+
+            env_key = EnvironmentKey.objects.filter(
+                deleted_at__isnull=True, **key_filter
+            ).first()
+
+            if not env_key:
+                wrapped_seed, wrapped_salt = server_wrap_env_key_for_member(
+                    env, account.identity_key
+                )
+                env_key = EnvironmentKey.objects.create(
+                    **key_filter,
+                    identity_key=account.identity_key,
+                    wrapped_seed=wrapped_seed,
+                    wrapped_salt=wrapped_salt,
+                )
+
+            EnvironmentKeyGrant.objects.get_or_create(
+                environment_key=env_key,
+                grant_type="team",
+                team=team,
+            )
+
+
+def revoke_team_environment_keys(team, app=None, member=None, environments=None):
+    """
+    Removes team-specific EnvironmentKeyGrants.
+    Soft-deletes EnvironmentKeys that have no remaining grants.
+
+    Called when:
+    - A team is removed from an app (RemoveTeamApp)
+    - A member is removed from a team (RemoveTeamMember)
+    - A team is deleted (DeleteTeam)
+    - Specific environments are removed from a team-app link (UpdateTeamAppEnvironments)
+    """
+    EnvironmentKey = apps.get_model("api", "EnvironmentKey")
+    EnvironmentKeyGrant = apps.get_model("api", "EnvironmentKeyGrant")
+
+    grant_filter = {"grant_type": "team", "team": team}
+    if app:
+        grant_filter["environment_key__environment__app"] = app
+    if environments is not None:
+        grant_filter["environment_key__environment__in"] = environments
+    if member:
+        if hasattr(member, "user"):
+            grant_filter["environment_key__user_id"] = member.id
+        else:
+            grant_filter["environment_key__service_account_id"] = member.id
+
+    grants = EnvironmentKeyGrant.objects.filter(**grant_filter)
+    env_key_ids = list(grants.values_list("environment_key_id", flat=True))
+    grants.delete()
+
+    # Soft-delete orphaned EnvironmentKeys (no remaining grants)
+    for ek_id in env_key_ids:
+        if not EnvironmentKeyGrant.objects.filter(environment_key_id=ek_id).exists():
+            EnvironmentKey.objects.filter(id=ek_id).update(
+                deleted_at=timezone.now()
+            )
+
+
+def provision_pending_team_keys(org_member):
+    """
+    Called after a user completes their key ceremony (first login).
+    Wraps EnvironmentKeys for all team-accessible SSE environments
+    that the user didn't yet have keys for.
+    """
+    App = apps.get_model("api", "App")
+    TeamMembership = apps.get_model("api", "TeamMembership")
+    TeamAppEnvironment = apps.get_model("api", "TeamAppEnvironment")
+
+    team_memberships = TeamMembership.objects.filter(
+        org_member=org_member,
+        team__deleted_at__isnull=True,
+    ).select_related("team")
+
+    for tm in team_memberships:
+        team_app_ids = (
+            TeamAppEnvironment.objects.filter(team=tm.team)
+            .values_list("app_id", flat=True)
+            .distinct()
+        )
+
+        for app_id in team_app_ids:
+            app = App.objects.get(id=app_id)
+            if app.sse_enabled:
+                provision_team_environment_keys(tm.team, app, members=[tm])

From 64f7e125510aefe2c215ae85aee7e697bfc91d73 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:18 +0530
Subject: [PATCH 002/118] feat: add Teams permission resource and team role
 override resolution to permission checks

---
 backend/api/utils/access/permissions.py | 75 ++++++++++++++++++++++++-
 backend/api/utils/access/roles.py       |  5 ++
 2 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index 4a08982a5..add8d74ae 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -23,12 +23,23 @@ def user_is_org_member(user_id, org_id):
 def user_can_access_app(user_id, app_id):
     OrganisationMember = apps.get_model("api", "OrganisationMember")
     App = apps.get_model("api", "App")
+    TeamMembership = apps.get_model("api", "TeamMembership")
 
     app = App.objects.get(id=app_id)
     org_member = OrganisationMember.objects.get(
         user_id=user_id, organisation=app.organisation, deleted_at=None
     )
-    return org_member in app.members.all()
+
+    # Individual access
+    if org_member in app.members.all():
+        return True
+
+    # Team access
+    return TeamMembership.objects.filter(
+        org_member=org_member,
+        team__app_environments__app=app,
+        team__deleted_at__isnull=True,
+    ).exists()
 
 
 def user_can_access_environment(user_id, env_id):
@@ -88,6 +99,56 @@ def role_has_permission(role, action, resource, is_app_resource=False):
     return action in resource_permissions
 
 
+def _check_app_permission(account, action, resource, app, is_service_account=False):
+    """
+    Check app-level permission considering both individual and team access.
+
+    - Individual access: uses org role's app_permissions
+    - Team access: uses team role's app_permissions (override model)
+    - Multiple teams: union — if ANY team role grants the permission, allow it
+    - Team role is null: uses org role (team is purely an access group)
+    """
+    Team = apps.get_model("api", "Team")
+
+    if is_service_account:
+        has_individual = app.service_accounts.filter(id=account.id).exists()
+        org_role = account.role
+        role_field = "service_account_role"
+        membership_filter = {"memberships__service_account": account}
+    else:
+        has_individual = account in app.members.all()
+        org_role = account.role
+        role_field = "member_role"
+        membership_filter = {"memberships__org_member": account}
+
+    # Individual access → org role, no team override
+    if has_individual:
+        return role_has_permission(org_role, action, resource, is_app_resource=True)
+
+    # Team access — find all teams granting access to this app
+    teams = Team.objects.filter(
+        app_environments__app=app,
+        deleted_at__isnull=True,
+        **membership_filter,
+    ).distinct()
+
+    if not teams.exists():
+        return False  # No access
+
+    # Union: if ANY team role grants this permission, allow it
+    for team in teams:
+        team_role = getattr(team, role_field)
+        if team_role is None:
+            # No team role → use org role (most permissive possible)
+            if role_has_permission(org_role, action, resource, is_app_resource=True):
+                return True
+        else:
+            if role_has_permission(team_role, action, resource, is_app_resource=True):
+                return True
+
+    return False
+
+
 def user_has_permission(
     account,
     action,
@@ -95,6 +156,7 @@ def user_has_permission(
     organisation,
     is_app_resource=False,
     is_service_account=False,
+    app=None,
 ):
     OrganisationMember = apps.get_model("api", "OrganisationMember")
 
@@ -108,7 +170,16 @@ def user_has_permission(
                 user=account, organisation=organisation, deleted_at=None
             )
 
-        return role_has_permission(org_member.role, action, resource, is_app_resource)
+        # Org-level permissions — always use org role
+        if not is_app_resource or app is None:
+            return role_has_permission(
+                org_member.role, action, resource, is_app_resource
+            )
+
+        # App-level permissions — resolve effective role via team access
+        return _check_app_permission(
+            org_member, action, resource, app, is_service_account
+        )
 
     except OrganisationMember.DoesNotExist:
         return False  # User is not a member of the organization
diff --git a/backend/api/utils/access/roles.py b/backend/api/utils/access/roles.py
index b61f249aa..e19823eca 100644
--- a/backend/api/utils/access/roles.py
+++ b/backend/api/utils/access/roles.py
@@ -17,6 +17,7 @@
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
             "SSO": ["create", "read", "update", "delete"],
+            "Teams": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
@@ -50,6 +51,7 @@
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
             "SSO": ["create", "read", "update", "delete"],
+            "Teams": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
@@ -82,6 +84,7 @@
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
             "SSO": [],
+            "Teams": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update"],
@@ -118,6 +121,7 @@
             ],
             "NetworkAccessPolicies": ["read"],
             "SSO": [],
+            "Teams": ["read"],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update"],
@@ -150,6 +154,7 @@
             "IntegrationCredentials": ["read"],
             "NetworkAccessPolicies": ["read"],
             "SSO": [],
+            "Teams": [],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update", "delete"],

From 44aae4c692c284b2f631f8af9b8ae682c6092730 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:22 +0530
Subject: [PATCH 003/118] feat: add GraphQL types, mutations, and queries for
 teams

---
 backend/backend/graphene/mutations/teams.py | 451 ++++++++++++++++++++
 backend/backend/graphene/queries/teams.py   |  30 ++
 backend/backend/graphene/types.py           |  86 +++-
 backend/backend/schema.py                   |  67 ++-
 4 files changed, 621 insertions(+), 13 deletions(-)
 create mode 100644 backend/backend/graphene/mutations/teams.py
 create mode 100644 backend/backend/graphene/queries/teams.py

diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
new file mode 100644
index 000000000..175ac3ca9
--- /dev/null
+++ b/backend/backend/graphene/mutations/teams.py
@@ -0,0 +1,451 @@
+import graphene
+from graphql import GraphQLError
+from django.utils import timezone
+from api.models import (
+    App,
+    Environment,
+    Organisation,
+    OrganisationMember,
+    Role,
+    ServiceAccount,
+    Team,
+    TeamAppEnvironment,
+    TeamMembership,
+)
+from api.utils.access.permissions import (
+    user_can_access_app,
+    user_has_permission,
+    user_is_org_member,
+)
+from api.utils.keys import (
+    provision_team_environment_keys,
+    revoke_team_environment_keys,
+)
+from backend.quotas import can_use_teams
+from backend.graphene.types import TeamType, MemberType
+
+
+def _get_org_member(user, org):
+    """Get the requesting user's OrganisationMember."""
+    return OrganisationMember.objects.get(
+        user=user, organisation=org, deleted_at=None
+    )
+
+
+class CreateTeamMutation(graphene.Mutation):
+    class Arguments:
+        organisation_id = graphene.ID(required=True)
+        name = graphene.String(required=True)
+        description = graphene.String(required=False)
+        member_role_id = graphene.ID(required=False)
+        service_account_role_id = graphene.ID(required=False)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        organisation_id,
+        name,
+        description=None,
+        member_role_id=None,
+        service_account_role_id=None,
+    ):
+        user = info.context.user
+        org = Organisation.objects.get(id=organisation_id)
+
+        if not user_is_org_member(user.userId, organisation_id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "create", "Teams", org):
+            raise GraphQLError("You don't have permission to create Teams")
+
+        if not can_use_teams(org):
+            raise GraphQLError(
+                "Teams require a Pro or Enterprise plan. Please upgrade to use this feature."
+            )
+
+        if not name or not name.strip():
+            raise GraphQLError("Team name cannot be blank")
+        if len(name) > 64:
+            raise GraphQLError("Team name cannot exceed 64 characters")
+
+        member_role = None
+        if member_role_id:
+            member_role = Role.objects.get(id=member_role_id, organisation=org)
+
+        sa_role = None
+        if service_account_role_id:
+            sa_role = Role.objects.get(id=service_account_role_id, organisation=org)
+
+        org_member = _get_org_member(user, org)
+
+        team = Team.objects.create(
+            name=name.strip(),
+            description=description,
+            organisation=org,
+            member_role=member_role,
+            service_account_role=sa_role,
+            created_by=org_member,
+        )
+
+        # Auto-add the creator as a team member
+        TeamMembership.objects.create(team=team, org_member=org_member)
+
+        return CreateTeamMutation(team=team)
+
+
+class UpdateTeamMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        name = graphene.String(required=False)
+        description = graphene.String(required=False)
+        member_role_id = graphene.ID(required=False)
+        service_account_role_id = graphene.ID(required=False)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        team_id,
+        name=None,
+        description=None,
+        member_role_id=None,
+        service_account_role_id=None,
+    ):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "update", "Teams", org):
+            raise GraphQLError("You don't have permission to update Teams")
+
+        if team.is_scim_managed:
+            raise GraphQLError(
+                "This team is managed by SCIM and cannot be manually updated"
+            )
+
+        if name is not None:
+            if not name or not name.strip():
+                raise GraphQLError("Team name cannot be blank")
+            if len(name) > 64:
+                raise GraphQLError("Team name cannot exceed 64 characters")
+            team.name = name.strip()
+
+        if description is not None:
+            team.description = description
+
+        if member_role_id is not None:
+            if member_role_id == "":
+                team.member_role = None
+            else:
+                team.member_role = Role.objects.get(
+                    id=member_role_id, organisation=org
+                )
+
+        if service_account_role_id is not None:
+            if service_account_role_id == "":
+                team.service_account_role = None
+            else:
+                team.service_account_role = Role.objects.get(
+                    id=service_account_role_id, organisation=org
+                )
+
+        team.save()
+        return UpdateTeamMutation(team=team)
+
+
+class DeleteTeamMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+
+    ok = graphene.Boolean()
+
+    @classmethod
+    def mutate(cls, root, info, team_id):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "delete", "Teams", org):
+            raise GraphQLError("You don't have permission to delete Teams")
+
+        # Revoke all team environment key grants
+        revoke_team_environment_keys(team)
+
+        team.deleted_at = timezone.now()
+        team.save()
+
+        return DeleteTeamMutation(ok=True)
+
+
+class AddTeamMembersMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        member_ids = graphene.List(graphene.NonNull(graphene.ID), required=True)
+        member_type = MemberType(required=False, default_value=MemberType.USER)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(cls, root, info, team_id, member_ids, member_type=MemberType.USER):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "update", "Teams", org):
+            raise GraphQLError("You don't have permission to manage Teams")
+
+        if team.is_scim_managed:
+            raise GraphQLError(
+                "This team is managed by SCIM. Members cannot be manually added."
+            )
+
+        new_memberships = []
+        for mid in member_ids:
+            if member_type == MemberType.USER:
+                member = OrganisationMember.objects.get(
+                    id=mid, organisation=org, deleted_at=None
+                )
+                if TeamMembership.objects.filter(
+                    team=team, org_member=member
+                ).exists():
+                    continue
+                tm = TeamMembership.objects.create(team=team, org_member=member)
+            else:
+                sa = ServiceAccount.objects.get(
+                    id=mid, organisation=org, deleted_at=None
+                )
+                if TeamMembership.objects.filter(
+                    team=team, service_account=sa
+                ).exists():
+                    continue
+                tm = TeamMembership.objects.create(team=team, service_account=sa)
+            new_memberships.append(tm)
+
+        # Provision environment keys for new members on all team apps
+        if new_memberships:
+            app_ids = (
+                TeamAppEnvironment.objects.filter(team=team)
+                .values_list("app_id", flat=True)
+                .distinct()
+            )
+            for app_id in app_ids:
+                app = App.objects.get(id=app_id)
+                if app.sse_enabled:
+                    provision_team_environment_keys(
+                        team, app, members=new_memberships
+                    )
+
+        return AddTeamMembersMutation(team=team)
+
+
+class RemoveTeamMemberMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        member_id = graphene.ID(required=True)
+        member_type = MemberType(required=False, default_value=MemberType.USER)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(cls, root, info, team_id, member_id, member_type=MemberType.USER):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "update", "Teams", org):
+            raise GraphQLError("You don't have permission to manage Teams")
+
+        if team.is_scim_managed:
+            raise GraphQLError(
+                "This team is managed by SCIM. Members cannot be manually removed."
+            )
+
+        if member_type == MemberType.USER:
+            member = OrganisationMember.objects.get(id=member_id, deleted_at=None)
+            membership = TeamMembership.objects.get(team=team, org_member=member)
+            revoke_team_environment_keys(team, member=member)
+        else:
+            member = ServiceAccount.objects.get(id=member_id, deleted_at=None)
+            membership = TeamMembership.objects.get(team=team, service_account=member)
+            revoke_team_environment_keys(team, member=member)
+
+        membership.delete()
+
+        return RemoveTeamMemberMutation(team=team)
+
+
+class AppEnvironmentInput(graphene.InputObjectType):
+    app_id = graphene.ID(required=True)
+    env_ids = graphene.List(graphene.NonNull(graphene.ID), required=True)
+
+
+class AddTeamAppsMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        app_envs = graphene.List(
+            graphene.NonNull(AppEnvironmentInput), required=True
+        )
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(cls, root, info, team_id, app_envs):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "update", "Teams", org):
+            raise GraphQLError("You don't have permission to manage Teams")
+
+        for app_env in app_envs:
+            app = App.objects.get(id=app_env.app_id, organisation=org)
+
+            # Actor must have access to the app
+            if not user_can_access_app(user.userId, app.id):
+                raise GraphQLError(
+                    f"You don't have access to app '{app.name}'"
+                )
+
+            # Team access requires SSE
+            if not app.sse_enabled:
+                raise GraphQLError(
+                    f"App '{app.name}' does not have server-side encryption enabled. "
+                    "Team-based access requires SSE."
+                )
+
+            for env_id in app_env.env_ids:
+                env = Environment.objects.get(id=env_id, app=app)
+                TeamAppEnvironment.objects.get_or_create(
+                    team=team, app=app, environment=env
+                )
+
+            # Provision keys for all team members
+            provision_team_environment_keys(team, app)
+
+        return AddTeamAppsMutation(team=team)
+
+
+class RemoveTeamAppMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        app_id = graphene.ID(required=True)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(cls, root, info, team_id, app_id):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "update", "Teams", org):
+            raise GraphQLError("You don't have permission to manage Teams")
+
+        app = App.objects.get(id=app_id, organisation=org)
+
+        # Revoke grants before removing the app-env links
+        revoke_team_environment_keys(team, app=app)
+
+        TeamAppEnvironment.objects.filter(team=team, app=app).delete()
+
+        return RemoveTeamAppMutation(team=team)
+
+
+class UpdateTeamAppEnvironmentsMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        app_id = graphene.ID(required=True)
+        env_ids = graphene.List(graphene.NonNull(graphene.ID), required=True)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(cls, root, info, team_id, app_id, env_ids):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        if not user_has_permission(user, "update", "Teams", org):
+            raise GraphQLError("You don't have permission to manage Teams")
+
+        app = App.objects.get(id=app_id, organisation=org)
+
+        if not user_can_access_app(user.userId, app.id):
+            raise GraphQLError("You don't have access to this app")
+
+        if not app.sse_enabled:
+            raise GraphQLError(
+                "Team-based access requires server-side encryption."
+            )
+
+        # Determine which environments to add/remove
+        current_env_ids = set(
+            TeamAppEnvironment.objects.filter(team=team, app=app).values_list(
+                "environment_id", flat=True
+            )
+        )
+        new_env_ids = set(env_ids)
+
+        # Validate all new env_ids belong to this app
+        valid_env_ids = set(
+            Environment.objects.filter(
+                id__in=new_env_ids, app=app
+            ).values_list("id", flat=True)
+        )
+        invalid = new_env_ids - valid_env_ids
+        if invalid:
+            raise GraphQLError(
+                "Some environment IDs do not belong to this app"
+            )
+
+        to_remove = current_env_ids - new_env_ids
+        to_add = new_env_ids - current_env_ids
+
+        # Remove environments no longer in scope
+        if to_remove:
+            envs_to_remove = Environment.objects.filter(id__in=to_remove)
+            revoke_team_environment_keys(team, app=app, environments=envs_to_remove)
+            TeamAppEnvironment.objects.filter(
+                team=team, app=app, environment_id__in=to_remove
+            ).delete()
+
+        # Add new environments
+        for env_id in to_add:
+            env = Environment.objects.get(id=env_id, app=app)
+            TeamAppEnvironment.objects.get_or_create(
+                team=team, app=app, environment=env
+            )
+
+        # Provision keys for newly added environments
+        if to_add:
+            provision_team_environment_keys(team, app)
+
+        return UpdateTeamAppEnvironmentsMutation(team=team)
diff --git a/backend/backend/graphene/queries/teams.py b/backend/backend/graphene/queries/teams.py
new file mode 100644
index 000000000..b88d207e4
--- /dev/null
+++ b/backend/backend/graphene/queries/teams.py
@@ -0,0 +1,30 @@
+from graphql import GraphQLError
+from api.models import Team, OrganisationMember
+from api.utils.access.permissions import (
+    user_has_permission,
+    user_is_org_member,
+)
+
+
+def resolve_teams(root, info, organisation_id, team_id=None):
+    """Return teams visible to the requesting user."""
+    user = info.context.user
+
+    if not user_is_org_member(user.userId, organisation_id):
+        raise GraphQLError("You don't have access to this organisation")
+
+    org_member = OrganisationMember.objects.get(
+        user_id=user.userId, organisation_id=organisation_id, deleted_at=None
+    )
+
+    if not user_has_permission(user, "read", "Teams", org_member.organisation):
+        return []
+
+    qs = Team.objects.filter(
+        organisation_id=organisation_id, deleted_at__isnull=True
+    ).order_by("name")
+
+    if team_id:
+        qs = qs.filter(id=team_id)
+
+    return qs
diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index ef4580601..8b4eee9b0 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -40,6 +40,9 @@
     ServiceToken,
     UserToken,
     Identity,
+    Team,
+    TeamMembership,
+    TeamAppEnvironment,
 )
 from logs.dynamodb_models import KMSLog
 from django.utils import timezone
@@ -540,7 +543,7 @@ def resolve_history(self, info):
         # Compute can_view_members only once per request
         organisation = self.environment.app.organisation
         can_view_members = user_has_permission(
-            user, "read", "Members", organisation, True
+            user, "read", "Members", organisation, True, app=self.environment.app
         ) or user_has_permission(user, "read", "Members", organisation, False)
         setattr(info.context, "can_view_members", can_view_members)
 
@@ -601,9 +604,9 @@ def resolve_secrets(self, info, path=None):
 
         org = self.app.organisation
         if not user_has_permission(
-            info.context.user, "read", "Secrets", org, True
+            info.context.user, "read", "Secrets", org, True, app=self.app
         ) or not user_has_permission(
-            info.context.user, "read", "Environments", org, True
+            info.context.user, "read", "Environments", org, True, app=self.app
         ):
             raise GraphQLError("You don't have access to read secrets")
 
@@ -1135,3 +1138,80 @@ def resolve_config(self, info):
             )
 
         return None
+
+
+class TeamAppEnvironmentType(DjangoObjectType):
+    class Meta:
+        model = TeamAppEnvironment
+        fields = ("id", "app", "environment", "created_at")
+
+
+class TeamMembershipType(DjangoObjectType):
+    email = graphene.String()
+    full_name = graphene.String()
+    avatar_url = graphene.String()
+
+    class Meta:
+        model = TeamMembership
+        fields = ("id", "org_member", "service_account", "created_at")
+
+    def resolve_email(self, info):
+        if self.org_member:
+            return self.org_member.user.email
+        if self.service_account:
+            return self.service_account.name
+        return None
+
+    def resolve_full_name(self, info):
+        if self.org_member:
+            social_acc = self.org_member.user.socialaccount_set.first()
+            if social_acc:
+                return social_acc.extra_data.get("name")
+        return None
+
+    def resolve_avatar_url(self, info):
+        if self.org_member:
+            social_acc = self.org_member.user.socialaccount_set.first()
+            if social_acc:
+                if social_acc.provider == "google":
+                    return social_acc.extra_data.get("picture")
+                return social_acc.extra_data.get("avatar_url")
+        return None
+
+
+class TeamType(DjangoObjectType):
+    members = graphene.List(graphene.NonNull(TeamMembershipType))
+    apps = graphene.List(graphene.NonNull(AppType))
+    app_environments = graphene.List(graphene.NonNull(TeamAppEnvironmentType))
+    member_count = graphene.Int()
+
+    class Meta:
+        model = Team
+        fields = (
+            "id",
+            "name",
+            "description",
+            "member_role",
+            "service_account_role",
+            "is_scim_managed",
+            "created_by",
+            "created_at",
+            "updated_at",
+        )
+
+    def resolve_members(self, info):
+        return self.memberships.select_related(
+            "org_member__user", "service_account"
+        ).all()
+
+    def resolve_apps(self, info):
+        app_ids = (
+            self.app_environments.values_list("app_id", flat=True).distinct()
+        )
+        return App.objects.filter(id__in=app_ids, is_deleted=False)
+
+    def resolve_app_environments(self, info):
+        return self.app_environments.select_related("app", "environment").all()
+
+    def resolve_member_count(self, info):
+        return self.memberships.count()
diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 3ce37a4f4..3d4d3cf93 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -124,6 +124,17 @@
 from .graphene.queries.quotas import resolve_organisation_plan
 from .graphene.queries.license import resolve_license, resolve_organisation_license
 from .graphene.queries.auth import resolve_verify_password
+from .graphene.queries.teams import resolve_teams
+from .graphene.mutations.teams import (
+    AddTeamAppsMutation,
+    AddTeamMembersMutation,
+    CreateTeamMutation,
+    DeleteTeamMutation,
+    RemoveTeamAppMutation,
+    RemoveTeamMemberMutation,
+    UpdateTeamAppEnvironmentsMutation,
+    UpdateTeamMutation,
+)
 from .graphene.mutations.environment import (
     BulkCreateSecretMutation,
     BulkDeleteSecretMutation,
@@ -225,6 +236,7 @@
     ServiceAccountType,
     ServiceTokenType,
     ServiceType,
+    TeamType,
     TimeRange,
     UserTokenType,
     AWSValidationResultType,
@@ -247,6 +259,7 @@
     SecretTag,
     ServiceAccount,
     ServiceToken,
+    TeamAppEnvironment,
     UserToken,
 )
 from logs.queries import get_app_log_count, get_app_log_count_range, get_app_logs
@@ -276,6 +289,12 @@ class Query(graphene.ObjectType):
     )
     identities = graphene.List(IdentityType, organisation_id=graphene.ID())
 
+    teams = graphene.List(
+        TeamType,
+        organisation_id=graphene.ID(),
+        team_id=graphene.ID(required=False),
+    )
+
     organisation_name_available = graphene.Boolean(name=graphene.String())
 
     verify_password = graphene.Boolean(auth_hash=graphene.String(required=True))
@@ -558,6 +577,9 @@ def resolve_organisations(root, info):
     resolve_aws_sts_endpoints = resolve_aws_sts_endpoints
     resolve_identity_providers = resolve_identity_providers
 
+    # Teams
+    resolve_teams = resolve_teams
+
     resolve_organisation_plan = resolve_organisation_plan
 
     def resolve_organisation_name_available(root, info, name):
@@ -623,9 +645,22 @@ def resolve_apps(root, info, organisation_id, app_id=None):
         ):
             return []
 
+        # Individual app IDs
+        individual_ids = set(org_member.apps.values_list("id", flat=True))
+
+        # Team app IDs
+        team_ids = set(
+            TeamAppEnvironment.objects.filter(
+                team__memberships__org_member=org_member,
+                team__deleted_at__isnull=True,
+            ).values_list("app_id", flat=True)
+        )
+
+        all_app_ids = individual_ids | team_ids
+
         filter = {
             "organisation_id": organisation_id,
-            "id__in": org_member.apps.all(),
+            "id__in": all_app_ids,
             "is_deleted": False,
         }
 
@@ -640,7 +675,7 @@ def resolve_app_environments(
         app = App.objects.get(id=app_id)
 
         if not user_has_permission(
-            info.context.user, "read", "Environments", app.organisation, True
+            info.context.user, "read", "Environments", app.organisation, True, app=app
         ):
             return []
 
@@ -687,7 +722,7 @@ def resolve_app_users(root, info, app_id):
         app = App.objects.get(id=app_id)
 
         if not user_has_permission(
-            info.context.user, "read", "Members", app.organisation, True
+            info.context.user, "read", "Members", app.organisation, True, app=app
         ):
             raise GraphQLError("You don't have permission to read members of this App")
 
@@ -700,11 +735,13 @@ def resolve_app_users(root, info, app_id):
 
     def resolve_secrets(root, info, env_id, path=None, id=None):
 
-        org = Environment.objects.get(id=env_id).app.organisation
+        env = Environment.objects.get(id=env_id)
+        app = env.app
+        org = app.organisation
         if not user_has_permission(
-            info.context.user, "read", "Secrets", org, True
+            info.context.user, "read", "Secrets", org, True, app=app
         ) or not user_has_permission(
-            info.context.user, "read", "Environments", org, True
+            info.context.user, "read", "Environments", org, True, app=app
         ):
             raise GraphQLError("You don't have access to read secrets")
 
@@ -741,7 +778,7 @@ def resolve_secret_history(root, info, secret_id):
 
         # compute permission once and store it on the request context
         can_view_members = user_has_permission(
-            user, "read", "Members", secret.environment.app.organisation, True
+            user, "read", "Members", secret.environment.app.organisation, True, app=secret.environment.app
         ) or user_has_permission(
             user, "read", "Members", secret.environment.app.organisation, False
         )
@@ -810,7 +847,7 @@ def resolve_user_tokens(root, info, organisation_id):
     def resolve_service_tokens(root, info, app_id):
         app = App.objects.get(id=app_id)
         if not user_has_permission(
-            info.context.user, "read", "Tokens", app.organisation, True
+            info.context.user, "read", "Tokens", app.organisation, True, app=app
         ):
             raise GraphQLError("You don't have permission to view Tokens in this App")
 
@@ -911,11 +948,11 @@ def resolve_secret_logs(
 
         # Permissions
         can_see_members = user_has_permission(
-            user, "read", "Members", app.organisation, True
+            user, "read", "Members", app.organisation, True, app=app
         ) or user_has_permission(user, "read", "Members", app.organisation, False)
         setattr(info.context, "can_view_members", can_see_members)
 
-        if not user_has_permission(user, "read", "Logs", app.organisation, True):
+        if not user_has_permission(user, "read", "Logs", app.organisation, True, app=app):
             return SecretLogsResponseType(logs=[], count=0)
 
         # Base filter
@@ -1114,6 +1151,16 @@ class Mutation(graphene.ObjectType):
     test_organisation_sso_provider = TestOrganisationSSOProviderMutation.Field()
     update_organisation_security = UpdateOrganisationSecurityMutation.Field()
 
+    # Teams
+    create_team = CreateTeamMutation.Field()
+    update_team = UpdateTeamMutation.Field()
+    delete_team = DeleteTeamMutation.Field()
+    add_team_members = AddTeamMembersMutation.Field()
+    remove_team_member = RemoveTeamMemberMutation.Field()
+    add_team_apps = AddTeamAppsMutation.Field()
+    remove_team_app = RemoveTeamAppMutation.Field()
+    update_team_app_environments = UpdateTeamAppEnvironmentsMutation.Field()
+
     # Service Accounts
     create_service_account = CreateServiceAccountMutation.Field()
     enable_service_account_server_side_key_management = (

From cbb56894916a4dc58c2b2888013d1d5865f443e9 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:27 +0530
Subject: [PATCH 004/118] feat: pass app param to permission checks across
 existing mutations and views

---
 backend/api/views/secrets.py                  |  2 ++
 backend/backend/graphene/mutations/app.py     |  6 ++--
 .../backend/graphene/mutations/environment.py | 33 ++++++++++---------
 .../graphene/mutations/organisation.py        | 11 +++++++
 backend/backend/graphene/queries/syncing.py   | 15 +++++----
 .../secrets/dynamic/aws/graphene/mutations.py |  7 ++--
 .../secrets/dynamic/graphene/mutations.py     |  8 ++---
 .../secrets/dynamic/graphene/queries.py       |  6 ++--
 .../secrets/dynamic/graphene/types.py         |  1 +
 .../secrets/dynamic/rest/views.py             |  6 ++++
 10 files changed, 61 insertions(+), 34 deletions(-)

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index 4f44773bf..67e1f45bf 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -90,6 +90,7 @@ def initial(self, request, *args, **kwargs):
                 organisation,
                 True,
                 request.auth.get("service_account") is not None,
+                app=env.app,
             ):
                 raise PermissionDenied(
                     f"You don't have permission to {action} secrets in this environment."
@@ -538,6 +539,7 @@ def initial(self, request, *args, **kwargs):
                 organisation,
                 True,
                 request.auth.get("service_account") is not None,
+                app=env.app,
             ):
                 raise PermissionDenied(
                     f"You don't have permission to {action} secrets in this environment."
diff --git a/backend/backend/graphene/mutations/app.py b/backend/backend/graphene/mutations/app.py
index 3b259951c..a0fa3fc6c 100644
--- a/backend/backend/graphene/mutations/app.py
+++ b/backend/backend/graphene/mutations/app.py
@@ -242,7 +242,7 @@ def mutate(cls, root, info, app_id, members):
                 member = ServiceAccount.objects.get(id=member_id, deleted_at=None)
 
             if not user_has_permission(
-                user, "create", permission_key, app.organisation, True
+                user, "create", permission_key, app.organisation, True, app=app
             ):
                 raise GraphQLError(
                     f"You don't have permission to add {member_type.lower()}s to this App"
@@ -297,7 +297,7 @@ def mutate(
             member = ServiceAccount.objects.get(id=member_id, deleted_at=None)
 
         if not user_has_permission(
-            info.context.user, "create", permission_key, app.organisation, True
+            info.context.user, "create", permission_key, app.organisation, True, app=app
         ):
             raise GraphQLError("You don't have permission to add members to this App")
 
@@ -349,7 +349,7 @@ def mutate(cls, root, info, member_id, app_id, member_type=MemberType.USER):
             permission_key = "ServiceAccounts"
 
         if not user_has_permission(
-            info.context.user, "delete", permission_key, app.organisation, True
+            info.context.user, "delete", permission_key, app.organisation, True, app=app
         ):
             raise GraphQLError(
                 f"You don't have permission to remove {permission_key} from this App"
diff --git a/backend/backend/graphene/mutations/environment.py b/backend/backend/graphene/mutations/environment.py
index c01af8da3..abeb5c0f7 100644
--- a/backend/backend/graphene/mutations/environment.py
+++ b/backend/backend/graphene/mutations/environment.py
@@ -111,7 +111,7 @@ def mutate(
         app = App.objects.get(id=environment_data.app_id)
 
         if not user_has_permission(
-            info.context.user, "create", "Environments", app.organisation, True
+            info.context.user, "create", "Environments", app.organisation, True, app=app
         ):
             raise GraphQLError(
                 "You don't have permission to create environments in this organisation"
@@ -208,7 +208,7 @@ def mutate(cls, root, info, environment_id, name):
         org = environment.app.organisation
 
         if not user_has_permission(
-            info.context.user, "update", "Environments", org, True
+            info.context.user, "update", "Environments", org, True, app=environment.app
         ):
             raise GraphQLError("You do not have permission to rename environments")
 
@@ -250,7 +250,7 @@ def mutate(cls, root, info, environment_id):
         org = environment.app.organisation
 
         if not user_has_permission(
-            info.context.user, "delete", "Environments", org, True
+            info.context.user, "delete", "Environments", org, True, app=environment.app
         ):
             raise GraphQLError("You do not have permission to delete environments")
 
@@ -277,7 +277,7 @@ def mutate(cls, root, info, app_id, environment_order):
         app = App.objects.get(id=app_id)
         org = app.organisation
 
-        if not user_has_permission(user, "update", "Environments", org, True):
+        if not user_has_permission(user, "update", "Environments", org, True, app=app):
             raise GraphQLError("You do not have permission to update environments")
 
         if not can_use_custom_envs(org):
@@ -377,7 +377,7 @@ def mutate(
             permission_key = "ServiceAccounts"
 
         if not user_has_permission(
-            info.context.user, "update", permission_key, app.organisation, True
+            info.context.user, "update", permission_key, app.organisation, True, app=app
         ):
             raise GraphQLError("You don't have permission to update App member access")
 
@@ -546,7 +546,7 @@ def mutate(
         app = App.objects.get(id=app_id)
 
         if not user_has_permission(
-            info.context.user, "create", "Tokens", app.organisation, True
+            info.context.user, "create", "Tokens", app.organisation, True, app=app
         ):
             raise GraphQLError("You don't have permission to create Tokens in this App")
 
@@ -600,7 +600,7 @@ def mutate(cls, root, info, token_id):
         token = ServiceToken.objects.get(id=token_id)
         org = token.app.organisation
 
-        if not user_has_permission(info.context.user, "delete", "Tokens", org, True):
+        if not user_has_permission(info.context.user, "delete", "Tokens", org, True, app=token.app):
             raise GraphQLError("You don't have permission to delete Tokens in this App")
 
         token.deleted_at = timezone.now()
@@ -621,9 +621,11 @@ class Arguments:
     def mutate(cls, root, info, env_id, name, path):
         user = info.context.user
 
-        org = Environment.objects.get(id=env_id).app.organisation
+        env_obj = Environment.objects.get(id=env_id)
+        app = env_obj.app
+        org = app.organisation
 
-        if not user_has_permission(info.context.user, "create", "Secrets", org, True):
+        if not user_has_permission(info.context.user, "create", "Secrets", org, True, app=app):
             raise GraphQLError(
                 "You don't have permission to create folders in this organisation"
             )
@@ -668,6 +670,7 @@ def mutate(cls, root, info, folder_id):
             "Secrets",
             folder.environment.app.organisation,
             True,
+            app=folder.environment.app,
         ):
             raise GraphQLError(
                 "You don't have permission to delete folders in this organisation"
@@ -715,7 +718,7 @@ def mutate(cls, root, info, secret_data):
         env = Environment.objects.get(id=secret_data.env_id)
         org = env.app.organisation
 
-        if not user_has_permission(info.context.user, "create", "Secrets", org, True):
+        if not user_has_permission(info.context.user, "create", "Secrets", org, True, app=env.app):
             raise GraphQLError(
                 "You don't have permission to create secrets in this organisation"
             )
@@ -784,7 +787,7 @@ def mutate(cls, root, info, secrets_data):
             org = env.app.organisation
 
             if not user_has_permission(
-                info.context.user, "create", "Secrets", org, True
+                info.context.user, "create", "Secrets", org, True, app=env.app
             ):
                 raise GraphQLError(
                     "You don't have permission to create secrets in this organisation"
@@ -851,7 +854,7 @@ def mutate(cls, root, info, id, secret_data):
         env = secret.environment
         org = env.app.organisation
 
-        if not user_has_permission(info.context.user, "update", "Secrets", org, True):
+        if not user_has_permission(info.context.user, "update", "Secrets", org, True, app=env.app):
             raise GraphQLError(
                 "You don't have permission to update secrets in this organisation"
             )
@@ -924,7 +927,7 @@ def mutate(cls, root, info, secrets_data):
             org = env.app.organisation
 
             if not user_has_permission(
-                info.context.user, "create", "Secrets", org, True
+                info.context.user, "create", "Secrets", org, True, app=env.app
             ):
                 raise GraphQLError(
                     "You don't have permission to update secrets in this organisation"
@@ -999,7 +1002,7 @@ def mutate(cls, root, info, id):
         env = secret.environment
         org = env.app.organisation
 
-        if not user_has_permission(info.context.user, "delete", "Secrets", org, True):
+        if not user_has_permission(info.context.user, "delete", "Secrets", org, True, app=env.app):
             raise GraphQLError(
                 "You don't have permission to delete secrets in this organisation"
             )
@@ -1037,7 +1040,7 @@ def mutate(cls, root, info, ids):
             org = env.app.organisation
 
             if not user_has_permission(
-                info.context.user, "delete", "Secrets", org, True
+                info.context.user, "delete", "Secrets", org, True, app=env.app
             ):
                 raise GraphQLError(
                     "You don't have permission to delete secrets in this organisation"
diff --git a/backend/backend/graphene/mutations/organisation.py b/backend/backend/graphene/mutations/organisation.py
index 490a87254..28183bbfe 100644
--- a/backend/backend/graphene/mutations/organisation.py
+++ b/backend/backend/graphene/mutations/organisation.py
@@ -6,6 +6,7 @@
     user_is_org_member,
 )
 from api.utils.access.roles import default_roles
+from api.utils.keys import provision_pending_team_keys
 from api.tasks.emails import send_invite_email_job
 from backend.quotas import can_add_account
 import graphene
@@ -129,10 +130,20 @@ def mutate(cls, root, info, org_id, identity_key, wrapped_keyring, wrapped_recov
         except OrganisationMember.DoesNotExist:
             raise GraphQLError("Not a member of this organisation.")
 
+        first_key_ceremony = identity_key and not org_member.identity_key
+
+        if identity_key:
+            org_member.identity_key = identity_key
+
         org_member.wrapped_keyring = wrapped_keyring
         org_member.wrapped_recovery = wrapped_recovery
         org_member.save()
 
+        # Provision team environment keys for SCIM-preprovisioned users
+        # completing their key ceremony for the first time
+        if first_key_ceremony:
+            provision_pending_team_keys(org_member)
+
         return UpdateUserWrappedSecretsMutation(org_member=org_member)
 
 
diff --git a/backend/backend/graphene/queries/syncing.py b/backend/backend/graphene/queries/syncing.py
index 00d06ca6b..5bb5fc7a7 100644
--- a/backend/backend/graphene/queries/syncing.py
+++ b/backend/backend/graphene/queries/syncing.py
@@ -363,9 +363,10 @@ def resolve_syncs(root, info, app_id=None, env_id=None, org_id=None):
 
     # If both app_id and env_id are provided
     if app_id and env_id:
-        org = App.objects.get(id=app_id).organisation
+        app = App.objects.get(id=app_id)
+        org = app.organisation
         if not user_has_permission(
-            info.context.user, "read", "Integrations", org, True
+            info.context.user, "read", "Integrations", org, True, app=app
         ):
             return []
 
@@ -380,9 +381,10 @@ def resolve_syncs(root, info, app_id=None, env_id=None, org_id=None):
     # If only app_id is provided
     elif app_id:
 
-        org = App.objects.get(id=app_id).organisation
+        app = App.objects.get(id=app_id)
+        org = app.organisation
         if not user_has_permission(
-            info.context.user, "read", "Integrations", org, True
+            info.context.user, "read", "Integrations", org, True, app=app
         ):
             return []
 
@@ -395,9 +397,10 @@ def resolve_syncs(root, info, app_id=None, env_id=None, org_id=None):
     # If only env_id is provided
     elif env_id:
 
-        org = Environment.objects.get(id=env_id).app.organisation
+        env = Environment.objects.get(id=env_id)
+        org = env.app.organisation
         if not user_has_permission(
-            info.context.user, "read", "Integrations", org, True
+            info.context.user, "read", "Integrations", org, True, app=env.app
         ):
             return []
 
diff --git a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
index ccc510be6..3fa86c882 100644
--- a/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/aws/graphene/mutations.py
@@ -75,15 +75,14 @@ def mutate(
             raise GraphQLError("You don't have access to this organisation")
 
         org = Organisation.objects.get(id=organisation_id)
+        env = Environment.objects.get(id=environment_id)
 
-        if not user_has_permission(user, "create", "Secrets", org, True):
+        if not user_has_permission(user, "create", "Secrets", org, True, app=env.app):
             raise GraphQLError("You don't have permission to create Dynamic Secrets")
 
         if not user_can_access_environment(user.userId, environment_id):
             raise GraphQLError("You don't have access to this environment")
 
-        env = Environment.objects.get(id=environment_id)
-
         if not env.app.sse_enabled:
             raise GraphQLError("SSE is not enabled!")
 
@@ -166,7 +165,7 @@ def mutate(
 
         env = Environment.objects.get(id=dynamic_secret.environment.id)
 
-        if not user_has_permission(user, "update", "Secrets", org, True):
+        if not user_has_permission(user, "update", "Secrets", org, True, app=env.app):
             raise GraphQLError("You don't have permission to update Dynamic Secrets")
 
         if not user_can_access_environment(user.userId, dynamic_secret.environment.id):
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
index 93b60f8a4..eaa4cc008 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/mutations.py
@@ -49,7 +49,7 @@ def mutate(
         org = secret.environment.app.organisation
 
         # --- permission checks ---
-        if not user_has_permission(user, "delete", "Secrets", org, True):
+        if not user_has_permission(user, "delete", "Secrets", org, True, app=secret.environment.app):
             raise GraphQLError(
                 "You don't have permission to delete secrets in this organisation"
             )
@@ -85,7 +85,7 @@ def mutate(
         if not user_is_org_member(user.userId, org.id):
             raise GraphQLError("You don't have access to this organisation")
 
-        if not user_has_permission(user, "create", "Secrets", org, True):
+        if not user_has_permission(user, "create", "Secrets", org, True, app=secret.environment.app):
             raise GraphQLError("You don't have permission to create Dynamic Secrets")
 
         if not user_can_access_environment(user.userId, secret.environment.id):
@@ -136,7 +136,7 @@ def mutate(
             lease.organisation_member is None
             or lease.organisation_member.id != org_member.id
         ) and not user_has_permission(
-            info.context.user, "update", "DynamicSecretLeases", org, True
+            info.context.user, "update", "DynamicSecretLeases", org, True, app=lease.secret.environment.app
         ):
             raise GraphQLError(
                 "You cannot renew this lease as it wasn't created by you"
@@ -180,7 +180,7 @@ def mutate(
             lease.organisation_member is None
             or lease.organisation_member.id != org_member.id
         ) and not user_has_permission(
-            info.context.user, "delete", "DynamicSecretLeases", org, True
+            info.context.user, "delete", "DynamicSecretLeases", org, True, app=lease.secret.environment.app
         ):
             raise GraphQLError(
                 "You cannot revoke this lease as it wasn't created by you"
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/queries.py b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
index bcbbb9c21..335790954 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/queries.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/queries.py
@@ -35,6 +35,7 @@ def resolve_dynamic_secrets(
     elif path is not None:
         filters["path"] = path
     org = None
+    app = None
 
     # Figure out which org to use
     if app_id:
@@ -42,7 +43,8 @@ def resolve_dynamic_secrets(
         org = app.organisation
     elif env_id:
         env = Environment.objects.get(id=env_id)
-        org = env.app.organisation
+        app = env.app
+        org = app.organisation
     elif org_id:
         org = Organisation.objects.get(id=org_id)
     else:
@@ -51,7 +53,7 @@ def resolve_dynamic_secrets(
         )
 
     # Permission check (common to all cases)
-    if not user_has_permission(user, "read", "Secrets", org, True):
+    if not user_has_permission(user, "read", "Secrets", org, True, app=app):
         return []
 
     # Build filters + access checks
diff --git a/backend/ee/integrations/secrets/dynamic/graphene/types.py b/backend/ee/integrations/secrets/dynamic/graphene/types.py
index 2a5ca0770..5826739cf 100644
--- a/backend/ee/integrations/secrets/dynamic/graphene/types.py
+++ b/backend/ee/integrations/secrets/dynamic/graphene/types.py
@@ -89,6 +89,7 @@ def resolve_leases(self, info):
             "DynamicSecretLeases",
             self.environment.app.organisation,
             True,
+            app=self.environment.app,
         ):
             filter["organisation_member"] = OrganisationMember.objects.get(
                 organisation=self.environment.app.organisation, user=info.context.user
diff --git a/backend/ee/integrations/secrets/dynamic/rest/views.py b/backend/ee/integrations/secrets/dynamic/rest/views.py
index c3ba41760..7c16b699f 100644
--- a/backend/ee/integrations/secrets/dynamic/rest/views.py
+++ b/backend/ee/integrations/secrets/dynamic/rest/views.py
@@ -82,6 +82,7 @@ def initial(self, request, *args, **kwargs):
                 organisation,
                 True,
                 request.auth.get("service_account") is not None,
+                app=env.app,
             ):
                 raise PermissionDenied(
                     f"You don't have permission to {action} secrets in this environment."
@@ -232,6 +233,7 @@ def _assert_can_act_on_lease(self, request, lease: DynamicSecretLease, action: s
             and lease_holder.id == getattr(account, "id", None)
         ):
             return
+        env = request.auth["environment"]
         if not user_has_permission(
             account,
             action,
@@ -239,6 +241,7 @@ def _assert_can_act_on_lease(self, request, lease: DynamicSecretLease, action: s
             organisation,
             True,
             request.auth.get("service_account") is not None,
+            app=env.app,
         ):
             raise PermissionDenied(
                 f"You don't have permission to {action} leases for other accounts."
@@ -252,6 +255,7 @@ def get(self, request, *args, **kwargs):
 
         account, organisation = self._get_account_and_org(request)
 
+        env = request.auth["environment"]
         if not user_has_permission(
             account,
             "read",
@@ -259,6 +263,7 @@ def get(self, request, *args, **kwargs):
             organisation,
             True,
             request.auth.get("service_account") is not None,
+            app=env.app,
         ):
             raise PermissionDenied(
                 f"You don't have permission to read secrets in this environment."
@@ -279,6 +284,7 @@ def get(self, request, *args, **kwargs):
             organisation,
             True,
             request.auth.get("service_account") is not None,
+            app=env.app,
         ):
             if request.auth["org_member"] is not None:
                 leases_filter["organisation_member"] = request.auth["org_member"]

From 1fd088b6ed742236a529e574a1f1b2b237a21f88 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:31 +0530
Subject: [PATCH 005/118] feat: add Pro+ plan gating for teams

---
 backend/backend/quotas.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/backend/backend/quotas.py b/backend/backend/quotas.py
index f053eb702..30d72b6e0 100644
--- a/backend/backend/quotas.py
+++ b/backend/backend/quotas.py
@@ -134,6 +134,16 @@ def can_use_custom_envs(organisation):
     return organisation.plan != "FR"
 
 
+def can_use_teams(organisation):
+    """Teams require a Pro or Enterprise plan (or an activated license)."""
+    ActivatedPhaseLicense = apps.get_model("api", "ActivatedPhaseLicense")
+
+    if ActivatedPhaseLicense.objects.filter(organisation=organisation).exists():
+        return True
+
+    return organisation.plan in ("PR", "EN")
+
+
 def can_add_service_token(app):
     """Check if a new service token can be added to the app."""
 

From db6eb386fb8d8c6110a5681bdf6c3d23ebd43e9e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:34 +0530
Subject: [PATCH 006/118] feat: add GraphQL schema, codegen output, and team
 operation files

---
 frontend/apollo/gql.ts                        | 150 ++---
 frontend/apollo/graphql.ts                    | 603 ++++++++----------
 frontend/apollo/schema.graphql                | 294 +++------
 .../graphql/mutations/teams/addTeamApps.gql   |   7 +
 .../mutations/teams/addTeamMembers.gql        |   7 +
 .../graphql/mutations/teams/createTeam.gql    |  20 +
 .../graphql/mutations/teams/deleteTeam.gql    |   5 +
 .../graphql/mutations/teams/removeTeamApp.gql |   7 +
 .../mutations/teams/removeTeamMember.gql      |   7 +
 .../graphql/mutations/teams/updateTeam.gql    |  20 +
 .../teams/updateTeamAppEnvironments.gql       |   7 +
 frontend/graphql/queries/teams/getTeams.gql   |  78 +++
 12 files changed, 590 insertions(+), 615 deletions(-)
 create mode 100644 frontend/graphql/mutations/teams/addTeamApps.gql
 create mode 100644 frontend/graphql/mutations/teams/addTeamMembers.gql
 create mode 100644 frontend/graphql/mutations/teams/createTeam.gql
 create mode 100644 frontend/graphql/mutations/teams/deleteTeam.gql
 create mode 100644 frontend/graphql/mutations/teams/removeTeamApp.gql
 create mode 100644 frontend/graphql/mutations/teams/removeTeamMember.gql
 create mode 100644 frontend/graphql/mutations/teams/updateTeam.gql
 create mode 100644 frontend/graphql/mutations/teams/updateTeamAppEnvironments.gql
 create mode 100644 frontend/graphql/queries/teams/getTeams.gql

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 7d3f9d707..b7b507e51 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -26,8 +26,6 @@ type Documents = {
     "mutation RemoveMemberFromApp($memberId: ID!, $memberType: MemberType, $appId: ID!) {\n  removeAppMember(memberId: $memberId, memberType: $memberType, appId: $appId) {\n    app {\n      id\n    }\n  }\n}": typeof types.RemoveMemberFromAppDocument,
     "mutation UpdateAppInfoOp($id: ID!, $name: String, $description: String) {\n  updateAppInfo(id: $id, name: $name, description: $description) {\n    app {\n      id\n      name\n      description\n    }\n  }\n}": typeof types.UpdateAppInfoOpDocument,
     "mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}": typeof types.UpdateEnvScopeDocument,
-    "mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.ChangePasswordDocument,
-    "mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.RecoverKeyringDocument,
     "mutation CancelStripeSubscription($organisationId: ID!, $subscriptionId: String!) {\n  cancelSubscription(\n    organisationId: $organisationId\n    subscriptionId: $subscriptionId\n  ) {\n    success\n  }\n}": typeof types.CancelStripeSubscriptionDocument,
     "mutation CreateStripeSetupIntentOp($organisationId: ID!) {\n  createSetupIntent(organisationId: $organisationId) {\n    clientSecret\n  }\n}": typeof types.CreateStripeSetupIntentOpDocument,
     "mutation DeleteStripePaymentMethod($organisationId: ID!, $paymentMethodId: String!) {\n  deletePaymentMethod(\n    organisationId: $organisationId\n    paymentMethodId: $paymentMethodId\n  ) {\n    ok\n  }\n}": typeof types.DeleteStripePaymentMethodDocument,
@@ -65,16 +63,16 @@ type Documents = {
     "mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}": typeof types.UpdateDynamicSecretDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": typeof types.CreateSharedSecretDocument,
     "mutation UpdateEnvOrder($appId: ID!, $environmentOrder: [ID]!) {\n  updateEnvironmentOrder(appId: $appId, environmentOrder: $environmentOrder) {\n    ok\n  }\n}": typeof types.UpdateEnvOrderDocument,
-    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.CreateExtIdentityDocument,
+    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.CreateExtIdentityDocument,
     "mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": typeof types.DeleteExtIdentityDocument,
-    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.UpdateExtIdentityDocument,
+    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.UpdateExtIdentityDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": typeof types.AcceptOrganisationInviteDocument,
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": typeof types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": typeof types.DeleteOrgInviteDocument,
     "mutation RemoveMember($memberId: ID!) {\n  deleteOrganisationMember(memberId: $memberId) {\n    ok\n  }\n}": typeof types.RemoveMemberDocument,
     "mutation TransferOrgOwnership($organisationId: ID!, $newOwnerId: ID!, $billingEmail: String) {\n  transferOrganisationOwnership(\n    organisationId: $organisationId\n    newOwnerId: $newOwnerId\n    billingEmail: $billingEmail\n  ) {\n    ok\n  }\n}": typeof types.TransferOrgOwnershipDocument,
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": typeof types.UpdateMemberRoleDocument,
-    "mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.UpdateWrappedSecretsDocument,
+    "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": typeof types.RotateAppKeyDocument,
     "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": typeof types.CreateSaTokenDocument,
@@ -84,11 +82,6 @@ type Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": typeof types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": typeof types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOpDocument,
-    "mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}": typeof types.CreateOrgSsoProviderDocument,
-    "mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}": typeof types.DeleteOrgSsoProviderDocument,
-    "mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}": typeof types.TestOrgSsoProviderDocument,
-    "mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}": typeof types.UpdateOrgSsoProviderDocument,
-    "mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}": typeof types.UpdateOrgSecurityDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewCfPagesSyncDocument,
@@ -109,6 +102,14 @@ type Documents = {
     "mutation UpdateSyncAuth($syncId: ID!, $credentialId: ID!) {\n  updateSyncAuthentication(syncId: $syncId, credentialId: $credentialId) {\n    sync {\n      id\n      status\n    }\n  }\n}": typeof types.UpdateSyncAuthDocument,
     "mutation CreateNewVaultSync($envId: ID!, $path: String!, $engine: String!, $vaultPath: String!, $credentialId: ID!) {\n  createVaultSync(\n    envId: $envId\n    path: $path\n    engine: $engine\n    vaultPath: $vaultPath\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewVaultSyncDocument,
     "mutation CreateNewVercelSync($envId: ID!, $path: String!, $credentialId: ID!, $projectId: String!, $projectName: String!, $teamId: String!, $teamName: String!, $environment: String!, $secretType: String!) {\n  createVercelSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    projectId: $projectId\n    projectName: $projectName\n    teamId: $teamId\n    teamName: $teamName\n    environment: $environment\n    secretType: $secretType\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewVercelSyncDocument,
+    "mutation AddTeamAppsOp($teamId: ID!, $appEnvs: [AppEnvironmentInput!]!) {\n  addTeamApps(teamId: $teamId, appEnvs: $appEnvs) {\n    team {\n      id\n    }\n  }\n}": typeof types.AddTeamAppsOpDocument,
+    "mutation AddTeamMembersOp($teamId: ID!, $memberIds: [ID!]!, $memberType: MemberType) {\n  addTeamMembers(teamId: $teamId, memberIds: $memberIds, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": typeof types.AddTeamMembersOpDocument,
+    "mutation CreateTeamOp($organisationId: ID!, $name: String!, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  createTeam(\n    organisationId: $organisationId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": typeof types.CreateTeamOpDocument,
+    "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": typeof types.DeleteTeamOpDocument,
+    "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamAppOpDocument,
+    "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamMemberOpDocument,
+    "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": typeof types.UpdateTeamOpDocument,
+    "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": typeof types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": typeof types.CreateNewUserTokenDocument,
     "mutation RevokeUserToken($tokenId: ID!) {\n  deleteUserToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.RevokeUserTokenDocument,
     "query GetIP {\n  clientIp\n}": typeof types.GetIpDocument,
@@ -116,7 +117,6 @@ type Documents = {
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": typeof types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": typeof types.GetAppMembersDocument,
     "query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": typeof types.GetAppServiceAccountsDocument,
-    "query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}": typeof types.VerifyPasswordDocument,
     "query GetCheckoutDetails($stripeSessionId: String!) {\n  stripeCheckoutDetails(stripeSessionId: $stripeSessionId) {\n    paymentStatus\n    customerEmail\n    billingStartDate\n    billingEndDate\n    subscriptionId\n    planName\n  }\n}": typeof types.GetCheckoutDetailsDocument,
     "query GetCustomerPortalLink($organisationId: ID!) {\n  stripeCustomerPortalUrl(organisationId: $organisationId)\n}": typeof types.GetCustomerPortalLinkDocument,
     "query GetSubscriptionDetails($organisationId: ID!) {\n  stripeSubscriptionDetails(organisationId: $organisationId) {\n    subscriptionId\n    planName\n    planType\n    billingPeriod\n    status\n    nextPaymentAmount\n    currentPeriodStart\n    currentPeriodEnd\n    renewalDate\n    cancelAt\n    cancelAtPeriodEnd\n    paymentMethods {\n      id\n      brand\n      last4\n      expMonth\n      expYear\n      isDefault\n    }\n  }\n}": typeof types.GetSubscriptionDetailsDocument,
@@ -126,10 +126,10 @@ type Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": typeof types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": typeof types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n  }\n}": typeof types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}": typeof types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": typeof types.GetAwsStsEndpointsDocument,
-    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": typeof types.GetIdentityProvidersDocument,
-    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
+    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}": typeof types.GetIdentityProvidersDocument,
+    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
     "query CheckOrganisationNameAvailability($name: String!) {\n  organisationNameAvailable(name: $name)\n}": typeof types.CheckOrganisationNameAvailabilityDocument,
     "query GetGlobalAccessUsers($organisationId: ID!) {\n  organisationGlobalAccessUsers(organisationId: $organisationId) {\n    id\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetGlobalAccessUsersDocument,
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": typeof types.GetInvitesDocument,
@@ -154,11 +154,10 @@ type Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": typeof types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": typeof types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
-    "query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}": typeof types.GetOrgSsoProvidersDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": typeof types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": typeof types.ValidateAwsAssumeRoleAuthDocument,
@@ -180,6 +179,7 @@ type Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": typeof types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": typeof types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": typeof types.GetVercelProjectsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": typeof types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": typeof types.GetUserTokensDocument,
 };
@@ -196,8 +196,6 @@ const documents: Documents = {
     "mutation RemoveMemberFromApp($memberId: ID!, $memberType: MemberType, $appId: ID!) {\n  removeAppMember(memberId: $memberId, memberType: $memberType, appId: $appId) {\n    app {\n      id\n    }\n  }\n}": types.RemoveMemberFromAppDocument,
     "mutation UpdateAppInfoOp($id: ID!, $name: String, $description: String) {\n  updateAppInfo(id: $id, name: $name, description: $description) {\n    app {\n      id\n      name\n      description\n    }\n  }\n}": types.UpdateAppInfoOpDocument,
     "mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}": types.UpdateEnvScopeDocument,
-    "mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.ChangePasswordDocument,
-    "mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.RecoverKeyringDocument,
     "mutation CancelStripeSubscription($organisationId: ID!, $subscriptionId: String!) {\n  cancelSubscription(\n    organisationId: $organisationId\n    subscriptionId: $subscriptionId\n  ) {\n    success\n  }\n}": types.CancelStripeSubscriptionDocument,
     "mutation CreateStripeSetupIntentOp($organisationId: ID!) {\n  createSetupIntent(organisationId: $organisationId) {\n    clientSecret\n  }\n}": types.CreateStripeSetupIntentOpDocument,
     "mutation DeleteStripePaymentMethod($organisationId: ID!, $paymentMethodId: String!) {\n  deletePaymentMethod(\n    organisationId: $organisationId\n    paymentMethodId: $paymentMethodId\n  ) {\n    ok\n  }\n}": types.DeleteStripePaymentMethodDocument,
@@ -235,16 +233,16 @@ const documents: Documents = {
     "mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}": types.UpdateDynamicSecretDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": types.CreateSharedSecretDocument,
     "mutation UpdateEnvOrder($appId: ID!, $environmentOrder: [ID]!) {\n  updateEnvironmentOrder(appId: $appId, environmentOrder: $environmentOrder) {\n    ok\n  }\n}": types.UpdateEnvOrderDocument,
-    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateExtIdentityDocument,
+    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateExtIdentityDocument,
     "mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": types.DeleteExtIdentityDocument,
-    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateExtIdentityDocument,
+    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateExtIdentityDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": types.AcceptOrganisationInviteDocument,
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": types.DeleteOrgInviteDocument,
     "mutation RemoveMember($memberId: ID!) {\n  deleteOrganisationMember(memberId: $memberId) {\n    ok\n  }\n}": types.RemoveMemberDocument,
     "mutation TransferOrgOwnership($organisationId: ID!, $newOwnerId: ID!, $billingEmail: String) {\n  transferOrganisationOwnership(\n    organisationId: $organisationId\n    newOwnerId: $newOwnerId\n    billingEmail: $billingEmail\n  ) {\n    ok\n  }\n}": types.TransferOrgOwnershipDocument,
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": types.UpdateMemberRoleDocument,
-    "mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.UpdateWrappedSecretsDocument,
+    "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": types.RotateAppKeyDocument,
     "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
@@ -254,11 +252,6 @@ const documents: Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
-    "mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}": types.CreateOrgSsoProviderDocument,
-    "mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}": types.DeleteOrgSsoProviderDocument,
-    "mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}": types.TestOrgSsoProviderDocument,
-    "mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}": types.UpdateOrgSsoProviderDocument,
-    "mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}": types.UpdateOrgSecurityDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
@@ -279,6 +272,14 @@ const documents: Documents = {
     "mutation UpdateSyncAuth($syncId: ID!, $credentialId: ID!) {\n  updateSyncAuthentication(syncId: $syncId, credentialId: $credentialId) {\n    sync {\n      id\n      status\n    }\n  }\n}": types.UpdateSyncAuthDocument,
     "mutation CreateNewVaultSync($envId: ID!, $path: String!, $engine: String!, $vaultPath: String!, $credentialId: ID!) {\n  createVaultSync(\n    envId: $envId\n    path: $path\n    engine: $engine\n    vaultPath: $vaultPath\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewVaultSyncDocument,
     "mutation CreateNewVercelSync($envId: ID!, $path: String!, $credentialId: ID!, $projectId: String!, $projectName: String!, $teamId: String!, $teamName: String!, $environment: String!, $secretType: String!) {\n  createVercelSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    projectId: $projectId\n    projectName: $projectName\n    teamId: $teamId\n    teamName: $teamName\n    environment: $environment\n    secretType: $secretType\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewVercelSyncDocument,
+    "mutation AddTeamAppsOp($teamId: ID!, $appEnvs: [AppEnvironmentInput!]!) {\n  addTeamApps(teamId: $teamId, appEnvs: $appEnvs) {\n    team {\n      id\n    }\n  }\n}": types.AddTeamAppsOpDocument,
+    "mutation AddTeamMembersOp($teamId: ID!, $memberIds: [ID!]!, $memberType: MemberType) {\n  addTeamMembers(teamId: $teamId, memberIds: $memberIds, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": types.AddTeamMembersOpDocument,
+    "mutation CreateTeamOp($organisationId: ID!, $name: String!, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  createTeam(\n    organisationId: $organisationId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": types.CreateTeamOpDocument,
+    "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": types.DeleteTeamOpDocument,
+    "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamAppOpDocument,
+    "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamMemberOpDocument,
+    "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": types.UpdateTeamOpDocument,
+    "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": types.CreateNewUserTokenDocument,
     "mutation RevokeUserToken($tokenId: ID!) {\n  deleteUserToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.RevokeUserTokenDocument,
     "query GetIP {\n  clientIp\n}": types.GetIpDocument,
@@ -286,7 +287,6 @@ const documents: Documents = {
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": types.GetAppMembersDocument,
     "query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": types.GetAppServiceAccountsDocument,
-    "query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}": types.VerifyPasswordDocument,
     "query GetCheckoutDetails($stripeSessionId: String!) {\n  stripeCheckoutDetails(stripeSessionId: $stripeSessionId) {\n    paymentStatus\n    customerEmail\n    billingStartDate\n    billingEndDate\n    subscriptionId\n    planName\n  }\n}": types.GetCheckoutDetailsDocument,
     "query GetCustomerPortalLink($organisationId: ID!) {\n  stripeCustomerPortalUrl(organisationId: $organisationId)\n}": types.GetCustomerPortalLinkDocument,
     "query GetSubscriptionDetails($organisationId: ID!) {\n  stripeSubscriptionDetails(organisationId: $organisationId) {\n    subscriptionId\n    planName\n    planType\n    billingPeriod\n    status\n    nextPaymentAmount\n    currentPeriodStart\n    currentPeriodEnd\n    renewalDate\n    cancelAt\n    cancelAtPeriodEnd\n    paymentMethods {\n      id\n      brand\n      last4\n      expMonth\n      expYear\n      isDefault\n    }\n  }\n}": types.GetSubscriptionDetailsDocument,
@@ -296,10 +296,10 @@ const documents: Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n  }\n}": types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}": types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": types.GetAwsStsEndpointsDocument,
-    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": types.GetIdentityProvidersDocument,
-    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
+    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}": types.GetIdentityProvidersDocument,
+    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
     "query CheckOrganisationNameAvailability($name: String!) {\n  organisationNameAvailable(name: $name)\n}": types.CheckOrganisationNameAvailabilityDocument,
     "query GetGlobalAccessUsers($organisationId: ID!) {\n  organisationGlobalAccessUsers(organisationId: $organisationId) {\n    id\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetGlobalAccessUsersDocument,
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": types.GetInvitesDocument,
@@ -324,11 +324,10 @@ const documents: Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
-    "query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}": types.GetOrgSsoProvidersDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": types.ValidateAwsAssumeRoleAuthDocument,
@@ -350,6 +349,7 @@ const documents: Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": types.GetVercelProjectsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": types.GetUserTokensDocument,
 };
@@ -416,14 +416,6 @@ export function graphql(source: "mutation UpdateAppInfoOp($id: ID!, $name: Strin
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -575,7 +567,7 @@ export function graphql(source: "mutation UpdateEnvOrder($appId: ID!, $environme
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+export function graphql(source: "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -583,7 +575,7 @@ export function graphql(source: "mutation DeleteExtIdentity($id: ID!) {\n  delet
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+export function graphql(source: "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -611,7 +603,7 @@ export function graphql(source: "mutation UpdateMemberRole($memberId: ID!, $role
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
+export function graphql(source: "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -648,26 +640,6 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}"): (typeof documents)["mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}"): (typeof documents)["mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}"): (typeof documents)["mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}"): (typeof documents)["mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -748,6 +720,38 @@ export function graphql(source: "mutation CreateNewVaultSync($envId: ID!, $path:
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation CreateNewVercelSync($envId: ID!, $path: String!, $credentialId: ID!, $projectId: String!, $projectName: String!, $teamId: String!, $teamName: String!, $environment: String!, $secretType: String!) {\n  createVercelSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    projectId: $projectId\n    projectName: $projectName\n    teamId: $teamId\n    teamName: $teamName\n    environment: $environment\n    secretType: $secretType\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}"): (typeof documents)["mutation CreateNewVercelSync($envId: ID!, $path: String!, $credentialId: ID!, $projectId: String!, $projectName: String!, $teamId: String!, $teamName: String!, $environment: String!, $secretType: String!) {\n  createVercelSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    projectId: $projectId\n    projectName: $projectName\n    teamId: $teamId\n    teamName: $teamName\n    environment: $environment\n    secretType: $secretType\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation AddTeamAppsOp($teamId: ID!, $appEnvs: [AppEnvironmentInput!]!) {\n  addTeamApps(teamId: $teamId, appEnvs: $appEnvs) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation AddTeamAppsOp($teamId: ID!, $appEnvs: [AppEnvironmentInput!]!) {\n  addTeamApps(teamId: $teamId, appEnvs: $appEnvs) {\n    team {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation AddTeamMembersOp($teamId: ID!, $memberIds: [ID!]!, $memberType: MemberType) {\n  addTeamMembers(teamId: $teamId, memberIds: $memberIds, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation AddTeamMembersOp($teamId: ID!, $memberIds: [ID!]!, $memberType: MemberType) {\n  addTeamMembers(teamId: $teamId, memberIds: $memberIds, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateTeamOp($organisationId: ID!, $name: String!, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  createTeam(\n    organisationId: $organisationId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}"): (typeof documents)["mutation CreateTeamOp($organisationId: ID!, $name: String!, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  createTeam(\n    organisationId: $organisationId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}"): (typeof documents)["mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -776,10 +780,6 @@ export function graphql(source: "query GetAppMembers($appId: ID!) {\n  appUsers(
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}"): (typeof documents)["query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}"): (typeof documents)["query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -819,7 +819,7 @@ export function graphql(source: "query GetDashboard($organisationId: ID!) {\n  a
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n  }\n}"];
+export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -827,11 +827,11 @@ export function graphql(source: "query GetAwsStsEndpoints {\n  awsStsEndpoints\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}"): (typeof documents)["query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}"];
+export function graphql(source: "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}"): (typeof documents)["query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"): (typeof documents)["query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"): (typeof documents)["query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -931,7 +931,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -944,10 +944,6 @@ export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id:
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}"): (typeof documents)["query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -1032,6 +1028,10 @@ export function graphql(source: "query TestVaultAuth($credentialId: ID!) {\n  te
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}"): (typeof documents)["query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 9d6f58b1c..d94b25fa8 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -115,6 +115,16 @@ export type AddAppMemberMutation = {
   app?: Maybe<AppType>;
 };
 
+export type AddTeamAppsMutation = {
+  __typename?: 'AddTeamAppsMutation';
+  team?: Maybe<TeamType>;
+};
+
+export type AddTeamMembersMutation = {
+  __typename?: 'AddTeamMembersMutation';
+  team?: Maybe<TeamType>;
+};
+
 /** An enumeration. */
 export enum ApiActivatedPhaseLicensePlanChoices {
   /** Enterprise */
@@ -209,14 +219,6 @@ export enum ApiOrganisationPlanChoices {
   Pr = 'PR'
 }
 
-/** An enumeration. */
-export enum ApiOrganisationSsoProviderProviderTypeChoices {
-  /** Microsoft Entra ID */
-  EntraId = 'ENTRA_ID',
-  /** Okta */
-  Okta = 'OKTA'
-}
-
 /** An enumeration. */
 export enum ApiSecretEventEventTypeChoices {
   /** Create */
@@ -249,6 +251,11 @@ export enum ApiSecretTypeChoices {
   Secret = 'SECRET'
 }
 
+export type AppEnvironmentInput = {
+  appId: Scalars['ID']['input'];
+  envIds: Array<Scalars['ID']['input']>;
+};
+
 export type AppMemberInputType = {
   envKeys: Array<InputMaybe<EnvironmentKeyInput>>;
   memberId: Scalars['ID']['input'];
@@ -295,13 +302,6 @@ export type AwsIamConfigType = {
   trustedPrincipals?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
 };
 
-export type AzureEntraConfigType = {
-  __typename?: 'AzureEntraConfigType';
-  allowedServicePrincipalIds?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
-  resource?: Maybe<Scalars['String']['output']>;
-  tenantId?: Maybe<Scalars['String']['output']>;
-};
-
 export type AzureKeyVaultSecretType = {
   __typename?: 'AzureKeyVaultSecretType';
   contentType?: Maybe<Scalars['String']['output']>;
@@ -339,32 +339,6 @@ export type BulkInviteOrganisationMembersMutation = {
   invites?: Maybe<Array<Maybe<OrganisationMemberInviteType>>>;
 };
 
-/**
- * Rotate the user's account password and rewrap the active org's
- * keyring with the new deviceKey. Used by the in-session change-password
- * dialog where the user supplies their current password, a new password,
- * and the org's recovery mnemonic.
- *
- * Three server-side proofs are required:
- *   1. current_auth_hash matches user.password — proves the caller
- *      knows the current login password.
- *   2. identity_key matches the org's stored identity_key — proves the
- *      caller derived the keyring from the right mnemonic.
- *   3. user is a member of the org.
- *
- * On success: user.password is set to new_auth_hash, the org's
- * wrapped_keyring + wrapped_recovery are replaced, and the session is
- * refreshed so the post-rotation HASH_SESSION_KEY stays valid.
- *
- * Only the active org's keyring is rewrapped. Other orgs the user
- * belongs to remain encrypted with the old deviceKey; they'll fall
- * through to per-org recovery on next access.
- */
-export type ChangeAccountPasswordMutation = {
-  __typename?: 'ChangeAccountPasswordMutation';
-  orgMember?: Maybe<OrganisationMemberType>;
-};
-
 export type ChartDataPointType = {
   __typename?: 'ChartDataPointType';
   data?: Maybe<Scalars['Int']['output']>;
@@ -480,11 +454,6 @@ export type CreateOrganisationMutation = {
   organisation?: Maybe<OrganisationType>;
 };
 
-export type CreateOrganisationSsoProviderMutation = {
-  __typename?: 'CreateOrganisationSSOProviderMutation';
-  providerId?: Maybe<Scalars['ID']['output']>;
-};
-
 export type CreatePersonalSecretMutation = {
   __typename?: 'CreatePersonalSecretMutation';
   override?: Maybe<PersonalSecretType>;
@@ -545,6 +514,11 @@ export type CreateSubscriptionCheckoutSession = {
   clientSecret?: Maybe<Scalars['String']['output']>;
 };
 
+export type CreateTeamMutation = {
+  __typename?: 'CreateTeamMutation';
+  team?: Maybe<TeamType>;
+};
+
 export type CreateUserTokenMutation = {
   __typename?: 'CreateUserTokenMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -601,11 +575,6 @@ export type DeleteOrganisationMemberMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
-export type DeleteOrganisationSsoProviderMutation = {
-  __typename?: 'DeleteOrganisationSSOProviderMutation';
-  ok?: Maybe<Scalars['Boolean']['output']>;
-};
-
 export type DeletePaymentMethodMutation = {
   __typename?: 'DeletePaymentMethodMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -651,6 +620,11 @@ export type DeleteSync = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type DeleteTeamMutation = {
+  __typename?: 'DeleteTeamMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type DeleteUserTokenMutation = {
   __typename?: 'DeleteUserTokenMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -891,7 +865,7 @@ export type GitLabProjectType = {
   webUrl?: Maybe<Scalars['String']['output']>;
 };
 
-export type IdentityConfigUnion = AwsIamConfigType | AzureEntraConfigType;
+export type IdentityConfigUnion = AwsIamConfigType;
 
 export type IdentityProviderType = {
   __typename?: 'IdentityProviderType';
@@ -899,6 +873,7 @@ export type IdentityProviderType = {
   iconId: Scalars['String']['output'];
   id: Scalars['String']['output'];
   name: Scalars['String']['output'];
+  supported: Scalars['Boolean']['output'];
 };
 
 export type IdentityType = {
@@ -1002,31 +977,11 @@ export type MigratePricingMutation = {
 export type Mutation = {
   __typename?: 'Mutation';
   addAppMember?: Maybe<AddAppMemberMutation>;
+  addTeamApps?: Maybe<AddTeamAppsMutation>;
+  addTeamMembers?: Maybe<AddTeamMembersMutation>;
   bulkAddAppMembers?: Maybe<BulkAddAppMembersMutation>;
   bulkInviteOrganisationMembers?: Maybe<BulkInviteOrganisationMembersMutation>;
   cancelSubscription?: Maybe<UpdateSubscriptionResponse>;
-  /**
-   * Rotate the user's account password and rewrap the active org's
-   * keyring with the new deviceKey. Used by the in-session change-password
-   * dialog where the user supplies their current password, a new password,
-   * and the org's recovery mnemonic.
-   *
-   * Three server-side proofs are required:
-   *   1. current_auth_hash matches user.password — proves the caller
-   *      knows the current login password.
-   *   2. identity_key matches the org's stored identity_key — proves the
-   *      caller derived the keyring from the right mnemonic.
-   *   3. user is a member of the org.
-   *
-   * On success: user.password is set to new_auth_hash, the org's
-   * wrapped_keyring + wrapped_recovery are replaced, and the session is
-   * refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-   *
-   * Only the active org's keyring is rewrapped. Other orgs the user
-   * belongs to remain encrypted with the old deviceKey; they'll fall
-   * through to per-org recovery on next access.
-   */
-  changeAccountPassword?: Maybe<ChangeAccountPasswordMutation>;
   createApp?: Maybe<CreateAppMutation>;
   createAwsDynamicSecret?: Maybe<CreateAwsDynamicSecretMutation>;
   createAwsSecretSync?: Maybe<CreateAwsSecretsManagerSync>;
@@ -1047,7 +1002,6 @@ export type Mutation = {
   createNomadSync?: Maybe<CreateNomadSync>;
   createOrganisation?: Maybe<CreateOrganisationMutation>;
   createOrganisationMember?: Maybe<CreateOrganisationMemberMutation>;
-  createOrganisationSsoProvider?: Maybe<CreateOrganisationSsoProviderMutation>;
   createOverride?: Maybe<CreatePersonalSecretMutation>;
   createProviderCredentials?: Maybe<CreateProviderCredentials>;
   createRailwaySync?: Maybe<CreateRailwaySync>;
@@ -1061,6 +1015,7 @@ export type Mutation = {
   createServiceToken?: Maybe<CreateServiceTokenMutation>;
   createSetupIntent?: Maybe<CreateSetupIntentMutation>;
   createSubscriptionCheckoutSession?: Maybe<CreateSubscriptionCheckoutSession>;
+  createTeam?: Maybe<CreateTeamMutation>;
   createUserToken?: Maybe<CreateUserTokenMutation>;
   createVaultSync?: Maybe<CreateVaultSync>;
   createVercelSync?: Maybe<CreateVercelSync>;
@@ -1073,7 +1028,6 @@ export type Mutation = {
   deleteInvitation?: Maybe<DeleteInviteMutation>;
   deleteNetworkAccessPolicy?: Maybe<DeleteNetworkAccessPolicyMutation>;
   deleteOrganisationMember?: Maybe<DeleteOrganisationMemberMutation>;
-  deleteOrganisationSsoProvider?: Maybe<DeleteOrganisationSsoProviderMutation>;
   deletePaymentMethod?: Maybe<DeletePaymentMethodMutation>;
   deleteProviderCredentials?: Maybe<DeleteProviderCredentials>;
   deleteSecret?: Maybe<DeleteSecretMutation>;
@@ -1082,6 +1036,7 @@ export type Mutation = {
   deleteServiceAccount?: Maybe<DeleteServiceAccountMutation>;
   deleteServiceAccountToken?: Maybe<DeleteServiceAccountTokenMutation>;
   deleteServiceToken?: Maybe<DeleteServiceTokenMutation>;
+  deleteTeam?: Maybe<DeleteTeamMutation>;
   deleteUserToken?: Maybe<DeleteUserTokenMutation>;
   editSecret?: Maybe<EditSecretMutation>;
   editSecrets?: Maybe<BulkEditSecretMutation>;
@@ -1091,33 +1046,16 @@ export type Mutation = {
   migratePricing?: Maybe<MigratePricingMutation>;
   modifySubscription?: Maybe<UpdateSubscriptionResponse>;
   readSecret?: Maybe<ReadSecretMutation>;
-  /**
-   * Rewrap THIS org's keyring with a deviceKey derived from the user's
-   * account password. Used by the recovery flow when the local keyring
-   * has been lost (cleared cache, new device) but the user still
-   * remembers their password.
-   *
-   * Two server-side proofs are required:
-   *   1. identity_key matches the org's stored identity_key — proves the
-   *      caller derived the keyring from the right mnemonic.
-   *   2. auth_hash matches user.password — proves the password the user
-   *      is wrapping the keyring with is also their account login auth.
-   *
-   * The mutation does NOT change user.password. The auth_hash check is a
-   * guardrail to keep auth and wrap passwords unified; if it fails, the
-   * user is trying to wrap the keyring with a password that doesn't
-   * authenticate them, which we never persist.
-   */
-  recoverAccountKeyring?: Maybe<RecoverAccountKeyringMutation>;
   removeAppMember?: Maybe<RemoveAppMemberMutation>;
   removeOverride?: Maybe<DeletePersonalSecretMutation>;
+  removeTeamApp?: Maybe<RemoveTeamAppMutation>;
+  removeTeamMember?: Maybe<RemoveTeamMemberMutation>;
   renameEnvironment?: Maybe<RenameEnvironmentMutation>;
   renewDynamicSecretLease?: Maybe<RenewLeaseMutation>;
   resumeSubscription?: Maybe<UpdateSubscriptionResponse>;
   revokeDynamicSecretLease?: Maybe<RevokeLeaseMutation>;
   rotateAppKeys?: Maybe<RotateAppKeysMutation>;
   setDefaultPaymentMethod?: Maybe<SetDefaultPaymentMethodMutation>;
-  testOrganisationSsoProvider?: Maybe<TestOrganisationSsoProviderMutation>;
   toggleSyncActive?: Maybe<ToggleSyncActive>;
   /**
    * Transfer organisation ownership from the current owner to another member.
@@ -1132,27 +1070,15 @@ export type Mutation = {
   updateEnvironmentOrder?: Maybe<UpdateEnvironmentOrderMutation>;
   updateIdentity?: Maybe<UpdateIdentityMutation>;
   updateMemberEnvironmentScope?: Maybe<UpdateMemberEnvScopeMutation>;
-  /**
-   * Re-wrap THIS org's keyring after the caller proves they hold the
-   * recovery mnemonic. Used by SSO recovery (where there's no login
-   * password to verify against, so identity is proven via the mnemonic
-   * alone).
-   *
-   * Requires identity_key matching the org's stored identity_key — proves
-   * the caller derived the keyring from the right mnemonic. Without this
-   * proof, an authenticated user (or session-cookie holder) could
-   * overwrite their own wrapped_keyring with arbitrary garbage and lock
-   * themselves out of the org permanently.
-   */
   updateMemberWrappedSecrets?: Maybe<UpdateUserWrappedSecretsMutation>;
   updateNetworkAccessPolicy?: Maybe<UpdateNetworkAccessPolicyMutation>;
   updateOrganisationMemberRole?: Maybe<UpdateOrganisationMemberRole>;
-  updateOrganisationSecurity?: Maybe<UpdateOrganisationSecurityMutation>;
-  updateOrganisationSsoProvider?: Maybe<UpdateOrganisationSsoProviderMutation>;
   updateProviderCredentials?: Maybe<UpdateProviderCredentials>;
   updateServiceAccount?: Maybe<UpdateServiceAccountMutation>;
   updateServiceAccountHandlers?: Maybe<UpdateServiceAccountHandlersMutation>;
   updateSyncAuthentication?: Maybe<UpdateSyncAuthentication>;
+  updateTeam?: Maybe<UpdateTeamMutation>;
+  updateTeamAppEnvironments?: Maybe<UpdateTeamAppEnvironmentsMutation>;
 };
 
 
@@ -1164,6 +1090,19 @@ export type MutationAddAppMemberArgs = {
 };
 
 
+export type MutationAddTeamAppsArgs = {
+  appEnvs: Array<AppEnvironmentInput>;
+  teamId: Scalars['ID']['input'];
+};
+
+
+export type MutationAddTeamMembersArgs = {
+  memberIds: Array<Scalars['ID']['input']>;
+  memberType?: InputMaybe<MemberType>;
+  teamId: Scalars['ID']['input'];
+};
+
+
 export type MutationBulkAddAppMembersArgs = {
   appId: Scalars['ID']['input'];
   members: Array<InputMaybe<AppMemberInputType>>;
@@ -1182,16 +1121,6 @@ export type MutationCancelSubscriptionArgs = {
 };
 
 
-export type MutationChangeAccountPasswordArgs = {
-  currentAuthHash: Scalars['String']['input'];
-  identityKey: Scalars['String']['input'];
-  newAuthHash: Scalars['String']['input'];
-  orgId: Scalars['ID']['input'];
-  wrappedKeyring: Scalars['String']['input'];
-  wrappedRecovery: Scalars['String']['input'];
-};
-
-
 export type MutationCreateAppArgs = {
   appSeed: Scalars['String']['input'];
   appToken: Scalars['String']['input'];
@@ -1339,10 +1268,8 @@ export type MutationCreateIdentityArgs = {
   name: Scalars['String']['input'];
   organisationId: Scalars['ID']['input'];
   provider: Scalars['String']['input'];
-  resource?: InputMaybe<Scalars['String']['input']>;
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
-  tenantId?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   trustedPrincipals: Scalars['String']['input'];
 };
@@ -1388,14 +1315,6 @@ export type MutationCreateOrganisationMemberArgs = {
 };
 
 
-export type MutationCreateOrganisationSsoProviderArgs = {
-  config: Scalars['JSONString']['input'];
-  name: Scalars['String']['input'];
-  orgId: Scalars['ID']['input'];
-  providerType: Scalars['String']['input'];
-};
-
-
 export type MutationCreateOverrideArgs = {
   overrideData?: InputMaybe<PersonalSecretInput>;
 };
@@ -1498,6 +1417,15 @@ export type MutationCreateSubscriptionCheckoutSessionArgs = {
 };
 
 
+export type MutationCreateTeamArgs = {
+  description?: InputMaybe<Scalars['String']['input']>;
+  memberRoleId?: InputMaybe<Scalars['ID']['input']>;
+  name: Scalars['String']['input'];
+  organisationId: Scalars['ID']['input'];
+  serviceAccountRoleId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type MutationCreateUserTokenArgs = {
   expiry?: InputMaybe<Scalars['BigInt']['input']>;
   identityKey: Scalars['String']['input'];
@@ -1575,11 +1503,6 @@ export type MutationDeleteOrganisationMemberArgs = {
 };
 
 
-export type MutationDeleteOrganisationSsoProviderArgs = {
-  providerId: Scalars['ID']['input'];
-};
-
-
 export type MutationDeletePaymentMethodArgs = {
   organisationId?: InputMaybe<Scalars['ID']['input']>;
   paymentMethodId?: InputMaybe<Scalars['String']['input']>;
@@ -1621,6 +1544,11 @@ export type MutationDeleteServiceTokenArgs = {
 };
 
 
+export type MutationDeleteTeamArgs = {
+  teamId: Scalars['ID']['input'];
+};
+
+
 export type MutationDeleteUserTokenArgs = {
   tokenId: Scalars['ID']['input'];
 };
@@ -1673,15 +1601,6 @@ export type MutationReadSecretArgs = {
 };
 
 
-export type MutationRecoverAccountKeyringArgs = {
-  authHash: Scalars['String']['input'];
-  identityKey: Scalars['String']['input'];
-  orgId: Scalars['ID']['input'];
-  wrappedKeyring: Scalars['String']['input'];
-  wrappedRecovery: Scalars['String']['input'];
-};
-
-
 export type MutationRemoveAppMemberArgs = {
   appId?: InputMaybe<Scalars['ID']['input']>;
   memberId?: InputMaybe<Scalars['ID']['input']>;
@@ -1694,6 +1613,19 @@ export type MutationRemoveOverrideArgs = {
 };
 
 
+export type MutationRemoveTeamAppArgs = {
+  appId: Scalars['ID']['input'];
+  teamId: Scalars['ID']['input'];
+};
+
+
+export type MutationRemoveTeamMemberArgs = {
+  memberId: Scalars['ID']['input'];
+  memberType?: InputMaybe<MemberType>;
+  teamId: Scalars['ID']['input'];
+};
+
+
 export type MutationRenameEnvironmentArgs = {
   environmentId: Scalars['ID']['input'];
   name: Scalars['String']['input'];
@@ -1730,11 +1662,6 @@ export type MutationSetDefaultPaymentMethodArgs = {
 };
 
 
-export type MutationTestOrganisationSsoProviderArgs = {
-  providerId: Scalars['ID']['input'];
-};
-
-
 export type MutationToggleSyncActiveArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -1800,10 +1727,8 @@ export type MutationUpdateIdentityArgs = {
   id: Scalars['ID']['input'];
   maxTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   name?: InputMaybe<Scalars['String']['input']>;
-  resource?: InputMaybe<Scalars['String']['input']>;
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
-  tenantId?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   trustedPrincipals?: InputMaybe<Scalars['String']['input']>;
 };
@@ -1818,7 +1743,7 @@ export type MutationUpdateMemberEnvironmentScopeArgs = {
 
 
 export type MutationUpdateMemberWrappedSecretsArgs = {
-  identityKey: Scalars['String']['input'];
+  identityKey?: InputMaybe<Scalars['String']['input']>;
   orgId: Scalars['ID']['input'];
   wrappedKeyring: Scalars['String']['input'];
   wrappedRecovery: Scalars['String']['input'];
@@ -1836,20 +1761,6 @@ export type MutationUpdateOrganisationMemberRoleArgs = {
 };
 
 
-export type MutationUpdateOrganisationSecurityArgs = {
-  orgId: Scalars['ID']['input'];
-  requireSso: Scalars['Boolean']['input'];
-};
-
-
-export type MutationUpdateOrganisationSsoProviderArgs = {
-  config?: InputMaybe<Scalars['JSONString']['input']>;
-  enabled?: InputMaybe<Scalars['Boolean']['input']>;
-  name?: InputMaybe<Scalars['String']['input']>;
-  providerId: Scalars['ID']['input'];
-};
-
-
 export type MutationUpdateProviderCredentialsArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   credentials?: InputMaybe<Scalars['JSONString']['input']>;
@@ -1876,6 +1787,22 @@ export type MutationUpdateSyncAuthenticationArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
 
+
+export type MutationUpdateTeamArgs = {
+  description?: InputMaybe<Scalars['String']['input']>;
+  memberRoleId?: InputMaybe<Scalars['ID']['input']>;
+  name?: InputMaybe<Scalars['String']['input']>;
+  serviceAccountRoleId?: InputMaybe<Scalars['ID']['input']>;
+  teamId: Scalars['ID']['input'];
+};
+
+
+export type MutationUpdateTeamAppEnvironmentsArgs = {
+  appId: Scalars['ID']['input'];
+  envIds: Array<Scalars['ID']['input']>;
+  teamId: Scalars['ID']['input'];
+};
+
 export type NamespaceType = {
   __typename?: 'NamespaceType';
   fullPath?: Maybe<Scalars['String']['output']>;
@@ -1951,19 +1878,6 @@ export type OrganisationPlanType = {
   seatsUsed?: Maybe<SeatsUsed>;
 };
 
-export type OrganisationSsoProviderType = {
-  __typename?: 'OrganisationSSOProviderType';
-  createdAt: Scalars['DateTime']['output'];
-  createdBy?: Maybe<OrganisationMemberType>;
-  enabled: Scalars['Boolean']['output'];
-  id: Scalars['String']['output'];
-  name: Scalars['String']['output'];
-  providerType: ApiOrganisationSsoProviderProviderTypeChoices;
-  publicConfig?: Maybe<Scalars['JSONString']['output']>;
-  updatedAt: Scalars['DateTime']['output'];
-  updatedBy?: Maybe<OrganisationMemberType>;
-};
-
 export type OrganisationType = {
   __typename?: 'OrganisationType';
   createdAt?: Maybe<Scalars['DateTime']['output']>;
@@ -1976,9 +1890,7 @@ export type OrganisationType = {
   planDetail?: Maybe<OrganisationPlanType>;
   pricingVersion: Scalars['Int']['output'];
   recovery?: Maybe<Scalars['String']['output']>;
-  requireSso: Scalars['Boolean']['output'];
   role?: Maybe<RoleType>;
-  ssoProviders?: Maybe<Array<Maybe<OrganisationSsoProviderType>>>;
 };
 
 export type PaymentMethodDetails = {
@@ -2113,6 +2025,7 @@ export type Query = {
   stripeCustomerPortalUrl?: Maybe<Scalars['String']['output']>;
   stripeSubscriptionDetails?: Maybe<StripeSubscriptionDetails>;
   syncs?: Maybe<Array<Maybe<EnvironmentSyncType>>>;
+  teams?: Maybe<Array<Maybe<TeamType>>>;
   testNomadCreds?: Maybe<Scalars['Boolean']['output']>;
   testVaultCreds?: Maybe<Scalars['Boolean']['output']>;
   testVercelCreds?: Maybe<Scalars['Boolean']['output']>;
@@ -2121,7 +2034,6 @@ export type Query = {
   validateAwsAssumeRoleCredentials?: Maybe<AwsValidationResultType>;
   validateInvite?: Maybe<OrganisationMemberInviteType>;
   vercelProjects?: Maybe<Array<Maybe<VercelTeamProjectsType>>>;
-  verifyPassword?: Maybe<Scalars['Boolean']['output']>;
 };
 
 
@@ -2388,6 +2300,12 @@ export type QuerySyncsArgs = {
 };
 
 
+export type QueryTeamsArgs = {
+  organisationId?: InputMaybe<Scalars['ID']['input']>;
+  teamId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type QueryTestNomadCredsArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -2424,11 +2342,6 @@ export type QueryVercelProjectsArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
 };
 
-
-export type QueryVerifyPasswordArgs = {
-  authHash: Scalars['String']['input'];
-};
-
 export type RailwayEnvironmentType = {
   __typename?: 'RailwayEnvironmentType';
   id: Scalars['ID']['output'];
@@ -2460,33 +2373,21 @@ export type ReadSecretMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
-/**
- * Rewrap THIS org's keyring with a deviceKey derived from the user's
- * account password. Used by the recovery flow when the local keyring
- * has been lost (cleared cache, new device) but the user still
- * remembers their password.
- *
- * Two server-side proofs are required:
- *   1. identity_key matches the org's stored identity_key — proves the
- *      caller derived the keyring from the right mnemonic.
- *   2. auth_hash matches user.password — proves the password the user
- *      is wrapping the keyring with is also their account login auth.
- *
- * The mutation does NOT change user.password. The auth_hash check is a
- * guardrail to keep auth and wrap passwords unified; if it fails, the
- * user is trying to wrap the keyring with a password that doesn't
- * authenticate them, which we never persist.
- */
-export type RecoverAccountKeyringMutation = {
-  __typename?: 'RecoverAccountKeyringMutation';
-  orgMember?: Maybe<OrganisationMemberType>;
-};
-
 export type RemoveAppMemberMutation = {
   __typename?: 'RemoveAppMemberMutation';
   app?: Maybe<AppType>;
 };
 
+export type RemoveTeamAppMutation = {
+  __typename?: 'RemoveTeamAppMutation';
+  team?: Maybe<TeamType>;
+};
+
+export type RemoveTeamMemberMutation = {
+  __typename?: 'RemoveTeamMemberMutation';
+  team?: Maybe<TeamType>;
+};
+
 export type RenameEnvironmentMutation = {
   __typename?: 'RenameEnvironmentMutation';
   environment?: Maybe<EnvironmentType>;
@@ -2750,10 +2651,40 @@ export type StripeSubscriptionDetails = {
   subscriptionId?: Maybe<Scalars['String']['output']>;
 };
 
-export type TestOrganisationSsoProviderMutation = {
-  __typename?: 'TestOrganisationSSOProviderMutation';
-  error?: Maybe<Scalars['String']['output']>;
-  success?: Maybe<Scalars['Boolean']['output']>;
+export type TeamAppEnvironmentType = {
+  __typename?: 'TeamAppEnvironmentType';
+  app: AppMembershipType;
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  environment: EnvironmentType;
+  id: Scalars['String']['output'];
+};
+
+export type TeamMembershipType = {
+  __typename?: 'TeamMembershipType';
+  avatarUrl?: Maybe<Scalars['String']['output']>;
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  email?: Maybe<Scalars['String']['output']>;
+  fullName?: Maybe<Scalars['String']['output']>;
+  id: Scalars['String']['output'];
+  orgMember?: Maybe<OrganisationMemberType>;
+  serviceAccount?: Maybe<ServiceAccountType>;
+};
+
+export type TeamType = {
+  __typename?: 'TeamType';
+  appEnvironments?: Maybe<Array<TeamAppEnvironmentType>>;
+  apps?: Maybe<Array<AppType>>;
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  createdBy?: Maybe<OrganisationMemberType>;
+  description?: Maybe<Scalars['String']['output']>;
+  id: Scalars['String']['output'];
+  isScimManaged: Scalars['Boolean']['output'];
+  memberCount?: Maybe<Scalars['Int']['output']>;
+  memberRole?: Maybe<RoleType>;
+  members?: Maybe<Array<TeamMembershipType>>;
+  name: Scalars['String']['output'];
+  serviceAccountRole?: Maybe<RoleType>;
+  updatedAt: Scalars['DateTime']['output'];
 };
 
 export enum TimeRange {
@@ -2829,17 +2760,6 @@ export type UpdateOrganisationMemberRole = {
   orgMember?: Maybe<OrganisationMemberType>;
 };
 
-export type UpdateOrganisationSsoProviderMutation = {
-  __typename?: 'UpdateOrganisationSSOProviderMutation';
-  ok?: Maybe<Scalars['Boolean']['output']>;
-};
-
-export type UpdateOrganisationSecurityMutation = {
-  __typename?: 'UpdateOrganisationSecurityMutation';
-  ok?: Maybe<Scalars['Boolean']['output']>;
-  sessionInvalidated?: Maybe<Scalars['Boolean']['output']>;
-};
-
 export type UpdatePolicyInput = {
   allowedIps?: InputMaybe<Scalars['String']['input']>;
   id: Scalars['ID']['input'];
@@ -2875,18 +2795,16 @@ export type UpdateSyncAuthentication = {
   sync?: Maybe<EnvironmentSyncType>;
 };
 
-/**
- * Re-wrap THIS org's keyring after the caller proves they hold the
- * recovery mnemonic. Used by SSO recovery (where there's no login
- * password to verify against, so identity is proven via the mnemonic
- * alone).
- *
- * Requires identity_key matching the org's stored identity_key — proves
- * the caller derived the keyring from the right mnemonic. Without this
- * proof, an authenticated user (or session-cookie holder) could
- * overwrite their own wrapped_keyring with arbitrary garbage and lock
- * themselves out of the org permanently.
- */
+export type UpdateTeamAppEnvironmentsMutation = {
+  __typename?: 'UpdateTeamAppEnvironmentsMutation';
+  team?: Maybe<TeamType>;
+};
+
+export type UpdateTeamMutation = {
+  __typename?: 'UpdateTeamMutation';
+  team?: Maybe<TeamType>;
+};
+
 export type UpdateUserWrappedSecretsMutation = {
   __typename?: 'UpdateUserWrappedSecretsMutation';
   orgMember?: Maybe<OrganisationMemberType>;
@@ -3035,29 +2953,6 @@ export type UpdateEnvScopeMutationVariables = Exact<{
 
 export type UpdateEnvScopeMutation = { __typename?: 'Mutation', updateMemberEnvironmentScope?: { __typename?: 'UpdateMemberEnvScopeMutation', app?: { __typename?: 'AppType', id: string } | null } | null };
 
-export type ChangePasswordMutationVariables = Exact<{
-  orgId: Scalars['ID']['input'];
-  currentAuthHash: Scalars['String']['input'];
-  newAuthHash: Scalars['String']['input'];
-  identityKey: Scalars['String']['input'];
-  wrappedKeyring: Scalars['String']['input'];
-  wrappedRecovery: Scalars['String']['input'];
-}>;
-
-
-export type ChangePasswordMutation = { __typename?: 'Mutation', changeAccountPassword?: { __typename?: 'ChangeAccountPasswordMutation', orgMember?: { __typename?: 'OrganisationMemberType', id: string } | null } | null };
-
-export type RecoverKeyringMutationVariables = Exact<{
-  orgId: Scalars['ID']['input'];
-  authHash: Scalars['String']['input'];
-  identityKey: Scalars['String']['input'];
-  wrappedKeyring: Scalars['String']['input'];
-  wrappedRecovery: Scalars['String']['input'];
-}>;
-
-
-export type RecoverKeyringMutation = { __typename?: 'Mutation', recoverAccountKeyring?: { __typename?: 'RecoverAccountKeyringMutation', orgMember?: { __typename?: 'OrganisationMemberType', id: string } | null } | null };
-
 export type CancelStripeSubscriptionMutationVariables = Exact<{
   organisationId: Scalars['ID']['input'];
   subscriptionId: Scalars['String']['input'];
@@ -3397,18 +3292,13 @@ export type CreateExtIdentityMutationVariables = Exact<{
   trustedPrincipals: Scalars['String']['input'];
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
-  tenantId?: InputMaybe<Scalars['String']['input']>;
-  resource?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   defaultTtlSeconds: Scalars['Int']['input'];
   maxTtlSeconds: Scalars['Int']['input'];
 }>;
 
 
-export type CreateExtIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?:
-        | { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null }
-        | { __typename?: 'AzureEntraConfigType', tenantId?: string | null, resource?: string | null, allowedServicePrincipalIds?: Array<string | null> | null }
-       | null } | null } | null };
+export type CreateExtIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
 
 export type DeleteExtIdentityMutationVariables = Exact<{
   id: Scalars['ID']['input'];
@@ -3424,18 +3314,13 @@ export type UpdateExtIdentityMutationVariables = Exact<{
   trustedPrincipals?: InputMaybe<Scalars['String']['input']>;
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
-  tenantId?: InputMaybe<Scalars['String']['input']>;
-  resource?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   defaultTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   maxTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
 }>;
 
 
-export type UpdateExtIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?:
-        | { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null }
-        | { __typename?: 'AzureEntraConfigType', tenantId?: string | null, resource?: string | null, allowedServicePrincipalIds?: Array<string | null> | null }
-       | null } | null } | null };
+export type UpdateExtIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
 
 export type AcceptOrganisationInviteMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3489,7 +3374,6 @@ export type UpdateMemberRoleMutation = { __typename?: 'Mutation', updateOrganisa
 
 export type UpdateWrappedSecretsMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
-  identityKey: Scalars['String']['input'];
   wrappedKeyring: Scalars['String']['input'];
   wrappedRecovery: Scalars['String']['input'];
 }>;
@@ -3579,48 +3463,6 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
 
 export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
-export type CreateOrgSsoProviderMutationVariables = Exact<{
-  orgId: Scalars['ID']['input'];
-  providerType: Scalars['String']['input'];
-  name: Scalars['String']['input'];
-  config: Scalars['JSONString']['input'];
-}>;
-
-
-export type CreateOrgSsoProviderMutation = { __typename?: 'Mutation', createOrganisationSsoProvider?: { __typename?: 'CreateOrganisationSSOProviderMutation', providerId?: string | null } | null };
-
-export type DeleteOrgSsoProviderMutationVariables = Exact<{
-  providerId: Scalars['ID']['input'];
-}>;
-
-
-export type DeleteOrgSsoProviderMutation = { __typename?: 'Mutation', deleteOrganisationSsoProvider?: { __typename?: 'DeleteOrganisationSSOProviderMutation', ok?: boolean | null } | null };
-
-export type TestOrgSsoProviderMutationVariables = Exact<{
-  providerId: Scalars['ID']['input'];
-}>;
-
-
-export type TestOrgSsoProviderMutation = { __typename?: 'Mutation', testOrganisationSsoProvider?: { __typename?: 'TestOrganisationSSOProviderMutation', success?: boolean | null, error?: string | null } | null };
-
-export type UpdateOrgSsoProviderMutationVariables = Exact<{
-  providerId: Scalars['ID']['input'];
-  name?: InputMaybe<Scalars['String']['input']>;
-  config?: InputMaybe<Scalars['JSONString']['input']>;
-  enabled?: InputMaybe<Scalars['Boolean']['input']>;
-}>;
-
-
-export type UpdateOrgSsoProviderMutation = { __typename?: 'Mutation', updateOrganisationSsoProvider?: { __typename?: 'UpdateOrganisationSSOProviderMutation', ok?: boolean | null } | null };
-
-export type UpdateOrgSecurityMutationVariables = Exact<{
-  orgId: Scalars['ID']['input'];
-  requireSso: Scalars['Boolean']['input'];
-}>;
-
-
-export type UpdateOrgSecurityMutation = { __typename?: 'Mutation', updateOrganisationSecurity?: { __typename?: 'UpdateOrganisationSecurityMutation', ok?: boolean | null, sessionInvalidated?: boolean | null } | null };
-
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
   path: Scalars['String']['input'];
@@ -3832,6 +3674,78 @@ export type CreateNewVercelSyncMutationVariables = Exact<{
 
 export type CreateNewVercelSyncMutation = { __typename?: 'Mutation', createVercelSync?: { __typename?: 'CreateVercelSync', sync?: { __typename?: 'EnvironmentSyncType', id: string, isActive: boolean, lastSync?: any | null, createdAt?: any | null, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices }, serviceInfo?: { __typename?: 'ServiceType', id?: string | null, name?: string | null } | null } | null } | null };
 
+export type AddTeamAppsOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  appEnvs: Array<AppEnvironmentInput> | AppEnvironmentInput;
+}>;
+
+
+export type AddTeamAppsOpMutation = { __typename?: 'Mutation', addTeamApps?: { __typename?: 'AddTeamAppsMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
+export type AddTeamMembersOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  memberIds: Array<Scalars['ID']['input']> | Scalars['ID']['input'];
+  memberType?: InputMaybe<MemberType>;
+}>;
+
+
+export type AddTeamMembersOpMutation = { __typename?: 'Mutation', addTeamMembers?: { __typename?: 'AddTeamMembersMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
+export type CreateTeamOpMutationVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  name: Scalars['String']['input'];
+  description?: InputMaybe<Scalars['String']['input']>;
+  memberRoleId?: InputMaybe<Scalars['ID']['input']>;
+  serviceAccountRoleId?: InputMaybe<Scalars['ID']['input']>;
+}>;
+
+
+export type CreateTeamOpMutation = { __typename?: 'Mutation', createTeam?: { __typename?: 'CreateTeamMutation', team?: { __typename?: 'TeamType', id: string, name: string } | null } | null };
+
+export type DeleteTeamOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+}>;
+
+
+export type DeleteTeamOpMutation = { __typename?: 'Mutation', deleteTeam?: { __typename?: 'DeleteTeamMutation', ok?: boolean | null } | null };
+
+export type RemoveTeamAppOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  appId: Scalars['ID']['input'];
+}>;
+
+
+export type RemoveTeamAppOpMutation = { __typename?: 'Mutation', removeTeamApp?: { __typename?: 'RemoveTeamAppMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
+export type RemoveTeamMemberOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  memberId: Scalars['ID']['input'];
+  memberType?: InputMaybe<MemberType>;
+}>;
+
+
+export type RemoveTeamMemberOpMutation = { __typename?: 'Mutation', removeTeamMember?: { __typename?: 'RemoveTeamMemberMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
+export type UpdateTeamOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  name?: InputMaybe<Scalars['String']['input']>;
+  description?: InputMaybe<Scalars['String']['input']>;
+  memberRoleId?: InputMaybe<Scalars['ID']['input']>;
+  serviceAccountRoleId?: InputMaybe<Scalars['ID']['input']>;
+}>;
+
+
+export type UpdateTeamOpMutation = { __typename?: 'Mutation', updateTeam?: { __typename?: 'UpdateTeamMutation', team?: { __typename?: 'TeamType', id: string, name: string } | null } | null };
+
+export type UpdateTeamAppEnvironmentsOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  appId: Scalars['ID']['input'];
+  envIds: Array<Scalars['ID']['input']> | Scalars['ID']['input'];
+}>;
+
+
+export type UpdateTeamAppEnvironmentsOpMutation = { __typename?: 'Mutation', updateTeamAppEnvironments?: { __typename?: 'UpdateTeamAppEnvironmentsMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
 export type CreateNewUserTokenMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
   name: Scalars['String']['input'];
@@ -3884,13 +3798,6 @@ export type GetAppServiceAccountsQueryVariables = Exact<{
 
 export type GetAppServiceAccountsQuery = { __typename?: 'Query', appServiceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, identityKey?: string | null, name: string, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null, color?: string | null } | null, tokens?: Array<{ __typename?: 'ServiceAccountTokenType', id: string, name: string } | null> | null } | null> | null };
 
-export type VerifyPasswordQueryVariables = Exact<{
-  authHash: Scalars['String']['input'];
-}>;
-
-
-export type VerifyPasswordQuery = { __typename?: 'Query', verifyPassword?: boolean | null };
-
 export type GetCheckoutDetailsQueryVariables = Exact<{
   stripeSessionId: Scalars['String']['input'];
 }>;
@@ -3965,7 +3872,7 @@ export type GetDashboardQuery = { __typename?: 'Query', apps?: Array<{ __typenam
 export type GetOrganisationsQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, requireSso: boolean, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, ssoProviders?: Array<{ __typename?: 'OrganisationSSOProviderType', name: string, providerType: ApiOrganisationSsoProviderProviderTypeChoices, enabled: boolean } | null> | null } | null> | null };
+export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null> | null };
 
 export type GetAwsStsEndpointsQueryVariables = Exact<{ [key: string]: never; }>;
 
@@ -3975,17 +3882,14 @@ export type GetAwsStsEndpointsQuery = { __typename?: 'Query', awsStsEndpoints?:
 export type GetIdentityProvidersQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type GetIdentityProvidersQuery = { __typename?: 'Query', identityProviders?: Array<{ __typename?: 'IdentityProviderType', id: string, name: string, description: string, iconId: string } | null> | null };
+export type GetIdentityProvidersQuery = { __typename?: 'Query', identityProviders?: Array<{ __typename?: 'IdentityProviderType', id: string, name: string, description: string, iconId: string, supported: boolean } | null> | null };
 
 export type GetOrganisationIdentitiesQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
 }>;
 
 
-export type GetOrganisationIdentitiesQuery = { __typename?: 'Query', identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, createdAt?: any | null, config?:
-      | { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null }
-      | { __typename?: 'AzureEntraConfigType', tenantId?: string | null, resource?: string | null, allowedServicePrincipalIds?: Array<string | null> | null }
-     | null } | null> | null };
+export type GetOrganisationIdentitiesQuery = { __typename?: 'Query', identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, createdAt?: any | null, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null> | null };
 
 export type CheckOrganisationNameAvailabilityQueryVariables = Exact<{
   name: Scalars['String']['input'];
@@ -4179,7 +4083,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4204,11 +4108,6 @@ export type GetServiceAccountsQueryVariables = Exact<{
 
 export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
 
-export type GetOrgSsoProvidersQueryVariables = Exact<{ [key: string]: never; }>;
-
-
-export type GetOrgSsoProvidersQuery = { __typename?: 'Query', serverPublicKey?: string | null, organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, requireSso: boolean, ssoProviders?: Array<{ __typename?: 'OrganisationSSOProviderType', id: string, providerType: ApiOrganisationSsoProviderProviderTypeChoices, name: string, publicConfig?: any | null, enabled: boolean, createdAt: any, updatedAt: any, createdBy?: { __typename?: 'OrganisationMemberType', fullName?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, updatedBy?: { __typename?: 'OrganisationMemberType', fullName?: string | null, avatarUrl?: string | null, self?: boolean | null } | null } | null> | null } | null> | null };
-
 export type GetOrganisationSyncsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
 }>;
@@ -4353,6 +4252,14 @@ export type GetVercelProjectsQueryVariables = Exact<{
 
 export type GetVercelProjectsQuery = { __typename?: 'Query', vercelProjects?: Array<{ __typename?: 'VercelTeamProjectsType', id: string, teamName: string, projects?: Array<{ __typename?: 'VercelProjectType', id: string, name: string, environments?: Array<{ __typename?: 'VercelEnvironmentType', id: string, name: string, slug: string, type?: string | null } | null> | null } | null> | null } | null> | null };
 
+export type GetTeamsQueryVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  teamId?: InputMaybe<Scalars['ID']['input']>;
+}>;
+
+
+export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
+
 export type GetOrganisationMemberDetailQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
   id?: InputMaybe<Scalars['ID']['input']>;
@@ -4381,8 +4288,6 @@ export const BulkAddMembersToAppDocument = {"kind":"Document","definitions":[{"k
 export const RemoveMemberFromAppDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveMemberFromApp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeAppMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveMemberFromAppMutation, RemoveMemberFromAppMutationVariables>;
 export const UpdateAppInfoOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateAppInfoOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateAppInfo"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateAppInfoOpMutation, UpdateAppInfoOpMutationVariables>;
 export const UpdateEnvScopeDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateEnvScope"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envKeys"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"EnvironmentKeyInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberEnvironmentScope"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envKeys"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envKeys"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateEnvScopeMutation, UpdateEnvScopeMutationVariables>;
-export const ChangePasswordDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ChangePassword"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"currentAuthHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newAuthHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"changeAccountPassword"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"currentAuthHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"currentAuthHash"}}},{"kind":"Argument","name":{"kind":"Name","value":"newAuthHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newAuthHash"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<ChangePasswordMutation, ChangePasswordMutationVariables>;
-export const RecoverKeyringDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RecoverKeyring"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"recoverAccountKeyring"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"authHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RecoverKeyringMutation, RecoverKeyringMutationVariables>;
 export const CancelStripeSubscriptionDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CancelStripeSubscription"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"subscriptionId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"cancelSubscription"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"subscriptionId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"subscriptionId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"success"}}]}}]}}]} as unknown as DocumentNode<CancelStripeSubscriptionMutation, CancelStripeSubscriptionMutationVariables>;
 export const CreateStripeSetupIntentOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateStripeSetupIntentOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createSetupIntent"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"clientSecret"}}]}}]}}]} as unknown as DocumentNode<CreateStripeSetupIntentOpMutation, CreateStripeSetupIntentOpMutationVariables>;
 export const DeleteStripePaymentMethodDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteStripePaymentMethod"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"paymentMethodId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deletePaymentMethod"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"paymentMethodId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"paymentMethodId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteStripePaymentMethodMutation, DeleteStripePaymentMethodMutationVariables>;
@@ -4420,16 +4325,16 @@ export const RevokeDynamicSecretLeaseOpDocument = {"kind":"Document","definition
 export const UpdateDynamicSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateDynamicSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"dynamicSecretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"KeyMapInput"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateAwsDynamicSecret"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"dynamicSecretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"dynamicSecretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"authenticationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}},{"kind":"Argument","name":{"kind":"Name","value":"keyMap"},"value":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateDynamicSecretMutation, UpdateDynamicSecretMutationVariables>;
 export const CreateSharedSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSharedSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"input"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"LockboxInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createLockbox"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"input"},"value":{"kind":"Variable","name":{"kind":"Name","value":"input"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lockbox"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"allowedViews"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSharedSecretMutation, CreateSharedSecretMutationVariables>;
 export const UpdateEnvOrderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateEnvOrder"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentOrder"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateEnvironmentOrder"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentOrder"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentOrder"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateEnvOrderMutation, UpdateEnvOrderMutationVariables>;
-export const CreateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"resource"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tenantId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}}},{"kind":"Argument","name":{"kind":"Name","value":"resource"},"value":{"kind":"Variable","name":{"kind":"Name","value":"resource"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateExtIdentityMutation, CreateExtIdentityMutationVariables>;
+export const CreateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateExtIdentityMutation, CreateExtIdentityMutationVariables>;
 export const DeleteExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteExtIdentityMutation, DeleteExtIdentityMutationVariables>;
-export const UpdateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"resource"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tenantId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}}},{"kind":"Argument","name":{"kind":"Name","value":"resource"},"value":{"kind":"Variable","name":{"kind":"Name","value":"resource"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateExtIdentityMutation, UpdateExtIdentityMutationVariables>;
+export const UpdateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateExtIdentityMutation, UpdateExtIdentityMutationVariables>;
 export const AcceptOrganisationInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AcceptOrganisationInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<AcceptOrganisationInviteMutation, AcceptOrganisationInviteMutationVariables>;
 export const BulkInviteMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"BulkInviteMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"invites"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"InviteInput"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"bulkInviteOrganisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"invites"},"value":{"kind":"Variable","name":{"kind":"Name","value":"invites"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"invites"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<BulkInviteMembersMutation, BulkInviteMembersMutationVariables>;
 export const DeleteOrgInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteInvitation"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgInviteMutation, DeleteOrgInviteMutationVariables>;
 export const RemoveMemberDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveMember"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<RemoveMemberMutation, RemoveMemberMutationVariables>;
 export const TransferOrgOwnershipDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TransferOrgOwnership"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"billingEmail"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"transferOrganisationOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"newOwnerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}}},{"kind":"Argument","name":{"kind":"Name","value":"billingEmail"},"value":{"kind":"Variable","name":{"kind":"Name","value":"billingEmail"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<TransferOrgOwnershipMutation, TransferOrgOwnershipMutationVariables>;
 export const UpdateMemberRoleDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateMemberRole"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationMemberRole"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateMemberRoleMutation, UpdateMemberRoleMutationVariables>;
-export const UpdateWrappedSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateWrappedSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateWrappedSecretsMutation, UpdateWrappedSecretsMutationVariables>;
+export const UpdateWrappedSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateWrappedSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateWrappedSecretsMutation, UpdateWrappedSecretsMutationVariables>;
 export const RotateAppKeyDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RotateAppKey"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"rotateAppKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"appToken"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RotateAppKeyMutation, RotateAppKeyMutationVariables>;
 export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
@@ -4439,11 +4344,6 @@ export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitio
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
-export const CreateOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerType"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"JSONString"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"providerType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerType"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"providerId"}}]}}]}}]} as unknown as DocumentNode<CreateOrgSsoProviderMutation, CreateOrgSsoProviderMutationVariables>;
-export const DeleteOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"providerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgSsoProviderMutation, DeleteOrgSsoProviderMutationVariables>;
-export const TestOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TestOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"providerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"success"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<TestOrgSsoProviderMutation, TestOrgSsoProviderMutationVariables>;
-export const UpdateOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"JSONString"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"providerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}},{"kind":"Argument","name":{"kind":"Name","value":"enabled"},"value":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateOrgSsoProviderMutation, UpdateOrgSsoProviderMutationVariables>;
-export const UpdateOrgSecurityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateOrgSecurity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"requireSso"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationSecurity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"requireSso"},"value":{"kind":"Variable","name":{"kind":"Name","value":"requireSso"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}},{"kind":"Field","name":{"kind":"Name","value":"sessionInvalidated"}}]}}]}}]} as unknown as DocumentNode<UpdateOrgSecurityMutation, UpdateOrgSecurityMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewAzureKeyVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAzureKeyVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAzureKeyVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultUri"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}}},{"kind":"Argument","name":{"kind":"Name","value":"syncMode"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAzureKeyVaultSyncMutation, CreateNewAzureKeyVaultSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
@@ -4464,6 +4364,14 @@ export const UpdateProviderCredsDocument = {"kind":"Document","definitions":[{"k
 export const UpdateSyncAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateSyncAuth"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateSyncAuthentication"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"syncId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncId"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateSyncAuthMutation, UpdateSyncAuthMutationVariables>;
 export const CreateNewVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"engine"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultPath"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"engine"},"value":{"kind":"Variable","name":{"kind":"Name","value":"engine"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultPath"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultPath"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewVaultSyncMutation, CreateNewVaultSyncMutationVariables>;
 export const CreateNewVercelSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewVercelSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretType"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createVercelSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamName"}}},{"kind":"Argument","name":{"kind":"Name","value":"environment"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewVercelSyncMutation, CreateNewVercelSyncMutationVariables>;
+export const AddTeamAppsOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AddTeamAppsOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appEnvs"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"AppEnvironmentInput"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"addTeamApps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appEnvs"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appEnvs"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<AddTeamAppsOpMutation, AddTeamAppsOpMutationVariables>;
+export const AddTeamMembersOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AddTeamMembersOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberIds"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"addTeamMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberIds"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<AddTeamMembersOpMutation, AddTeamMembersOpMutationVariables>;
+export const CreateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<CreateTeamOpMutation, CreateTeamOpMutationVariables>;
+export const DeleteTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteTeamOpMutation, DeleteTeamOpMutationVariables>;
+export const RemoveTeamAppOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamAppOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamApp"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamAppOpMutation, RemoveTeamAppOpMutationVariables>;
+export const RemoveTeamMemberOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamMemberOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamMemberOpMutation, RemoveTeamMemberOpMutationVariables>;
+export const UpdateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamOpMutation, UpdateTeamOpMutationVariables>;
+export const UpdateTeamAppEnvironmentsOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamAppEnvironmentsOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeamAppEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamAppEnvironmentsOpMutation, UpdateTeamAppEnvironmentsOpMutationVariables>;
 export const CreateNewUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<CreateNewUserTokenMutation, CreateNewUserTokenMutationVariables>;
 export const RevokeUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RevokeUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<RevokeUserTokenMutation, RevokeUserTokenMutationVariables>;
 export const GetIpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIP"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"clientIp"}}]}}]} as unknown as DocumentNode<GetIpQuery, GetIpQueryVariables>;
@@ -4471,7 +4379,6 @@ export const GetNetworkPoliciesDocument = {"kind":"Document","definitions":[{"ki
 export const GetAppAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appServiceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppAccountsQuery, GetAppAccountsQueryVariables>;
 export const GetAppMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppMembersQuery, GetAppMembersQueryVariables>;
 export const GetAppServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appServiceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppServiceAccountsQuery, GetAppServiceAccountsQueryVariables>;
-export const VerifyPasswordDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyPassword"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"verifyPassword"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"authHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}}}]}]}}]} as unknown as DocumentNode<VerifyPasswordQuery, VerifyPasswordQueryVariables>;
 export const GetCheckoutDetailsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetCheckoutDetails"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stripeSessionId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"stripeCheckoutDetails"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"stripeSessionId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stripeSessionId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"paymentStatus"}},{"kind":"Field","name":{"kind":"Name","value":"customerEmail"}},{"kind":"Field","name":{"kind":"Name","value":"billingStartDate"}},{"kind":"Field","name":{"kind":"Name","value":"billingEndDate"}},{"kind":"Field","name":{"kind":"Name","value":"subscriptionId"}},{"kind":"Field","name":{"kind":"Name","value":"planName"}}]}}]}}]} as unknown as DocumentNode<GetCheckoutDetailsQuery, GetCheckoutDetailsQueryVariables>;
 export const GetCustomerPortalLinkDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetCustomerPortalLink"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"stripeCustomerPortalUrl"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}]}]}}]} as unknown as DocumentNode<GetCustomerPortalLinkQuery, GetCustomerPortalLinkQueryVariables>;
 export const GetSubscriptionDetailsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSubscriptionDetails"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"stripeSubscriptionDetails"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"subscriptionId"}},{"kind":"Field","name":{"kind":"Name","value":"planName"}},{"kind":"Field","name":{"kind":"Name","value":"planType"}},{"kind":"Field","name":{"kind":"Name","value":"billingPeriod"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"nextPaymentAmount"}},{"kind":"Field","name":{"kind":"Name","value":"currentPeriodStart"}},{"kind":"Field","name":{"kind":"Name","value":"currentPeriodEnd"}},{"kind":"Field","name":{"kind":"Name","value":"renewalDate"}},{"kind":"Field","name":{"kind":"Name","value":"cancelAt"}},{"kind":"Field","name":{"kind":"Name","value":"cancelAtPeriodEnd"}},{"kind":"Field","name":{"kind":"Name","value":"paymentMethods"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"brand"}},{"kind":"Field","name":{"kind":"Name","value":"last4"}},{"kind":"Field","name":{"kind":"Name","value":"expMonth"}},{"kind":"Field","name":{"kind":"Name","value":"expYear"}},{"kind":"Field","name":{"kind":"Name","value":"isDefault"}}]}}]}}]}}]} as unknown as DocumentNode<GetSubscriptionDetailsQuery, GetSubscriptionDetailsQueryVariables>;
@@ -4481,10 +4388,10 @@ export const GetAppDetailDocument = {"kind":"Document","definitions":[{"kind":"O
 export const GetAppKmsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppKmsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"kmsLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"phaseNode"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"country"}},{"kind":"Field","name":{"kind":"Name","value":"city"}},{"kind":"Field","name":{"kind":"Name","value":"phSize"}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}}]}}]} as unknown as DocumentNode<GetAppKmsLogsQuery, GetAppKmsLogsQueryVariables>;
 export const GetAppsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetApps"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetAppsQuery, GetAppsQueryVariables>;
 export const GetDashboardDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDashboard"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]} as unknown as DocumentNode<GetDashboardQuery, GetDashboardQueryVariables>;
-export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}},{"kind":"Field","name":{"kind":"Name","value":"requireSso"}},{"kind":"Field","name":{"kind":"Name","value":"ssoProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"providerType"}},{"kind":"Field","name":{"kind":"Name","value":"enabled"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
+export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
 export const GetAwsStsEndpointsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsStsEndpoints"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsStsEndpoints"}}]}}]} as unknown as DocumentNode<GetAwsStsEndpointsQuery, GetAwsStsEndpointsQueryVariables>;
-export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
-export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
+export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}},{"kind":"Field","name":{"kind":"Name","value":"supported"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
+export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
 export const CheckOrganisationNameAvailabilityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"CheckOrganisationNameAvailability"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationNameAvailable"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}]}]}}]} as unknown as DocumentNode<CheckOrganisationNameAvailabilityQuery, CheckOrganisationNameAvailabilityQueryVariables>;
 export const GetGlobalAccessUsersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetGlobalAccessUsers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationGlobalAccessUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetGlobalAccessUsersQuery, GetGlobalAccessUsersQueryVariables>;
 export const GetInvitesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetInvites"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetInvitesQuery, GetInvitesQueryVariables>;
@@ -4509,11 +4416,10 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"type"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
-export const GetOrgSsoProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrgSSOProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"requireSso"}},{"kind":"Field","name":{"kind":"Name","value":"ssoProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"providerType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"publicConfig"}},{"kind":"Field","name":{"kind":"Name","value":"enabled"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetOrgSsoProvidersQuery, GetOrgSsoProvidersQueryVariables>;
 export const GetOrganisationSyncsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationSyncs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"completedAt"}},{"kind":"Field","name":{"kind":"Name","value":"meta"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expectedCredentials"}},{"kind":"Field","name":{"kind":"Name","value":"optionalCredentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationSyncsQuery, GetOrganisationSyncsQueryVariables>;
 export const GetAwsSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"arn"}}]}}]}}]} as unknown as DocumentNode<GetAwsSecretsQuery, GetAwsSecretsQueryVariables>;
 export const ValidateAwsAssumeRoleAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"ValidateAWSAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateAwsAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"valid"}},{"kind":"Field","name":{"kind":"Name","value":"message"}},{"kind":"Field","name":{"kind":"Name","value":"method"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<ValidateAwsAssumeRoleAuthQuery, ValidateAwsAssumeRoleAuthQueryVariables>;
@@ -4535,5 +4441,6 @@ export const GetRailwayProjectsDocument = {"kind":"Document","definitions":[{"ki
 export const GetRenderResourcesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRenderResources"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renderServices"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}},{"kind":"Field","name":{"kind":"Name","value":"renderEnvgroups"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]} as unknown as DocumentNode<GetRenderResourcesQuery, GetRenderResourcesQueryVariables>;
 export const TestVaultAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"TestVaultAuth"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testVaultCreds"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}]}]}}]} as unknown as DocumentNode<TestVaultAuthQuery, TestVaultAuthQueryVariables>;
 export const GetVercelProjectsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetVercelProjects"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"vercelProjects"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"teamName"}},{"kind":"Field","name":{"kind":"Name","value":"projects"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"slug"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetVercelProjectsQuery, GetVercelProjectsQueryVariables>;
+export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
 export const GetOrganisationMemberDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMemberDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMemberDetailQuery, GetOrganisationMemberDetailQueryVariables>;
 export const GetUserTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetUserTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyShare"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]} as unknown as DocumentNode<GetUserTokensQuery, GetUserTokensQueryVariables>;
\ No newline at end of file
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 831f3fd45..a6f8aaf57 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -4,8 +4,8 @@ type Query {
   roles(orgId: ID): [RoleType]
   networkAccessPolicies(organisationId: ID): [NetworkAccessPolicyType]
   identities(organisationId: ID): [IdentityType]
+  teams(organisationId: ID, teamId: ID): [TeamType]
   organisationNameAvailable(name: String): Boolean
-  verifyPassword(authHash: String!): Boolean
   license: PhaseLicenseType
   organisationLicense(organisationId: ID): ActivatedPhaseLicenseType
   organisationPlan(organisationId: ID): OrganisationPlanType
@@ -72,13 +72,11 @@ type OrganisationType {
   createdAt: DateTime
   plan: ApiOrganisationPlanChoices!
   pricingVersion: Int!
-  requireSso: Boolean!
   role: RoleType
   memberId: ID
   keyring: String
   recovery: String
   planDetail: OrganisationPlanType
-  ssoProviders: [OrganisationSSOProviderType]
 }
 
 """
@@ -133,25 +131,23 @@ type SeatsUsed {
   total: Int
 }
 
-type OrganisationSSOProviderType {
+type NetworkAccessPolicyType {
   id: String!
-  providerType: ApiOrganisationSSOProviderProviderTypeChoices!
   name: String!
-  enabled: Boolean!
+  organisation: OrganisationType!
+
+  """
+  Comma-separated list of IP addresses or CIDR ranges (e.g. 192.168.1.1, 10.0.0.0/24)
+  """
+  allowedIps: String!
+  isGlobal: Boolean!
   createdAt: DateTime!
-  updatedAt: DateTime!
-  publicConfig: JSONString
   createdBy: OrganisationMemberType
+  updatedAt: DateTime!
   updatedBy: OrganisationMemberType
-}
-
-"""An enumeration."""
-enum ApiOrganisationSSOProviderProviderTypeChoices {
-  """Microsoft Entra ID"""
-  ENTRA_ID
-
-  """Okta"""
-  OKTA
+  members: [OrganisationMemberType!]!
+  serviceAccounts: [ServiceAccountType!]
+  organisationMembers: [OrganisationMemberType!]
 }
 
 type OrganisationMemberType {
@@ -347,25 +343,6 @@ type ServiceAccountTokenType {
   lastUsed: DateTime
 }
 
-type NetworkAccessPolicyType {
-  id: String!
-  name: String!
-  organisation: OrganisationType!
-
-  """
-  Comma-separated list of IP addresses or CIDR ranges (e.g. 192.168.1.1, 10.0.0.0/24)
-  """
-  allowedIps: String!
-  isGlobal: Boolean!
-  createdAt: DateTime!
-  createdBy: OrganisationMemberType
-  updatedAt: DateTime!
-  updatedBy: OrganisationMemberType
-  members: [OrganisationMemberType!]!
-  serviceAccounts: [ServiceAccountType!]
-  organisationMembers: [OrganisationMemberType!]
-}
-
 type IdentityType {
   id: String!
   organisation: OrganisationType!
@@ -382,7 +359,7 @@ type IdentityType {
   serviceAccounts: [ServiceAccountType!]!
 }
 
-union IdentityConfigUnion = AwsIamConfigType | AzureEntraConfigType
+union IdentityConfigUnion = AwsIamConfigType
 
 type AwsIamConfigType {
   trustedPrincipals: [String]
@@ -390,12 +367,6 @@ type AwsIamConfigType {
   stsEndpoint: String
 }
 
-type AzureEntraConfigType {
-  tenantId: String
-  resource: String
-  allowedServicePrincipalIds: [String]
-}
-
 """An enumeration."""
 enum ApiSecretEventTypeChoices {
   """Secret"""
@@ -654,6 +625,56 @@ type UserTokenType {
   createdBy: OrganisationMemberType
 }
 
+type TeamType {
+  id: String!
+  name: String!
+  description: String
+  memberRole: RoleType
+  serviceAccountRole: RoleType
+  isScimManaged: Boolean!
+  createdBy: OrganisationMemberType
+  createdAt: DateTime
+  updatedAt: DateTime!
+  members: [TeamMembershipType!]
+  apps: [AppType!]
+  appEnvironments: [TeamAppEnvironmentType!]
+  memberCount: Int
+}
+
+type TeamMembershipType {
+  id: String!
+  orgMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  createdAt: DateTime
+  email: String
+  fullName: String
+  avatarUrl: String
+}
+
+type AppType {
+  id: String!
+  name: String!
+  description: String
+  identityKey: String!
+  appVersion: Int!
+  appToken: String!
+  appSeed: String!
+  wrappedKeyShare: String!
+  createdAt: DateTime
+  updatedAt: DateTime!
+  sseEnabled: Boolean!
+  serviceAccounts: [ServiceAccountType]!
+  environments: [EnvironmentType]!
+  members: [OrganisationMemberType]!
+}
+
+type TeamAppEnvironmentType {
+  id: String!
+  app: AppMembershipType!
+  environment: EnvironmentType!
+  createdAt: DateTime
+}
+
 type PhaseLicenseType {
   id: String
   customerName: String
@@ -725,23 +746,6 @@ type OrganisationMemberInviteType {
   expiresAt: DateTime!
 }
 
-type AppType {
-  id: String!
-  name: String!
-  description: String
-  identityKey: String!
-  appVersion: Int!
-  appToken: String!
-  appSeed: String!
-  wrappedKeyShare: String!
-  createdAt: DateTime
-  updatedAt: DateTime!
-  sseEnabled: Boolean!
-  serviceAccounts: [ServiceAccountType]!
-  environments: [EnvironmentType]!
-  members: [OrganisationMemberType]!
-}
-
 type KMSLogsResponseType {
   logs: [KMSLogType]
   count: Int
@@ -827,6 +831,7 @@ type IdentityProviderType {
   name: String!
   description: String!
   iconId: String!
+  supported: Boolean!
 }
 
 type CloudFlarePagesType {
@@ -1049,62 +1054,7 @@ type Mutation {
   The new owner must have global access (Admin role) to ensure they have all necessary keys.
   """
   transferOrganisationOwnership(billingEmail: String, newOwnerId: ID!, organisationId: ID!): TransferOrganisationOwnershipMutation
-
-  """
-  Re-wrap THIS org's keyring after the caller proves they hold the
-  recovery mnemonic. Used by SSO recovery (where there's no login
-  password to verify against, so identity is proven via the mnemonic
-  alone).
-  
-  Requires identity_key matching the org's stored identity_key — proves
-  the caller derived the keyring from the right mnemonic. Without this
-  proof, an authenticated user (or session-cookie holder) could
-  overwrite their own wrapped_keyring with arbitrary garbage and lock
-  themselves out of the org permanently.
-  """
-  updateMemberWrappedSecrets(identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
-
-  """
-  Rewrap THIS org's keyring with a deviceKey derived from the user's
-  account password. Used by the recovery flow when the local keyring
-  has been lost (cleared cache, new device) but the user still
-  remembers their password.
-  
-  Two server-side proofs are required:
-    1. identity_key matches the org's stored identity_key — proves the
-       caller derived the keyring from the right mnemonic.
-    2. auth_hash matches user.password — proves the password the user
-       is wrapping the keyring with is also their account login auth.
-  
-  The mutation does NOT change user.password. The auth_hash check is a
-  guardrail to keep auth and wrap passwords unified; if it fails, the
-  user is trying to wrap the keyring with a password that doesn't
-  authenticate them, which we never persist.
-  """
-  recoverAccountKeyring(authHash: String!, identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): RecoverAccountKeyringMutation
-
-  """
-  Rotate the user's account password and rewrap the active org's
-  keyring with the new deviceKey. Used by the in-session change-password
-  dialog where the user supplies their current password, a new password,
-  and the org's recovery mnemonic.
-  
-  Three server-side proofs are required:
-    1. current_auth_hash matches user.password — proves the caller
-       knows the current login password.
-    2. identity_key matches the org's stored identity_key — proves the
-       caller derived the keyring from the right mnemonic.
-    3. user is a member of the org.
-  
-  On success: user.password is set to new_auth_hash, the org's
-  wrapped_keyring + wrapped_recovery are replaced, and the session is
-  refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-  
-  Only the active org's keyring is rewrapped. Other orgs the user
-  belongs to remain encrypted with the old deviceKey; they'll fall
-  through to per-org recovery on next access.
-  """
-  changeAccountPassword(currentAuthHash: String!, identityKey: String!, newAuthHash: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): ChangeAccountPasswordMutation
+  updateMemberWrappedSecrets(identityKey: String, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
   createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
@@ -1127,14 +1077,17 @@ type Mutation {
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
   updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
-  createIdentity(defaultTtlSeconds: Int!, description: String, maxTtlSeconds: Int!, name: String!, organisationId: ID!, provider: String!, resource: String, signatureTtlSeconds: Int, stsEndpoint: String, tenantId: String, tokenNamePattern: String, trustedPrincipals: String!): CreateIdentityMutation
-  updateIdentity(defaultTtlSeconds: Int, description: String, id: ID!, maxTtlSeconds: Int, name: String, resource: String, signatureTtlSeconds: Int, stsEndpoint: String, tenantId: String, tokenNamePattern: String, trustedPrincipals: String): UpdateIdentityMutation
+  createIdentity(defaultTtlSeconds: Int!, description: String, maxTtlSeconds: Int!, name: String!, organisationId: ID!, provider: String!, signatureTtlSeconds: Int, stsEndpoint: String, tokenNamePattern: String, trustedPrincipals: String!): CreateIdentityMutation
+  updateIdentity(defaultTtlSeconds: Int, description: String, id: ID!, maxTtlSeconds: Int, name: String, signatureTtlSeconds: Int, stsEndpoint: String, tokenNamePattern: String, trustedPrincipals: String): UpdateIdentityMutation
   deleteIdentity(id: ID!): DeleteIdentityMutation
-  createOrganisationSsoProvider(config: JSONString!, name: String!, orgId: ID!, providerType: String!): CreateOrganisationSSOProviderMutation
-  updateOrganisationSsoProvider(config: JSONString, enabled: Boolean, name: String, providerId: ID!): UpdateOrganisationSSOProviderMutation
-  deleteOrganisationSsoProvider(providerId: ID!): DeleteOrganisationSSOProviderMutation
-  testOrganisationSsoProvider(providerId: ID!): TestOrganisationSSOProviderMutation
-  updateOrganisationSecurity(orgId: ID!, requireSso: Boolean!): UpdateOrganisationSecurityMutation
+  createTeam(description: String, memberRoleId: ID, name: String!, organisationId: ID!, serviceAccountRoleId: ID): CreateTeamMutation
+  updateTeam(description: String, memberRoleId: ID, name: String, serviceAccountRoleId: ID, teamId: ID!): UpdateTeamMutation
+  deleteTeam(teamId: ID!): DeleteTeamMutation
+  addTeamMembers(memberIds: [ID!]!, memberType: MemberType = USER, teamId: ID!): AddTeamMembersMutation
+  removeTeamMember(memberId: ID!, memberType: MemberType = USER, teamId: ID!): RemoveTeamMemberMutation
+  addTeamApps(appEnvs: [AppEnvironmentInput!]!, teamId: ID!): AddTeamAppsMutation
+  removeTeamApp(appId: ID!, teamId: ID!): RemoveTeamAppMutation
+  updateTeamAppEnvironments(appId: ID!, envIds: [ID!]!, teamId: ID!): UpdateTeamAppEnvironmentsMutation
   createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
   enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
   enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
@@ -1235,68 +1188,10 @@ type TransferOrganisationOwnershipMutation {
   ok: Boolean
 }
 
-"""
-Re-wrap THIS org's keyring after the caller proves they hold the
-recovery mnemonic. Used by SSO recovery (where there's no login
-password to verify against, so identity is proven via the mnemonic
-alone).
-
-Requires identity_key matching the org's stored identity_key — proves
-the caller derived the keyring from the right mnemonic. Without this
-proof, an authenticated user (or session-cookie holder) could
-overwrite their own wrapped_keyring with arbitrary garbage and lock
-themselves out of the org permanently.
-"""
 type UpdateUserWrappedSecretsMutation {
   orgMember: OrganisationMemberType
 }
 
-"""
-Rewrap THIS org's keyring with a deviceKey derived from the user's
-account password. Used by the recovery flow when the local keyring
-has been lost (cleared cache, new device) but the user still
-remembers their password.
-
-Two server-side proofs are required:
-  1. identity_key matches the org's stored identity_key — proves the
-     caller derived the keyring from the right mnemonic.
-  2. auth_hash matches user.password — proves the password the user
-     is wrapping the keyring with is also their account login auth.
-
-The mutation does NOT change user.password. The auth_hash check is a
-guardrail to keep auth and wrap passwords unified; if it fails, the
-user is trying to wrap the keyring with a password that doesn't
-authenticate them, which we never persist.
-"""
-type RecoverAccountKeyringMutation {
-  orgMember: OrganisationMemberType
-}
-
-"""
-Rotate the user's account password and rewrap the active org's
-keyring with the new deviceKey. Used by the in-session change-password
-dialog where the user supplies their current password, a new password,
-and the org's recovery mnemonic.
-
-Three server-side proofs are required:
-  1. current_auth_hash matches user.password — proves the caller
-     knows the current login password.
-  2. identity_key matches the org's stored identity_key — proves the
-     caller derived the keyring from the right mnemonic.
-  3. user is a member of the org.
-
-On success: user.password is set to new_auth_hash, the org's
-wrapped_keyring + wrapped_recovery are replaced, and the session is
-refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-
-Only the active org's keyring is rewrapped. Other orgs the user
-belongs to remain encrypted with the old deviceKey; they'll fall
-through to per-org recovery on next access.
-"""
-type ChangeAccountPasswordMutation {
-  orgMember: OrganisationMemberType
-}
-
 type DeleteInviteMutation {
   ok: Boolean
 }
@@ -1438,26 +1333,41 @@ type DeleteIdentityMutation {
   ok: Boolean
 }
 
-type CreateOrganisationSSOProviderMutation {
-  providerId: ID
+type CreateTeamMutation {
+  team: TeamType
 }
 
-type UpdateOrganisationSSOProviderMutation {
-  ok: Boolean
+type UpdateTeamMutation {
+  team: TeamType
 }
 
-type DeleteOrganisationSSOProviderMutation {
+type DeleteTeamMutation {
   ok: Boolean
 }
 
-type TestOrganisationSSOProviderMutation {
-  success: Boolean
-  error: String
+type AddTeamMembersMutation {
+  team: TeamType
 }
 
-type UpdateOrganisationSecurityMutation {
-  ok: Boolean
-  sessionInvalidated: Boolean
+type RemoveTeamMemberMutation {
+  team: TeamType
+}
+
+type AddTeamAppsMutation {
+  team: TeamType
+}
+
+input AppEnvironmentInput {
+  appId: ID!
+  envIds: [ID!]!
+}
+
+type RemoveTeamAppMutation {
+  team: TeamType
+}
+
+type UpdateTeamAppEnvironmentsMutation {
+  team: TeamType
 }
 
 type CreateServiceAccountMutation {
diff --git a/frontend/graphql/mutations/teams/addTeamApps.gql b/frontend/graphql/mutations/teams/addTeamApps.gql
new file mode 100644
index 000000000..b46f18f5b
--- /dev/null
+++ b/frontend/graphql/mutations/teams/addTeamApps.gql
@@ -0,0 +1,7 @@
+mutation AddTeamAppsOp($teamId: ID!, $appEnvs: [AppEnvironmentInput!]!) {
+  addTeamApps(teamId: $teamId, appEnvs: $appEnvs) {
+    team {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/teams/addTeamMembers.gql b/frontend/graphql/mutations/teams/addTeamMembers.gql
new file mode 100644
index 000000000..d0cbbbc3a
--- /dev/null
+++ b/frontend/graphql/mutations/teams/addTeamMembers.gql
@@ -0,0 +1,7 @@
+mutation AddTeamMembersOp($teamId: ID!, $memberIds: [ID!]!, $memberType: MemberType) {
+  addTeamMembers(teamId: $teamId, memberIds: $memberIds, memberType: $memberType) {
+    team {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/teams/createTeam.gql b/frontend/graphql/mutations/teams/createTeam.gql
new file mode 100644
index 000000000..7c1e1d051
--- /dev/null
+++ b/frontend/graphql/mutations/teams/createTeam.gql
@@ -0,0 +1,20 @@
+mutation CreateTeamOp(
+  $organisationId: ID!
+  $name: String!
+  $description: String
+  $memberRoleId: ID
+  $serviceAccountRoleId: ID
+) {
+  createTeam(
+    organisationId: $organisationId
+    name: $name
+    description: $description
+    memberRoleId: $memberRoleId
+    serviceAccountRoleId: $serviceAccountRoleId
+  ) {
+    team {
+      id
+      name
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/teams/deleteTeam.gql b/frontend/graphql/mutations/teams/deleteTeam.gql
new file mode 100644
index 000000000..120122120
--- /dev/null
+++ b/frontend/graphql/mutations/teams/deleteTeam.gql
@@ -0,0 +1,5 @@
+mutation DeleteTeamOp($teamId: ID!) {
+  deleteTeam(teamId: $teamId) {
+    ok
+  }
+}
diff --git a/frontend/graphql/mutations/teams/removeTeamApp.gql b/frontend/graphql/mutations/teams/removeTeamApp.gql
new file mode 100644
index 000000000..08c5a31a6
--- /dev/null
+++ b/frontend/graphql/mutations/teams/removeTeamApp.gql
@@ -0,0 +1,7 @@
+mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {
+  removeTeamApp(teamId: $teamId, appId: $appId) {
+    team {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/teams/removeTeamMember.gql b/frontend/graphql/mutations/teams/removeTeamMember.gql
new file mode 100644
index 000000000..af6dd2fda
--- /dev/null
+++ b/frontend/graphql/mutations/teams/removeTeamMember.gql
@@ -0,0 +1,7 @@
+mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {
+  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {
+    team {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/teams/updateTeam.gql b/frontend/graphql/mutations/teams/updateTeam.gql
new file mode 100644
index 000000000..a103737f6
--- /dev/null
+++ b/frontend/graphql/mutations/teams/updateTeam.gql
@@ -0,0 +1,20 @@
+mutation UpdateTeamOp(
+  $teamId: ID!
+  $name: String
+  $description: String
+  $memberRoleId: ID
+  $serviceAccountRoleId: ID
+) {
+  updateTeam(
+    teamId: $teamId
+    name: $name
+    description: $description
+    memberRoleId: $memberRoleId
+    serviceAccountRoleId: $serviceAccountRoleId
+  ) {
+    team {
+      id
+      name
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/teams/updateTeamAppEnvironments.gql b/frontend/graphql/mutations/teams/updateTeamAppEnvironments.gql
new file mode 100644
index 000000000..45e3bffa6
--- /dev/null
+++ b/frontend/graphql/mutations/teams/updateTeamAppEnvironments.gql
@@ -0,0 +1,7 @@
+mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {
+  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {
+    team {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/queries/teams/getTeams.gql b/frontend/graphql/queries/teams/getTeams.gql
new file mode 100644
index 000000000..d8cd06e24
--- /dev/null
+++ b/frontend/graphql/queries/teams/getTeams.gql
@@ -0,0 +1,78 @@
+query GetTeams($organisationId: ID!, $teamId: ID) {
+  teams(organisationId: $organisationId, teamId: $teamId) {
+    id
+    name
+    description
+    memberRole {
+      id
+      name
+      description
+      color
+      permissions
+    }
+    serviceAccountRole {
+      id
+      name
+      description
+      color
+      permissions
+    }
+    isScimManaged
+    createdBy {
+      id
+      fullName
+      email
+      avatarUrl
+    }
+    createdAt
+    updatedAt
+    memberCount
+    members {
+      id
+      orgMember {
+        id
+        identityKey
+        role {
+          id
+          name
+          description
+          color
+          permissions
+        }
+      }
+      serviceAccount {
+        id
+        name
+        role {
+          id
+          name
+          description
+          color
+          permissions
+        }
+      }
+      email
+      fullName
+      avatarUrl
+      createdAt
+    }
+    apps {
+      id
+      name
+      sseEnabled
+    }
+    appEnvironments {
+      id
+      app {
+        id
+        name
+      }
+      environment {
+        id
+        name
+        envType
+      }
+      createdAt
+    }
+  }
+}

From 7f9bac16d016e8107629c20ebc11726230fa3c6a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:39 +0530
Subject: [PATCH 007/118] feat: add org-level teams list and detail pages with
 CRUD dialogs

---
 .../_components/AddTeamAppsDialog.tsx         | 271 +++++++++++++
 .../_components/AddTeamMembersDialog.tsx      | 325 +++++++++++++++
 .../_components/RemoveTeamMemberDialog.tsx    |  73 ++++
 .../[teamId]/_components/UpdateTeamDialog.tsx | 205 ++++++++++
 .../app/[team]/access/teams/[teamId]/page.tsx | 370 ++++++++++++++++++
 .../teams/_components/CreateTeamDialog.tsx    | 204 ++++++++++
 .../teams/_components/DeleteTeamDialog.tsx    |  86 ++++
 frontend/app/[team]/access/teams/page.tsx     | 323 +++++++++++++++
 8 files changed, 1857 insertions(+)
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamMemberDialog.tsx
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/page.tsx
 create mode 100644 frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
 create mode 100644 frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx
 create mode 100644 frontend/app/[team]/access/teams/page.tsx

diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
new file mode 100644
index 000000000..9f7bc2dc1
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
@@ -0,0 +1,271 @@
+'use client'
+
+import { AppType, TeamType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetApps } from '@/graphql/queries/getApps.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { AddTeamAppsOp } from '@/graphql/mutations/teams/addTeamApps.gql'
+import { useMutation, useQuery } from '@apollo/client'
+import { useContext, useRef, useState } from 'react'
+import { useParams } from 'next/navigation'
+import Link from 'next/link'
+import { FaExclamationTriangle, FaSearch, FaTimesCircle, FaChevronDown } from 'react-icons/fa'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+import { Disclosure } from '@headlessui/react'
+import { FaCubes } from 'react-icons/fa6'
+
+export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const params = useParams<{ team: string }>()
+
+  const { data: appsData } = useQuery(GetApps, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation,
+  })
+
+  const [addApps, { loading }] = useMutation(AddTeamAppsOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+  const [selectedEnvs, setSelectedEnvs] = useState<Record<string, Set<string>>>({})
+  const [searchQuery, setSearchQuery] = useState('')
+
+  const existingAppIds = new Set(team.apps?.map((a) => a!.id) || [])
+
+  const allApps: AppType[] =
+    appsData?.apps?.filter((app: AppType) => !existingAppIds.has(app.id)) || []
+
+  const sseApps = allApps.filter((app) => app.sseEnabled)
+  const nonSseApps = allApps.filter((app) => !app.sseEnabled)
+
+  const filteredSseApps =
+    searchQuery !== ''
+      ? sseApps.filter((app) => app.name?.toLowerCase().includes(searchQuery.toLowerCase()))
+      : sseApps
+
+  const filteredNonSseApps =
+    searchQuery !== ''
+      ? nonSseApps.filter((app) => app.name?.toLowerCase().includes(searchQuery.toLowerCase()))
+      : nonSseApps
+
+  const toggleEnv = (appId: string, envId: string) => {
+    setSelectedEnvs((prev) => {
+      const next = { ...prev }
+      if (!next[appId]) next[appId] = new Set()
+      else next[appId] = new Set(next[appId])
+
+      if (next[appId].has(envId)) next[appId].delete(envId)
+      else next[appId].add(envId)
+
+      if (next[appId].size === 0) delete next[appId]
+      return next
+    })
+  }
+
+  const toggleAllEnvs = (appId: string, envIds: string[]) => {
+    setSelectedEnvs((prev) => {
+      const next = { ...prev }
+      const current = next[appId] || new Set()
+      const allSelected = envIds.every((id) => current.has(id))
+
+      if (allSelected) {
+        delete next[appId]
+      } else {
+        next[appId] = new Set(envIds)
+      }
+      return next
+    })
+  }
+
+  const selectedCount = Object.keys(selectedEnvs).length
+
+  const handleSubmit = async () => {
+    if (selectedCount === 0) return
+    try {
+      const appEnvs = Object.entries(selectedEnvs).map(([appId, envIds]) => ({
+        appId,
+        envIds: Array.from(envIds),
+      }))
+      await addApps({
+        variables: {
+          teamId: team.id,
+          appEnvs,
+        },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id, teamId: team.id },
+          },
+        ],
+      })
+      toast.success(`Granted access to ${selectedCount} app${selectedCount !== 1 ? 's' : ''}`)
+      reset()
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  const reset = () => {
+    setSelectedEnvs({})
+    setSearchQuery('')
+  }
+
+  return (
+    <GenericDialog
+      title="Manage app access"
+      buttonContent={
+        <>
+          <FaCubes /> Manage app Access
+        </>
+      }
+      buttonVariant="primary"
+      ref={dialogRef}
+      size="lg"
+      onClose={reset}
+    >
+      <div className="space-y-3 pt-4">
+        <p className="text-2xs text-neutral-500">
+          Grant this team access to apps and environments. Only SSE-enabled apps can be assigned to
+          teams.
+        </p>
+
+        <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
+          <FaSearch className="text-neutral-500 text-xs shrink-0" />
+          <input
+            placeholder="Search apps"
+            className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
+            value={searchQuery}
+            onChange={(e) => setSearchQuery(e.target.value)}
+          />
+          <FaTimesCircle
+            className={clsx(
+              'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2 text-xs',
+              searchQuery ? 'opacity-100' : 'opacity-0'
+            )}
+            role="button"
+            onClick={() => setSearchQuery('')}
+          />
+        </div>
+
+        {filteredSseApps.length === 0 && filteredNonSseApps.length === 0 ? (
+          <p className="text-xs text-neutral-500 text-center py-4">
+            {searchQuery
+              ? 'No apps match your search'
+              : 'No available apps. All SSE-enabled apps are already assigned to this team.'}
+          </p>
+        ) : (
+          <div className="max-h-[80vh] overflow-y-auto space-y-1.5">
+            {filteredSseApps.map((app: AppType) => {
+              const envIds = app.environments?.filter(Boolean).map((e) => e!.id) || []
+              const appSelected = selectedEnvs[app.id]
+              const allEnvsSelected = appSelected && envIds.every((id) => appSelected.has(id))
+
+              return (
+                <Disclosure key={app.id}>
+                  {({ open }) => (
+                    <div className="border border-zinc-500/20 rounded-lg overflow-hidden">
+                      <Disclosure.Button className="w-full flex items-center justify-between px-3 py-2 hover:bg-zinc-100 dark:hover:bg-zinc-800">
+                        <div className="flex items-center gap-2">
+                          <span className="font-medium text-xs text-zinc-900 dark:text-zinc-100">{app.name}</span>
+                          {appSelected && (
+                            <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
+                              {appSelected.size} env{appSelected.size !== 1 ? 's' : ''}
+                            </span>
+                          )}
+                        </div>
+                        <FaChevronDown
+                          className={clsx(
+                            'text-neutral-500 text-2xs transition-transform',
+                            open && 'rotate-180'
+                          )}
+                        />
+                      </Disclosure.Button>
+                      <Disclosure.Panel className="px-3 pb-2 border-t border-zinc-500/20">
+                        <div
+                          className="flex items-center justify-between py-2 cursor-pointer"
+                          onClick={() => toggleAllEnvs(app.id, envIds)}
+                        >
+                          <span className="text-2xs text-neutral-500">All environments</span>
+                          <ToggleSwitch
+                            size="sm"
+                            value={!!allEnvsSelected}
+                            onToggle={() => toggleAllEnvs(app.id, envIds)}
+                          />
+                        </div>
+                        <div className="flex flex-wrap gap-1.5">
+                          {app.environments?.map((env) => {
+                            if (!env) return null
+                            const isSelected = !!appSelected?.has(env.id)
+                            return (
+                              <div
+                                key={env.id}
+                                className={clsx(
+                                  'flex items-center gap-1.5 py-1 px-2 cursor-pointer rounded-full border transition',
+                                  isSelected
+                                    ? 'border-emerald-500/40 bg-emerald-500/10'
+                                    : 'border-zinc-500/20 hover:border-zinc-500/40'
+                                )}
+                                onClick={() => toggleEnv(app.id, env.id)}
+                              >
+                                <span className="text-2xs text-zinc-900 dark:text-zinc-100">{env.name}</span>
+                                <ToggleSwitch
+                                  size="sm"
+                                  value={isSelected}
+                                  onToggle={() => toggleEnv(app.id, env.id)}
+                                />
+                              </div>
+                            )
+                          })}
+                        </div>
+                      </Disclosure.Panel>
+                    </div>
+                  )}
+                </Disclosure>
+              )
+            })}
+
+            {filteredNonSseApps.length > 0 && (
+              <div className="pt-2">
+                <div className="flex items-center gap-1.5 text-2xs text-amber-500 mb-1">
+                  <FaExclamationTriangle className="shrink-0" />
+                  <span>These apps need SSE enabled in settings before they can be assigned:</span>
+                </div>
+                <p className="text-2xs text-neutral-500 px-0.5">
+                  {filteredNonSseApps.map((app: AppType, i: number) => (
+                    <span key={app.id}>
+                      <Link
+                        href={`/${params!.team}/apps/${app.id}/settings`}
+                        className="text-zinc-900 dark:text-zinc-100 hover:text-emerald-500 dark:hover:text-emerald-400 underline underline-offset-2 decoration-neutral-500/40 hover:decoration-emerald-500 transition"
+                      >
+                        {app.name}
+                      </Link>
+                      {i < filteredNonSseApps.length - 1 && ', '}
+                    </span>
+                  ))}
+                </p>
+              </div>
+            )}
+          </div>
+        )}
+
+        <div className="flex justify-between items-center pt-1">
+          <span className="text-2xs text-neutral-500">
+            {selectedCount} app{selectedCount !== 1 ? 's' : ''} selected
+          </span>
+          <Button
+            variant="primary"
+            onClick={handleSubmit}
+            isLoading={loading}
+            disabled={selectedCount === 0}
+          >
+            Grant Access
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
new file mode 100644
index 000000000..620d4fa96
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
@@ -0,0 +1,325 @@
+'use client'
+
+import {
+  OrganisationMemberType,
+  ServiceAccountType,
+  TeamMembershipType,
+} from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { Avatar } from '@/components/common/Avatar'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { organisationContext } from '@/contexts/organisationContext'
+import GetOrganisationMembers from '@/graphql/queries/organisation/getOrganisationMembers.gql'
+import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServiceAccounts.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { AddTeamMembersOp } from '@/graphql/mutations/teams/addTeamMembers.gql'
+import { useApolloClient, useMutation, useQuery } from '@apollo/client'
+import { useContext, useRef, useState } from 'react'
+import { FaPlus, FaSearch, FaTimesCircle, FaUsers, FaRobot } from 'react-icons/fa'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+import { Tab } from '@headlessui/react'
+
+export const AddTeamMembersDialog = ({
+  teamId,
+  existingMembers,
+}: {
+  teamId: string
+  existingMembers: TeamMembershipType[]
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const { data: membersData } = useQuery(GetOrganisationMembers, {
+    variables: { organisationId: organisation?.id, role: null },
+    skip: !organisation,
+  })
+
+  const { data: saData } = useQuery(GetServiceAccounts, {
+    variables: { orgId: organisation?.id },
+    skip: !organisation,
+  })
+
+  const client = useApolloClient()
+  const [addMembers, { loading }] = useMutation(AddTeamMembersOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+  const [selectedMembers, setSelectedMembers] = useState<Set<string>>(new Set())
+  const [selectedSAs, setSelectedSAs] = useState<Set<string>>(new Set())
+  const [searchQuery, setSearchQuery] = useState('')
+
+  const existingMemberIds = new Set(
+    existingMembers.filter((m) => m.orgMember).map((m) => m.orgMember!.id)
+  )
+
+  const existingSaIds = new Set(
+    existingMembers.filter((m) => m.serviceAccount).map((m) => m.serviceAccount!.id)
+  )
+
+  const availableMembers: OrganisationMemberType[] =
+    membersData?.organisationMembers?.filter(
+      (m: OrganisationMemberType) => !existingMemberIds.has(m.id)
+    ) || []
+
+  const availableSAs: ServiceAccountType[] =
+    saData?.serviceAccounts?.filter(
+      (sa: ServiceAccountType) => !existingSaIds.has(sa.id)
+    ) || []
+
+  const filteredMembers =
+    searchQuery !== ''
+      ? availableMembers.filter(
+          (m) =>
+            m.fullName?.toLowerCase().includes(searchQuery.toLowerCase()) ||
+            m.email?.toLowerCase().includes(searchQuery.toLowerCase())
+        )
+      : availableMembers
+
+  const filteredSAs =
+    searchQuery !== ''
+      ? availableSAs.filter((sa) =>
+          sa.name?.toLowerCase().includes(searchQuery.toLowerCase())
+        )
+      : availableSAs
+
+  const toggleMember = (id: string) => {
+    setSelectedMembers((prev) => {
+      const next = new Set(prev)
+      if (next.has(id)) next.delete(id)
+      else next.add(id)
+      return next
+    })
+  }
+
+  const toggleSA = (id: string) => {
+    setSelectedSAs((prev) => {
+      const next = new Set(prev)
+      if (next.has(id)) next.delete(id)
+      else next.add(id)
+      return next
+    })
+  }
+
+  const totalSelected = selectedMembers.size + selectedSAs.size
+
+  const handleSubmit = async () => {
+    if (totalSelected === 0) return
+    try {
+      const promises: Promise<any>[] = []
+
+      if (selectedMembers.size > 0) {
+        promises.push(
+          addMembers({
+            variables: {
+              teamId,
+              memberIds: Array.from(selectedMembers),
+              memberType: 'USER',
+            },
+          })
+        )
+      }
+
+      if (selectedSAs.size > 0) {
+        promises.push(
+          addMembers({
+            variables: {
+              teamId,
+              memberIds: Array.from(selectedSAs),
+              memberType: 'SERVICE',
+            },
+          })
+        )
+      }
+
+      await Promise.all(promises)
+
+      await client.refetchQueries({
+        include: [GetTeams],
+      })
+
+      const parts: string[] = []
+      if (selectedMembers.size > 0)
+        parts.push(`${selectedMembers.size} member${selectedMembers.size !== 1 ? 's' : ''}`)
+      if (selectedSAs.size > 0)
+        parts.push(
+          `${selectedSAs.size} service account${selectedSAs.size !== 1 ? 's' : ''}`
+        )
+      toast.success(`Added ${parts.join(' and ')} to team`)
+      reset()
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  const reset = () => {
+    setSelectedMembers(new Set())
+    setSelectedSAs(new Set())
+    setSearchQuery('')
+  }
+
+  const selectedSummary = () => {
+    const parts: string[] = []
+    if (selectedMembers.size > 0)
+      parts.push(`${selectedMembers.size} member${selectedMembers.size !== 1 ? 's' : ''}`)
+    if (selectedSAs.size > 0)
+      parts.push(`${selectedSAs.size} SA${selectedSAs.size !== 1 ? 's' : ''}`)
+    return parts.length > 0 ? parts.join(', ') : '0 selected'
+  }
+
+  return (
+    <GenericDialog
+      title="Add members to team"
+      buttonContent={
+        <>
+          <FaPlus /> Add Members
+        </>
+      }
+      buttonVariant="primary"
+      ref={dialogRef}
+      onClose={reset}
+    >
+      <div className="space-y-3 pt-4">
+        <Tab.Group
+          onChange={() => {
+            setSearchQuery('')
+          }}
+        >
+          <Tab.List className="flex gap-2 w-full border-b border-neutral-500/20">
+            <Tab
+              className={({ selected }) =>
+                clsx(
+                  'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease flex items-center gap-1.5',
+                  selected
+                    ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
+                    : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
+                )
+              }
+            >
+              <FaUsers className="text-xs" /> Members
+              {selectedMembers.size > 0 && (
+                <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
+                  {selectedMembers.size}
+                </span>
+              )}
+            </Tab>
+            <Tab
+              className={({ selected }) =>
+                clsx(
+                  'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease flex items-center gap-1.5',
+                  selected
+                    ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
+                    : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
+                )
+              }
+            >
+              <FaRobot className="text-xs" /> Service Accounts
+              {selectedSAs.size > 0 && (
+                <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
+                  {selectedSAs.size}
+                </span>
+              )}
+            </Tab>
+          </Tab.List>
+
+          <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
+            <FaSearch className="text-neutral-500 text-xs shrink-0" />
+            <input
+              placeholder="Search accounts"
+              className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
+              value={searchQuery}
+              onChange={(e) => setSearchQuery(e.target.value)}
+            />
+            <FaTimesCircle
+              className={clsx(
+                'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2 text-xs',
+                searchQuery ? 'opacity-100' : 'opacity-0'
+              )}
+              role="button"
+              onClick={() => setSearchQuery('')}
+            />
+          </div>
+
+          <Tab.Panels>
+            <Tab.Panel className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
+              {filteredMembers.length === 0 ? (
+                <p className="text-xs text-neutral-500 text-center py-4">
+                  {availableMembers.length === 0
+                    ? 'All organisation members are already in this team'
+                    : 'No members match your search'}
+                </p>
+              ) : (
+                filteredMembers.map((member: OrganisationMemberType) => (
+                  <div
+                    key={member.id}
+                    className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
+                    onClick={() => toggleMember(member.id)}
+                  >
+                    <div className="flex items-center gap-2">
+                      <Avatar member={member} size="md" />
+                      <div>
+                        <div className="text-xs font-medium">
+                          {member.fullName || member.email}
+                        </div>
+                        {member.fullName && (
+                          <div className="text-2xs text-neutral-500">{member.email}</div>
+                        )}
+                      </div>
+                    </div>
+                    <ToggleSwitch
+                      size="sm"
+                      value={selectedMembers.has(member.id)}
+                      onToggle={() => toggleMember(member.id)}
+                    />
+                  </div>
+                ))
+              )}
+            </Tab.Panel>
+            <Tab.Panel className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
+              {filteredSAs.length === 0 ? (
+                <p className="text-xs text-neutral-500 text-center py-4">
+                  {availableSAs.length === 0
+                    ? 'All service accounts are already in this team'
+                    : 'No service accounts match your search'}
+                </p>
+              ) : (
+                filteredSAs.map((sa: ServiceAccountType) => (
+                  <div
+                    key={sa.id}
+                    className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
+                    onClick={() => toggleSA(sa.id)}
+                  >
+                    <div className="flex items-center gap-2">
+                      <Avatar serviceAccount={sa} size="md" />
+                      <div>
+                        <div className="text-xs font-medium">{sa.name}</div>
+                        <div className="text-2xs text-neutral-500 font-mono">{sa.id}</div>
+                      </div>
+                    </div>
+                    <ToggleSwitch
+                      size="sm"
+                      value={selectedSAs.has(sa.id)}
+                      onToggle={() => toggleSA(sa.id)}
+                    />
+                  </div>
+                ))
+              )}
+            </Tab.Panel>
+          </Tab.Panels>
+        </Tab.Group>
+
+        <div className="flex justify-between items-center">
+          <span className="text-2xs text-neutral-500">{selectedSummary()}</span>
+          <Button
+            variant="primary"
+            onClick={handleSubmit}
+            isLoading={loading}
+            disabled={totalSelected === 0}
+          >
+            Add to Team
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamMemberDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamMemberDialog.tsx
new file mode 100644
index 000000000..6a77e5526
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamMemberDialog.tsx
@@ -0,0 +1,73 @@
+'use client'
+
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { RemoveTeamMemberOp } from '@/graphql/mutations/teams/removeTeamMember.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef } from 'react'
+import { FaTimes } from 'react-icons/fa'
+import { toast } from 'react-toastify'
+
+export const RemoveTeamMemberDialog = ({
+  teamId,
+  memberId,
+  memberName,
+  memberType = 'USER',
+}: {
+  teamId: string
+  memberId: string
+  memberName: string
+  memberType?: string
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [removeMember, { loading }] = useMutation(RemoveTeamMemberOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const handleRemove = async () => {
+    try {
+      await removeMember({
+        variables: {
+          teamId,
+          memberId,
+          memberType,
+        },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id, teamId },
+          },
+        ],
+      })
+      toast.success(`Removed ${memberName} from team`)
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title={`Remove ${memberName}`}
+      buttonContent={<><FaTimes /> Remove from team</>}
+      buttonVariant="danger"
+      ref={dialogRef}
+      size="sm"
+    >
+      <div className="space-y-4 pt-4">
+        <p className="text-sm text-neutral-500">
+          Remove <strong>{memberName}</strong> from this team? Their team-based environment key
+          grants will be revoked.
+        </p>
+        <div className="flex justify-end gap-2">
+          <Button variant="danger" onClick={handleRemove} isLoading={loading}>
+            Remove
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
new file mode 100644
index 000000000..21f30d8f2
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
@@ -0,0 +1,205 @@
+'use client'
+
+import { RoleType, TeamType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { Input } from '@/components/common/Input'
+import { RoleLabel } from '@/components/users/RoleLabel'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { GetRoles } from '@/graphql/queries/organisation/getRoles.gql'
+import { UpdateTeamOp } from '@/graphql/mutations/teams/updateTeam.gql'
+import { useMutation, useQuery } from '@apollo/client'
+import { Fragment, useContext, useRef, useState } from 'react'
+import { FaCog, FaChevronDown, FaUserShield, FaRobot } from 'react-icons/fa'
+import { Listbox } from '@headlessui/react'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+
+const RoleSelector = ({
+  value,
+  onChange,
+  options,
+  icon,
+  title,
+  subtitle,
+}: {
+  value: RoleType | null
+  onChange: (v: RoleType | null) => void
+  options: RoleType[]
+  icon: React.ReactNode
+  title: string
+  subtitle: string
+}) => (
+  <div className="space-y-2 w-full">
+    <div className="flex items-start gap-3">
+      <div className="text-neutral-500 mt-0.5 text-lg shrink-0">{icon}</div>
+      <div className="flex-1 min-w-0">
+        <label className="block text-sm font-medium text-zinc-900 dark:text-zinc-100">
+          {title}
+        </label>
+        <p className="text-xs text-neutral-500 mt-0.5">{subtitle}</p>
+        <div className="mt-2 relative">
+          <Listbox value={value} onChange={onChange}>
+            {({ open }) => (
+              <>
+                <Listbox.Button as={Fragment}>
+                  <div className="py-2 flex items-center justify-between w-full rounded-md border border-zinc-500/20 px-3 h-10 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 transition">
+                    {value ? (
+                      <RoleLabel role={value} />
+                    ) : (
+                      <span className="text-neutral-500 text-sm">None (use org role)</span>
+                    )}
+                    <FaChevronDown
+                      className={clsx(
+                        'transition-transform ease duration-300 text-neutral-500 text-xs',
+                        open ? 'rotate-180' : 'rotate-0'
+                      )}
+                    />
+                  </div>
+                </Listbox.Button>
+                <Listbox.Options className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-md shadow-2xl absolute z-10 w-full focus:outline-none mt-1">
+                  <Listbox.Option value={null} as={Fragment}>
+                    {({ active }) => (
+                      <div
+                        className={clsx(
+                          'flex items-center gap-2 p-2 cursor-pointer rounded-full text-sm',
+                          active && 'bg-zinc-300 dark:bg-zinc-700'
+                        )}
+                      >
+                        None (use org role)
+                      </div>
+                    )}
+                  </Listbox.Option>
+                  {options.map((role: RoleType) => (
+                    <Listbox.Option key={role.id} value={role} as={Fragment}>
+                      {({ active }) => (
+                        <div
+                          className={clsx(
+                            'flex items-center gap-2 p-2 cursor-pointer rounded-full',
+                            active && 'bg-zinc-300 dark:bg-zinc-700'
+                          )}
+                        >
+                          <RoleLabel role={role} />
+                        </div>
+                      )}
+                    </Listbox.Option>
+                  ))}
+                </Listbox.Options>
+              </>
+            )}
+          </Listbox>
+        </div>
+      </div>
+    </div>
+  </div>
+)
+
+export const UpdateTeamDialog = ({ team }: { team: TeamType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const { data: roleData } = useQuery(GetRoles, {
+    variables: { orgId: organisation?.id },
+    skip: !organisation,
+  })
+
+  const [updateTeam, { loading }] = useMutation(UpdateTeamOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const [name, setName] = useState(team.name)
+  const [description, setDescription] = useState(team.description || '')
+  const [memberRole, setMemberRole] = useState<RoleType | null>(
+    (team.memberRole as RoleType) || null
+  )
+  const [saRole, setSaRole] = useState<RoleType | null>(
+    (team.serviceAccountRole as RoleType) || null
+  )
+
+  const roleOptions = roleData?.roles || []
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    try {
+      await updateTeam({
+        variables: {
+          teamId: team.id,
+          name,
+          description: description || null,
+          memberRoleId: memberRole?.id || '',
+          serviceAccountRoleId: saRole?.id || '',
+        },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id, teamId: team.id },
+          },
+        ],
+      })
+      toast.success('Team updated')
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title="Team settings"
+      buttonContent={
+        <>
+          <FaCog /> Settings
+        </>
+      }
+      buttonVariant="secondary"
+      ref={dialogRef}
+      onClose={() => {
+        setName(team.name)
+        setDescription(team.description || '')
+        setMemberRole((team.memberRole as RoleType) || null)
+        setSaRole((team.serviceAccountRole as RoleType) || null)
+      }}
+    >
+      <form onSubmit={handleSubmit} className="space-y-6 pt-4">
+        <Input value={name} setValue={setName} label="Team name" required maxLength={64} />
+
+        <div className="space-y-2 w-full">
+          <label className="block text-neutral-500 text-xs">Description</label>
+          <textarea
+            value={description}
+            onChange={(e) => setDescription(e.target.value)}
+            className="w-full rounded-md bg-zinc-100 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100 p-2 text-sm resize-none"
+            rows={3}
+            placeholder="Optional team description"
+          />
+        </div>
+
+        <div className="space-y-4">
+          <RoleSelector
+            value={memberRole}
+            onChange={setMemberRole}
+            options={roleOptions}
+            icon={<FaUserShield />}
+            title="Member role"
+            subtitle="Choose a role that overrides org-level permissions for team members within apps assigned to this team."
+          />
+
+          <RoleSelector
+            value={saRole}
+            onChange={setSaRole}
+            options={roleOptions}
+            icon={<FaRobot />}
+            title="Service account role"
+            subtitle="Choose a role that overrides org-level permissions for service accounts within apps assigned to this team."
+          />
+        </div>
+
+        <div className="flex justify-end items-center gap-2">
+          <Button type="submit" variant="primary" isLoading={loading}>
+            Save Changes
+          </Button>
+        </div>
+      </form>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
new file mode 100644
index 000000000..eca59a97a
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -0,0 +1,370 @@
+'use client'
+
+import { AppType, TeamAppEnvironmentType, TeamMembershipType, TeamType } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import { EmptyState } from '@/components/common/EmptyState'
+import Spinner from '@/components/common/Spinner'
+import { Avatar } from '@/components/common/Avatar'
+import { RoleLabel } from '@/components/users/RoleLabel'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { userHasPermission } from '@/utils/access/permissions'
+import { relativeTimeFromDates } from '@/utils/time'
+import { useQuery } from '@apollo/client'
+import Link from 'next/link'
+import { useRouter } from 'next/navigation'
+import { useContext } from 'react'
+import {
+  FaBan,
+  FaChevronLeft,
+  FaClock,
+  FaCog,
+  FaExternalLinkAlt,
+  FaRobot,
+  FaUsers,
+} from 'react-icons/fa'
+import { AddTeamMembersDialog } from './_components/AddTeamMembersDialog'
+import { AddTeamAppsDialog } from './_components/AddTeamAppsDialog'
+import { RemoveTeamMemberDialog } from './_components/RemoveTeamMemberDialog'
+import { UpdateTeamDialog } from './_components/UpdateTeamDialog'
+import { DeleteTeamDialog } from '../_components/DeleteTeamDialog'
+
+export default function TeamDetail({ params }: { params: { team: string; teamId: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const router = useRouter()
+
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
+  const userCanUpdateTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'update')
+    : false
+
+  const userCanDeleteTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'delete')
+    : false
+
+  const { data, loading } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id, teamId: params.teamId },
+    skip: !organisation || !userCanReadTeams,
+    pollInterval: 10000,
+  })
+
+  const team: TeamType | null = data?.teams?.[0] || null
+
+  if (loading || !organisation)
+    return (
+      <div className="flex items-center justify-center h-full w-full">
+        <Spinner size="md" />
+      </div>
+    )
+
+  if (!userCanReadTeams)
+    return (
+      <section className="p-4">
+        <EmptyState
+          title="Access restricted"
+          subtitle="You don't have the permissions required to view this team."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl">
+              <FaBan />
+            </div>
+          }
+        >
+          <Link
+            href={`/${params.team}/access/teams`}
+            className="text-neutral-500 flex items-center gap-2 text-sm hover:text-zinc-800 dark:hover:text-zinc-200 transition ease"
+          >
+            <FaChevronLeft /> Back to teams
+          </Link>
+        </EmptyState>
+      </section>
+    )
+
+  if (!team)
+    return (
+      <section className="p-4">
+        <EmptyState title="Team not found" subtitle="This team may have been deleted.">
+          <Link
+            href={`/${params.team}/access/teams`}
+            className="text-neutral-500 flex items-center gap-2 text-sm hover:text-zinc-800 dark:hover:text-zinc-200 transition ease"
+          >
+            <FaChevronLeft /> Back to teams
+          </Link>
+        </EmptyState>
+      </section>
+    )
+
+  // Group environments by app
+  const envsByApp: Record<string, { app: AppType; envs: TeamAppEnvironmentType[] }> = {}
+  for (const tae of team.appEnvironments || []) {
+    const appId = tae!.app!.id
+    if (!envsByApp[appId]) {
+      envsByApp[appId] = { app: tae!.app as unknown as AppType, envs: [] }
+    }
+    envsByApp[appId].envs.push(tae!)
+  }
+
+  return (
+    <section className="flex flex-col px-3 sm:px-4 lg:px-6">
+      <div className="pb-4">
+        <Link
+          href={`/${params.team}/access/teams`}
+          className="text-neutral-500 inline-flex items-center gap-2 text-sm hover:text-zinc-800 dark:hover:text-zinc-200 transition ease"
+        >
+          <FaChevronLeft /> Back to teams
+        </Link>
+      </div>
+
+      <div className="flex-grow overflow-y-auto space-y-6 py-4">
+        {/* Header: Team name, badge, metadata */}
+        <div>
+          <div className="flex items-center justify-between">
+            <div className="flex flex-col gap-0.5">
+              <h3 className="text-lg font-medium flex items-center gap-2">
+                {team.name}
+                {team.isScimManaged && (
+                  <span className="text-2xs px-1 rounded ring-1 ring-inset ring-purple-500/40 bg-purple-500/20 text-purple-400 uppercase font-medium">
+                    <FaRobot className="inline mr-0.5" />
+                    SCIM
+                  </span>
+                )}
+              </h3>
+              {team.description && (
+                <span className="text-neutral-500 text-sm">{team.description}</span>
+              )}
+              <span className="text-neutral-500 text-xs">
+                {team.members?.filter((m) => m.orgMember).length || 0} member
+                {(team.members?.filter((m) => m.orgMember).length || 0) !== 1 ? 's' : ''} and{' '}
+                {team.members?.filter((m) => m.serviceAccount).length || 0} service account
+                {(team.members?.filter((m) => m.serviceAccount).length || 0) !== 1 ? 's' : ''} with
+                access to {Object.keys(envsByApp).length} app
+                {Object.keys(envsByApp).length !== 1 ? 's' : ''}
+              </span>
+            </div>
+            <div className="flex flex-col items-end gap-2">
+              {userCanUpdateTeams && !team.isScimManaged && <UpdateTeamDialog team={team} />}
+              <span
+                className="text-neutral-500 text-2xs flex items-center gap-1 cursor-help"
+                title={new Date(team.createdAt).toLocaleString()}
+              >
+                <FaClock /> Created {relativeTimeFromDates(new Date(team.createdAt))}
+                {team.createdBy && ` by ${team.createdBy.fullName || team.createdBy.email}`}
+              </span>
+            </div>
+          </div>
+
+          {/* Role overrides */}
+          {(team.memberRole || team.serviceAccountRole) && (
+            <div className="flex items-center gap-4 mt-3">
+              {team.memberRole && (
+                <div className="flex items-center gap-1.5 text-xs text-neutral-500">
+                  <FaUsers className="text-xs" />
+                  <span>Member role:</span>
+                  <RoleLabel role={team.memberRole} />
+                </div>
+              )}
+              {team.serviceAccountRole && (
+                <div className="flex items-center gap-1.5 text-xs text-neutral-500">
+                  <FaRobot className="text-xs" />
+                  <span>SA role:</span>
+                  <RoleLabel role={team.serviceAccountRole} />
+                </div>
+              )}
+            </div>
+          )}
+        </div>
+
+        {/* Members Section */}
+        <div className="pt-4 space-y-3 border-t border-neutral-500/40">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-base font-medium">Members</div>
+              <div className="text-neutral-500 text-sm">
+                Members and service accounts in this team
+              </div>
+            </div>
+            {userCanUpdateTeams && !team.isScimManaged && (
+              <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} />
+            )}
+          </div>
+
+          <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
+            {team.members && team.members.length > 0 ? (
+              team.members.map((membership: TeamMembershipType) => {
+                const isUser = !!membership.orgMember
+                const memberId = isUser ? membership.orgMember!.id : membership.serviceAccount!.id
+                const displayName = isUser
+                  ? membership.fullName || membership.email || 'Unknown'
+                  : membership.serviceAccount!.name || 'Service Account'
+
+                return (
+                  <div
+                    key={membership.id}
+                    className="grid grid-cols-1 md:grid-cols-4 gap-4 items-center py-1.5 px-2 group"
+                  >
+                    <div className="flex items-center gap-2">
+                      {isUser ? (
+                        <Avatar
+                          user={{
+                            name: membership.fullName,
+                            email: membership.email,
+                            image: membership.avatarUrl,
+                          }}
+                          size="md"
+                        />
+                      ) : (
+                        <Avatar serviceAccount={membership.serviceAccount!} size="md" />
+                      )}
+                      <div>
+                        <div className="text-sm font-medium">{displayName}</div>
+                        {isUser && membership.fullName && (
+                          <div className="text-xs text-neutral-500">{membership.email}</div>
+                        )}
+                        {!isUser && (
+                          <div className="text-2xs text-neutral-500 font-mono">{memberId}</div>
+                        )}
+                      </div>
+                    </div>
+
+                    <div>
+                      {isUser && membership.orgMember?.role && (
+                        <RoleLabel role={membership.orgMember.role} size="xs" />
+                      )}
+                      {!isUser && membership.serviceAccount?.role && (
+                        <RoleLabel role={membership.serviceAccount.role} size="xs" />
+                      )}
+                    </div>
+
+                    <div className="text-2xs text-neutral-500">
+                      Added {relativeTimeFromDates(new Date(membership.createdAt))}
+                    </div>
+
+                    <div className="flex justify-end gap-1 opacity-0 group-hover:opacity-100 transition ease">
+                      <Link
+                        href={
+                          isUser
+                            ? `/${params.team}/access/members/${memberId}`
+                            : `/${params.team}/access/service-accounts/${memberId}`
+                        }
+                        title={`View ${displayName}`}
+                      >
+                        <Button variant="secondary">
+                          <FaExternalLinkAlt /> Manage account
+                        </Button>
+                      </Link>
+                      {userCanUpdateTeams &&
+                        !team.isScimManaged &&
+                        !(isUser && team.createdBy?.id === membership.orgMember?.id) && (
+                          <RemoveTeamMemberDialog
+                            teamId={team.id}
+                            memberId={memberId}
+                            memberName={displayName}
+                            memberType={isUser ? 'USER' : 'SERVICE'}
+                          />
+                        )}
+                    </div>
+                  </div>
+                )
+              })
+            ) : (
+              <div className="py-8 text-center text-neutral-500">
+                This team does not have any members yet.
+              </div>
+            )}
+          </div>
+        </div>
+
+        {/* App Access Section */}
+        <div className="pt-4 space-y-3 border-t border-neutral-500/40">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-base font-medium">App Access</div>
+              <div className="text-neutral-500 text-sm">
+                Apps and environments this team has access to
+              </div>
+            </div>
+            {userCanUpdateTeams && <AddTeamAppsDialog team={team} />}
+          </div>
+
+          <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
+            {Object.keys(envsByApp).length > 0 ? (
+              Object.entries(envsByApp).map(([appId, { app, envs }]) => (
+                <div
+                  key={appId}
+                  className="grid grid-cols-1 md:grid-cols-4 gap-4 items-center py-1.5 px-2 group"
+                >
+                  <div className="space-y-0.5">
+                    <div className="font-medium text-sm text-zinc-900 dark:text-zinc-100">
+                      {app.name}
+                    </div>
+                  </div>
+
+                  <div className="col-span-2">
+                    <div className="text-2xs uppercase tracking-widest text-neutral-500 mb-1">
+                      Environments
+                    </div>
+                    <div className="flex items-center gap-1 flex-wrap">
+                      {envs.map((tae) => (
+                        <span
+                          key={tae.id}
+                          className="text-2xs px-1.5 py-0.5 rounded bg-zinc-200 dark:bg-zinc-800 text-zinc-600 dark:text-zinc-400"
+                        >
+                          {tae.environment!.name}
+                        </span>
+                      ))}
+                    </div>
+                  </div>
+
+                  <div className="flex justify-end">
+                    <Link
+                      className="opacity-0 group-hover:opacity-100 transition ease"
+                      href={`/${params.team}/apps/${appId}/access/teams`}
+                      title={`Manage team access to ${app.name}`}
+                    >
+                      <Button variant="secondary" icon={FaCog}>
+                        Manage
+                      </Button>
+                    </Link>
+                  </div>
+                </div>
+              ))
+            ) : (
+              <div className="py-8 text-center text-neutral-500">
+                This team does not have access to any apps. To grant access, go to an app&apos;s
+                Access &gt; Teams tab.
+              </div>
+            )}
+          </div>
+        </div>
+
+        {/* Danger Zone */}
+        {userCanDeleteTeams && !team.isScimManaged && (
+          <div className="pt-4 space-y-2 border-t border-neutral-500/40">
+            <div>
+              <div className="text-base font-medium">Danger Zone</div>
+              <div className="text-neutral-500 text-sm">
+                This action is destructive and cannot be reversed
+              </div>
+            </div>
+
+            <div className="flex justify-between items-center ring-1 ring-inset ring-red-500/40 bg-red-400/10 rounded-lg p-3">
+              <div>
+                <div className="font-medium text-sm text-red-400">Delete team</div>
+                <div className="text-neutral-500 text-xs">
+                  Permanently delete this team and revoke all team-based access.
+                </div>
+              </div>
+              <DeleteTeamDialog
+                teamId={team.id}
+                teamName={team.name}
+                onDelete={() => router.push(`/${params.team}/access/teams`)}
+              />
+            </div>
+          </div>
+        )}
+      </div>
+    </section>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx b/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
new file mode 100644
index 000000000..b8eac97c0
--- /dev/null
+++ b/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
@@ -0,0 +1,204 @@
+'use client'
+
+import { RoleType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { Input } from '@/components/common/Input'
+import { RoleLabel } from '@/components/users/RoleLabel'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { GetRoles } from '@/graphql/queries/organisation/getRoles.gql'
+import { CreateTeamOp } from '@/graphql/mutations/teams/createTeam.gql'
+import { useMutation, useQuery } from '@apollo/client'
+import { Fragment, useContext, useRef, useState } from 'react'
+import { FaChevronDown, FaPlus, FaUserShield, FaRobot } from 'react-icons/fa'
+import { Listbox } from '@headlessui/react'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+
+const RoleSelector = ({
+  value,
+  onChange,
+  options,
+  icon,
+  title,
+  subtitle,
+}: {
+  value: RoleType | null
+  onChange: (v: RoleType | null) => void
+  options: RoleType[]
+  icon: React.ReactNode
+  title: string
+  subtitle: string
+}) => (
+  <div className="space-y-2 w-full">
+    <div className="flex items-start gap-3">
+      <div className="text-neutral-500 mt-0.5 text-lg shrink-0">{icon}</div>
+      <div className="flex-1 min-w-0">
+        <label className="block text-sm font-medium text-zinc-900 dark:text-zinc-100">
+          {title}
+        </label>
+        <p className="text-xs text-neutral-500 mt-0.5">{subtitle}</p>
+        <div className="mt-2 relative">
+          <Listbox value={value} onChange={onChange}>
+            {({ open }) => (
+              <>
+                <Listbox.Button as={Fragment}>
+                  <div className="py-2 flex items-center justify-between w-full rounded-md border border-zinc-500/20 px-3 h-10 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 transition">
+                    {value ? (
+                      <RoleLabel role={value} />
+                    ) : (
+                      <span className="text-neutral-500 text-sm">None (use org role)</span>
+                    )}
+                    <FaChevronDown
+                      className={clsx(
+                        'transition-transform ease duration-300 text-neutral-500 text-xs',
+                        open ? 'rotate-180' : 'rotate-0'
+                      )}
+                    />
+                  </div>
+                </Listbox.Button>
+                <Listbox.Options className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-md shadow-2xl absolute z-10 w-full focus:outline-none mt-1">
+                  <Listbox.Option value={null} as={Fragment}>
+                    {({ active }) => (
+                      <div
+                        className={clsx(
+                          'flex items-center gap-2 p-2 cursor-pointer rounded-full text-sm',
+                          active && 'bg-zinc-300 dark:bg-zinc-700'
+                        )}
+                      >
+                        None (use org role)
+                      </div>
+                    )}
+                  </Listbox.Option>
+                  {options.map((role: RoleType) => (
+                    <Listbox.Option key={role.id} value={role} as={Fragment}>
+                      {({ active }) => (
+                        <div
+                          className={clsx(
+                            'flex items-center gap-2 p-2 cursor-pointer rounded-full',
+                            active && 'bg-zinc-300 dark:bg-zinc-700'
+                          )}
+                        >
+                          <RoleLabel role={role} />
+                        </div>
+                      )}
+                    </Listbox.Option>
+                  ))}
+                </Listbox.Options>
+              </>
+            )}
+          </Listbox>
+        </div>
+      </div>
+    </div>
+  </div>
+)
+
+export const CreateTeamDialog = () => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const { data: roleData } = useQuery(GetRoles, {
+    variables: { orgId: organisation?.id },
+    skip: !organisation,
+  })
+
+  const [createTeam, { loading: createPending }] = useMutation(CreateTeamOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const [name, setName] = useState('')
+  const [description, setDescription] = useState('')
+  const [memberRole, setMemberRole] = useState<RoleType | null>(null)
+  const [saRole, setSaRole] = useState<RoleType | null>(null)
+
+  const reset = () => {
+    setName('')
+    setDescription('')
+    setMemberRole(null)
+    setSaRole(null)
+  }
+
+  const roleOptions = roleData?.roles || []
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    try {
+      await createTeam({
+        variables: {
+          organisationId: organisation!.id,
+          name,
+          description: description || null,
+          memberRoleId: memberRole?.id || null,
+          serviceAccountRoleId: saRole?.id || null,
+        },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id },
+          },
+        ],
+      })
+      toast.success('Team created!')
+      reset()
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title="Create a new Team"
+      buttonContent={
+        <>
+          <FaPlus /> Create Team
+        </>
+      }
+      buttonVariant="primary"
+      ref={dialogRef}
+      onClose={reset}
+    >
+      <form onSubmit={handleSubmit} className="space-y-6 pt-4">
+        <Input value={name} setValue={setName} label="Team name" required maxLength={64} />
+
+        <div className="space-y-2 w-full">
+          <label className="block text-neutral-500 text-xs">Description</label>
+          <textarea
+            value={description}
+            onChange={(e) => setDescription(e.target.value)}
+            className="w-full rounded-md bg-zinc-100 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100 p-2 text-sm resize-none"
+            rows={3}
+            placeholder="Optional team description"
+          />
+        </div>
+
+        <div className="space-y-4">
+          <RoleSelector
+            value={memberRole}
+            onChange={setMemberRole}
+            options={roleOptions}
+            icon={<FaUserShield />}
+            title="Member role (optional)"
+            subtitle="Choose a role that overrides org-level permissions for team members within apps assigned to this team."
+          />
+
+          <RoleSelector
+            value={saRole}
+            onChange={setSaRole}
+            options={roleOptions}
+            icon={<FaRobot />}
+            title="Service account role (optional)"
+            subtitle="Choose a role that overrides org-level permissions for service accounts within apps assigned to this team."
+          />
+        </div>
+
+        <div className="flex justify-end items-center gap-2">
+          <Button type="submit" variant="primary" isLoading={createPending}>
+            Create Team
+          </Button>
+        </div>
+      </form>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx b/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx
new file mode 100644
index 000000000..8135a7c84
--- /dev/null
+++ b/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx
@@ -0,0 +1,86 @@
+'use client'
+
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { DeleteTeamOp } from '@/graphql/mutations/teams/deleteTeam.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef, useState } from 'react'
+import { FaTrashAlt } from 'react-icons/fa'
+import { toast } from 'react-toastify'
+
+export const DeleteTeamDialog = ({
+  teamId,
+  teamName,
+  onDelete,
+}: {
+  teamId: string
+  teamName: string
+  onDelete?: () => void
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [deleteTeam, { loading }] = useMutation(DeleteTeamOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+  const [confirmName, setConfirmName] = useState('')
+
+  const handleDelete = async () => {
+    try {
+      await deleteTeam({
+        variables: { teamId },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id },
+          },
+        ],
+      })
+      toast.success('Team deleted')
+      dialogRef.current?.closeModal()
+      onDelete?.()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title={`Delete ${teamName}`}
+      buttonContent={<FaTrashAlt />}
+      buttonVariant="danger"
+      buttonProps={{ classString: 'py-0.5' }}
+      ref={dialogRef}
+      onClose={() => setConfirmName('')}
+    >
+      <div className="space-y-4 pt-4">
+        <p className="text-sm text-neutral-500">
+          This will permanently delete the team <strong>{teamName}</strong> and revoke all
+          environment key grants associated with it. This action cannot be undone.
+        </p>
+        <div className="space-y-2">
+          <label className="block text-neutral-500 text-xs">
+            Type <strong>{teamName}</strong> to confirm
+          </label>
+          <input
+            value={confirmName}
+            onChange={(e) => setConfirmName(e.target.value)}
+            className="w-full rounded-md bg-zinc-100 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100 p-2 text-sm"
+            placeholder={teamName}
+          />
+        </div>
+        <div className="flex justify-end gap-2">
+          <Button
+            variant="danger"
+            onClick={handleDelete}
+            isLoading={loading}
+            disabled={confirmName !== teamName}
+          >
+            Delete Team
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/page.tsx b/frontend/app/[team]/access/teams/page.tsx
new file mode 100644
index 000000000..074848fa1
--- /dev/null
+++ b/frontend/app/[team]/access/teams/page.tsx
@@ -0,0 +1,323 @@
+'use client'
+
+import { TeamType } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import { EmptyState } from '@/components/common/EmptyState'
+import Spinner from '@/components/common/Spinner'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { userHasPermission } from '@/utils/access/permissions'
+import { relativeTimeFromDates } from '@/utils/time'
+import { useQuery } from '@apollo/client'
+import Link from 'next/link'
+import { useContext, useState } from 'react'
+import {
+  FaBan,
+  FaChevronRight,
+  FaSearch,
+  FaTimesCircle,
+  FaUsers,
+  FaRobot,
+} from 'react-icons/fa'
+import { Avatar } from '@/components/common/Avatar'
+import { MdSearchOff } from 'react-icons/md'
+import clsx from 'clsx'
+import { CreateTeamDialog } from './_components/CreateTeamDialog'
+import { RoleLabel } from '@/components/users/RoleLabel'
+
+export default function Teams({ params }: { params: { team: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [searchQuery, setSearchQuery] = useState('')
+
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
+  const userCanCreateTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'create')
+    : false
+
+  const { data, loading } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+    pollInterval: 10000,
+  })
+
+  const teams: TeamType[] = data?.teams || []
+
+  const filteredTeams =
+    searchQuery !== ''
+      ? teams.filter(
+          (team: TeamType) =>
+            team.name?.toLowerCase().includes(searchQuery.toLowerCase()) ||
+            team.description?.toLowerCase().includes(searchQuery.toLowerCase())
+        )
+      : teams
+
+  if (!organisation)
+    return (
+      <div className="flex items-center justify-center p-10">
+        <Spinner size="md" />
+      </div>
+    )
+
+  return (
+    <section className="px-3 sm:px-4 lg:px-6">
+      <div className="w-full space-y-4 text-zinc-900 dark:text-zinc-100">
+        <div>
+          <h2 className="text-base font-medium">{params.team} Teams</h2>
+          <p className="text-neutral-500 text-sm">
+            Manage teams and their access to apps and environments.
+          </p>
+        </div>
+        <div className="space-y-4">
+          <div className="flex items-center justify-between">
+            <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2 w-full max-w-sm">
+              <div>
+                <FaSearch className="text-neutral-500" />
+              </div>
+              <input
+                placeholder="Search"
+                className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500"
+                value={searchQuery}
+                onChange={(e) => setSearchQuery(e.target.value)}
+              />
+              <FaTimesCircle
+                className={clsx(
+                  'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2',
+                  searchQuery ? 'opacity-100' : 'opacity-0'
+                )}
+                role="button"
+                onClick={() => setSearchQuery('')}
+              />
+            </div>
+
+            {userCanCreateTeams && (
+              <div className="flex justify-end">
+                <CreateTeamDialog />
+              </div>
+            )}
+          </div>
+
+          {userCanReadTeams ? (
+            loading && !data ? (
+              <div className="flex items-center justify-center p-10">
+                <Spinner size="md" />
+              </div>
+            ) : teams.length === 0 ? (
+              <EmptyState
+                title="No teams yet"
+                subtitle="Create a team to manage group-based access to apps and environments."
+                graphic={
+                  <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                    <FaUsers />
+                  </div>
+                }
+              >
+                {userCanCreateTeams && <CreateTeamDialog />}
+              </EmptyState>
+            ) : (
+              <table className="table-auto min-w-full divide-y divide-zinc-500/40">
+                <thead>
+                  <tr>
+                    <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Team
+                    </th>
+                    <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Role overrides
+                    </th>
+                    <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Members
+                    </th>
+                    <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Apps
+                    </th>
+                    <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Created
+                    </th>
+                    <th className="px-6 py-3"></th>
+                  </tr>
+                </thead>
+                <tbody className="divide-y divide-zinc-500/20">
+                  {filteredTeams.map((team: TeamType) => {
+                    const orgMembers =
+                      team.members?.filter((m) => m.orgMember) || []
+                    const serviceAccounts =
+                      team.members?.filter((m) => m.serviceAccount) || []
+                    const surplusMemberCount =
+                      orgMembers.length > 5 ? orgMembers.length - 5 : 0
+                    const surplusSaCount =
+                      serviceAccounts.length > 3 ? serviceAccounts.length - 3 : 0
+
+                    return (
+                      <tr key={team.id} className="group">
+                        <td className="py-2">
+                          <div className="flex items-center gap-3">
+                            <div className="text-2xl text-neutral-500">
+                              <FaUsers />
+                            </div>
+                            <div>
+                              <div className="font-medium flex items-center gap-2">
+                                {team.name}
+                                {team.isScimManaged && (
+                                  <span className="text-2xs px-1 rounded ring-1 ring-inset ring-purple-500/40 bg-purple-500/20 text-purple-400 uppercase font-medium">
+                                    <FaRobot className="inline mr-0.5" />
+                                    SCIM
+                                  </span>
+                                )}
+                              </div>
+                              {team.description && (
+                                <div className="text-sm text-neutral-500 truncate max-w-xs">
+                                  {team.description}
+                                </div>
+                              )}
+                            </div>
+                          </div>
+                        </td>
+                        <td className="px-6 py-2">
+                          <div className="flex flex-col gap-1">
+                            {team.memberRole ? (
+                              <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
+                                <FaUsers className="text-2xs shrink-0" />
+                                <RoleLabel role={team.memberRole} />
+                              </div>
+                            ) : null}
+                            {team.serviceAccountRole ? (
+                              <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
+                                <FaRobot className="text-2xs shrink-0" />
+                                <RoleLabel role={team.serviceAccountRole} />
+                              </div>
+                            ) : null}
+                            {!team.memberRole && !team.serviceAccountRole && (
+                              <span className="text-neutral-500 text-xs">Org role</span>
+                            )}
+                          </div>
+                        </td>
+                        <td className="px-6 py-2">
+                          <div className="space-y-1.5">
+                            {orgMembers.length > 0 && (
+                              <div className="flex items-center gap-1.5">
+                                <div className="flex items-center">
+                                  {orgMembers.slice(0, 5).map((m, i) => (
+                                    <div
+                                      key={m.id}
+                                      className={clsx(
+                                        'rounded-full',
+                                        i !== 0 && '-ml-2'
+                                      )}
+                                      style={{ zIndex: i }}
+                                    >
+                                      <Avatar
+                                        user={{
+                                          name: m.fullName,
+                                          email: m.email,
+                                          image: m.avatarUrl,
+                                        }}
+                                        size="xs"
+                                        showTitle={false}
+                                      />
+                                    </div>
+                                  ))}
+                                  {surplusMemberCount > 0 && (
+                                    <span className="text-neutral-500 text-xs ml-1">
+                                      +{surplusMemberCount}
+                                    </span>
+                                  )}
+                                </div>
+                                <span className="text-2xs text-neutral-500">
+                                  {orgMembers.length} member
+                                  {orgMembers.length !== 1 ? 's' : ''}
+                                </span>
+                              </div>
+                            )}
+                            {serviceAccounts.length > 0 && (
+                              <div className="flex items-center gap-1.5">
+                                <div className="flex items-center">
+                                  {serviceAccounts.slice(0, 3).map((m, i) => (
+                                    <div
+                                      key={m.id}
+                                      className={clsx(
+                                        'rounded-full',
+                                        i !== 0 && '-ml-2'
+                                      )}
+                                      style={{ zIndex: i }}
+                                    >
+                                      <Avatar
+                                        serviceAccount={m.serviceAccount!}
+                                        size="xs"
+                                        showTitle={false}
+                                      />
+                                    </div>
+                                  ))}
+                                  {surplusSaCount > 0 && (
+                                    <span className="text-neutral-500 text-xs ml-1">
+                                      +{surplusSaCount}
+                                    </span>
+                                  )}
+                                </div>
+                                <span className="text-2xs text-neutral-500">
+                                  {serviceAccounts.length} SA
+                                  {serviceAccounts.length !== 1 ? 's' : ''}
+                                </span>
+                              </div>
+                            )}
+                            {orgMembers.length === 0 &&
+                              serviceAccounts.length === 0 && (
+                                <span className="text-2xs text-neutral-500">
+                                  No members
+                                </span>
+                              )}
+                          </div>
+                        </td>
+                        <td className="px-6 py-2 text-sm">
+                          {team.apps?.length || 0}
+                        </td>
+                        <td className="px-6 py-2 text-sm">
+                          {relativeTimeFromDates(new Date(team.createdAt))}
+                        </td>
+                        <td className="px-6 py-2 whitespace-nowrap text-right">
+                          <Link href={`/${params.team}/access/teams/${team.id}`}>
+                            <Button variant="secondary">
+                              Manage <FaChevronRight />
+                            </Button>
+                          </Link>
+                        </td>
+                      </tr>
+                    )
+                  })}
+                </tbody>
+              </table>
+            )
+          ) : (
+            <EmptyState
+              title="Access restricted"
+              subtitle="You don't have the permissions required to view teams in this organisation."
+              graphic={
+                <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                  <FaBan />
+                </div>
+              }
+            >
+              <></>
+            </EmptyState>
+          )}
+
+          {searchQuery && filteredTeams.length === 0 && teams.length > 0 && (
+            <EmptyState
+              title={`No results for "${searchQuery}"`}
+              subtitle="Try adjusting your search term"
+              graphic={
+                <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                  <MdSearchOff />
+                </div>
+              }
+            >
+              <></>
+            </EmptyState>
+          )}
+        </div>
+      </div>
+    </section>
+  )
+}

From 7b4df216587cb1086ed31f5f3e4276e3cc4229dd Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:43 +0530
Subject: [PATCH 008/118] feat: add app-level teams page with add, remove, and
 manage env dialogs

---
 .../teams/_components/AddTeamToAppDialog.tsx  | 249 ++++++++++++++++
 .../_components/ManageTeamEnvsDialog.tsx      | 193 +++++++++++++
 .../_components/RemoveTeamFromAppDialog.tsx   |  70 +++++
 .../[team]/apps/[app]/access/teams/page.tsx   | 270 ++++++++++++++++++
 4 files changed, 782 insertions(+)
 create mode 100644 frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx
 create mode 100644 frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx
 create mode 100644 frontend/app/[team]/apps/[app]/access/teams/_components/RemoveTeamFromAppDialog.tsx
 create mode 100644 frontend/app/[team]/apps/[app]/access/teams/page.tsx

diff --git a/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx b/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx
new file mode 100644
index 000000000..2984d2f5a
--- /dev/null
+++ b/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx
@@ -0,0 +1,249 @@
+'use client'
+
+import { AppType, EnvironmentType, TeamType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { GetApps } from '@/graphql/queries/getApps.gql'
+import { AddTeamAppsOp } from '@/graphql/mutations/teams/addTeamApps.gql'
+import { useMutation, useQuery } from '@apollo/client'
+import { useContext, useRef, useState } from 'react'
+import { FaPlus, FaCheck, FaUsers, FaChevronDown } from 'react-icons/fa'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+import { Disclosure } from '@headlessui/react'
+
+export const AddTeamToAppDialog = ({
+  appId,
+  appEnvironments,
+}: {
+  appId: string
+  appEnvironments: EnvironmentType[]
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation,
+  })
+
+  const [addTeamApps, { loading }] = useMutation(AddTeamAppsOp)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+  const [selectedTeamId, setSelectedTeamId] = useState<string | null>(null)
+  const [selectedEnvIds, setSelectedEnvIds] = useState<Set<string>>(new Set())
+
+  // Filter out teams that already have access to this app
+  const availableTeams: TeamType[] =
+    teamsData?.teams?.filter(
+      (team: TeamType) => !team.apps?.some((a) => a!.id === appId)
+    ) || []
+
+  const envIds = appEnvironments.map((e) => e.id)
+
+  const toggleEnv = (envId: string) => {
+    setSelectedEnvIds((prev) => {
+      const next = new Set(prev)
+      if (next.has(envId)) next.delete(envId)
+      else next.add(envId)
+      return next
+    })
+  }
+
+  const toggleAllEnvs = () => {
+    setSelectedEnvIds((prev) => {
+      const allSelected = envIds.every((id) => prev.has(id))
+      return allSelected ? new Set() : new Set(envIds)
+    })
+  }
+
+  const handleSubmit = async () => {
+    if (!selectedTeamId || selectedEnvIds.size === 0) return
+    try {
+      await addTeamApps({
+        variables: {
+          teamId: selectedTeamId,
+          appEnvs: [
+            {
+              appId,
+              envIds: Array.from(selectedEnvIds),
+            },
+          ],
+        },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id },
+          },
+          {
+            query: GetApps,
+            variables: { organisationId: organisation!.id, appId },
+          },
+        ],
+      })
+      toast.success('Team added to app')
+      reset()
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  const reset = () => {
+    setSelectedTeamId(null)
+    setSelectedEnvIds(new Set())
+  }
+
+  const selectedTeam = availableTeams.find((t) => t.id === selectedTeamId)
+
+  return (
+    <GenericDialog
+      title="Add team to app"
+      buttonContent={
+        <>
+          <FaPlus /> Add Team
+        </>
+      }
+      buttonVariant="primary"
+      ref={dialogRef}
+      onClose={reset}
+    >
+      <div className="space-y-4 py-4">
+        {availableTeams.length === 0 ? (
+          <p className="text-sm text-neutral-500 text-center py-4">
+            No available teams. All teams already have access to this app, or no teams exist.
+          </p>
+        ) : (
+          <>
+            {/* Team Selection */}
+            <div className="space-y-2">
+              <label className="block text-neutral-500 text-xs">Select a team</label>
+              <div className="max-h-48 overflow-y-auto divide-y divide-zinc-500/20 border border-zinc-500/20 rounded-lg">
+                {availableTeams.map((team: TeamType) => (
+                  <div
+                    key={team.id}
+                    className={clsx(
+                      'flex items-center justify-between py-2.5 px-3 cursor-pointer transition',
+                      selectedTeamId === team.id
+                        ? 'bg-emerald-500/10'
+                        : 'hover:bg-zinc-100 dark:hover:bg-zinc-800'
+                    )}
+                    onClick={() => {
+                      setSelectedTeamId(team.id)
+                      // Auto-select all envs when a team is picked
+                      setSelectedEnvIds(new Set(envIds))
+                    }}
+                  >
+                    <div className="flex items-center gap-2">
+                      <FaUsers className="text-neutral-500 text-sm" />
+                      <div>
+                        <div className="text-sm font-medium">{team.name}</div>
+                        <div className="text-xs text-neutral-500">
+                          {team.memberCount} member{team.memberCount !== 1 ? 's' : ''}
+                        </div>
+                      </div>
+                    </div>
+                    <div
+                      className={clsx(
+                        'w-5 h-5 rounded-full border flex items-center justify-center transition',
+                        selectedTeamId === team.id
+                          ? 'bg-emerald-500 border-emerald-500 text-white'
+                          : 'border-neutral-500/40'
+                      )}
+                    >
+                      {selectedTeamId === team.id && <FaCheck className="text-xs" />}
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+
+            {/* Environment Selection */}
+            {selectedTeam && (
+              <Disclosure defaultOpen>
+                {({ open }) => (
+                  <div className="border border-zinc-500/20 rounded-lg overflow-hidden">
+                    <Disclosure.Button className="w-full flex items-center justify-between p-3 hover:bg-zinc-100 dark:hover:bg-zinc-800">
+                      <span className="text-sm font-medium">
+                        Environment access
+                        {selectedEnvIds.size > 0 && (
+                          <span className="text-2xs ml-2 px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
+                            {selectedEnvIds.size} selected
+                          </span>
+                        )}
+                      </span>
+                      <FaChevronDown
+                        className={clsx(
+                          'text-neutral-500 transition-transform',
+                          open && 'rotate-180'
+                        )}
+                      />
+                    </Disclosure.Button>
+                    <Disclosure.Panel className="p-3 border-t border-zinc-500/20">
+                      <div className="space-y-1">
+                        <div
+                          className="flex items-center gap-2 p-1.5 cursor-pointer text-sm text-neutral-500 hover:text-zinc-900 dark:hover:text-zinc-100"
+                          onClick={toggleAllEnvs}
+                        >
+                          <div
+                            className={clsx(
+                              'w-4 h-4 rounded border flex items-center justify-center transition',
+                              envIds.every((id) => selectedEnvIds.has(id))
+                                ? 'bg-emerald-500 border-emerald-500 text-white'
+                                : 'border-neutral-500/40'
+                            )}
+                          >
+                            {envIds.every((id) => selectedEnvIds.has(id)) && (
+                              <FaCheck className="text-2xs" />
+                            )}
+                          </div>
+                          Select all environments
+                        </div>
+                        {appEnvironments.map((env) => (
+                          <div
+                            key={env.id}
+                            className="flex items-center gap-2 p-1.5 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 rounded"
+                            onClick={() => toggleEnv(env.id)}
+                          >
+                            <div
+                              className={clsx(
+                                'w-4 h-4 rounded border flex items-center justify-center transition',
+                                selectedEnvIds.has(env.id)
+                                  ? 'bg-emerald-500 border-emerald-500 text-white'
+                                  : 'border-neutral-500/40'
+                              )}
+                            >
+                              {selectedEnvIds.has(env.id) && (
+                                <FaCheck className="text-2xs" />
+                              )}
+                            </div>
+                            <span className="text-sm">{env.name}</span>
+                            <span className="text-2xs text-neutral-500 uppercase">
+                              {env.envType}
+                            </span>
+                          </div>
+                        ))}
+                      </div>
+                    </Disclosure.Panel>
+                  </div>
+                )}
+              </Disclosure>
+            )}
+          </>
+        )}
+
+        <div className="flex justify-end items-center">
+          <Button
+            variant="primary"
+            onClick={handleSubmit}
+            isLoading={loading}
+            disabled={!selectedTeamId || selectedEnvIds.size === 0}
+          >
+            Add Team
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx b/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx
new file mode 100644
index 000000000..0ba6ab696
--- /dev/null
+++ b/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx
@@ -0,0 +1,193 @@
+'use client'
+
+import { EnvironmentType, TeamAppEnvironmentType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { GetApps } from '@/graphql/queries/getApps.gql'
+import { UpdateTeamAppEnvironmentsOp } from '@/graphql/mutations/teams/updateTeamAppEnvironments.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useEffect, useMemo, useRef, useState } from 'react'
+import { FaCog } from 'react-icons/fa'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+
+export const ManageTeamEnvsDialog = ({
+  teamId,
+  teamName,
+  appId,
+  appEnvironments,
+  teamEnvs,
+}: {
+  teamId: string
+  teamName: string
+  appId: string
+  appEnvironments: EnvironmentType[]
+  teamEnvs: TeamAppEnvironmentType[]
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const [updateEnvs, { loading }] = useMutation(UpdateTeamAppEnvironmentsOp)
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const initialIds = useMemo(
+    () => new Set(teamEnvs.filter((tae) => tae.environment).map((tae) => tae.environment!.id)),
+    [teamEnvs]
+  )
+
+  const [selectedIds, setSelectedIds] = useState<Set<string>>(new Set(initialIds))
+
+  useEffect(() => {
+    setSelectedIds(new Set(initialIds))
+  }, [initialIds])
+
+  const scopeUpdated = useMemo(() => {
+    if (selectedIds.size !== initialIds.size) return true
+    for (const id of selectedIds) {
+      if (!initialIds.has(id)) return true
+    }
+    return false
+  }, [selectedIds, initialIds])
+
+  const allEnvIds = appEnvironments.map((e) => e.id)
+  const allSelected = allEnvIds.length > 0 && allEnvIds.every((id) => selectedIds.has(id))
+
+  const toggleEnv = (envId: string) => {
+    setSelectedIds((prev) => {
+      const next = new Set(prev)
+      if (next.has(envId)) next.delete(envId)
+      else next.add(envId)
+      return next
+    })
+  }
+
+  const toggleAll = () => {
+    if (allSelected) {
+      setSelectedIds(new Set())
+    } else {
+      setSelectedIds(new Set(allEnvIds))
+    }
+  }
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    if (selectedIds.size === 0) return
+    try {
+      await updateEnvs({
+        variables: {
+          teamId,
+          appId,
+          envIds: Array.from(selectedIds),
+        },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id },
+          },
+          {
+            query: GetApps,
+            variables: { organisationId: organisation!.id, appId },
+          },
+        ],
+      })
+      toast.success(`Updated environment access for ${teamName}`)
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  const handleClose = () => {
+    setSelectedIds(new Set(initialIds))
+  }
+
+  const handleCancel = () => {
+    if (scopeUpdated) {
+      setSelectedIds(new Set(initialIds))
+    } else {
+      dialogRef.current?.closeModal()
+    }
+  }
+
+  const scopeLabel = appEnvironments
+    .filter((e) => initialIds.has(e.id))
+    .map((e) => e.name)
+    .join(' + ')
+
+  return (
+    <div className="flex items-center gap-4">
+      <span className="text-zinc-900 dark:text-zinc-100 text-2xs font-medium">
+        {scopeLabel || 'None'}
+      </span>
+      <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center gap-2">
+        <GenericDialog
+          ref={dialogRef}
+          title={`Manage environment access for ${teamName}`}
+          buttonVariant="secondary"
+          buttonContent={
+            <>
+              <FaCog /> Manage
+            </>
+          }
+          onClose={handleClose}
+        >
+          <form className="space-y-6 pt-4" onSubmit={handleSubmit}>
+            <div>
+              <label className="block text-2xs font-medium text-gray-500 uppercase tracking-wider mb-2">
+                Environment scope <span className="text-red-500">*</span>
+              </label>
+              {selectedIds.size === 0 && (
+                <p className="text-red-500 text-xs mb-2">Select at least one environment</p>
+              )}
+              <div
+                className="flex items-center justify-between py-2 cursor-pointer"
+                onClick={toggleAll}
+              >
+                <span className="text-2xs text-neutral-500">All environments</span>
+                <ToggleSwitch size="sm" value={allSelected} onToggle={toggleAll} />
+              </div>
+              <div className="flex flex-wrap gap-1.5">
+                {appEnvironments.map((env) => {
+                  const isSelected = selectedIds.has(env.id)
+                  return (
+                    <div
+                      key={env.id}
+                      className={clsx(
+                        'flex items-center gap-1.5 py-1 px-2 cursor-pointer rounded-full border transition',
+                        isSelected
+                          ? 'border-emerald-500/40 bg-emerald-500/10'
+                          : 'border-zinc-500/20 hover:border-zinc-500/40'
+                      )}
+                      onClick={() => toggleEnv(env.id)}
+                    >
+                      <span className="text-2xs text-zinc-900 dark:text-zinc-100">{env.name}</span>
+                      <ToggleSwitch
+                        size="sm"
+                        value={isSelected}
+                        onToggle={() => toggleEnv(env.id)}
+                      />
+                    </div>
+                  )
+                })}
+              </div>
+            </div>
+            <div className="flex items-center gap-4 justify-between">
+              <Button variant="secondary" type="button" onClick={handleCancel}>
+                Cancel
+              </Button>
+              <Button
+                variant="primary"
+                type="submit"
+                isLoading={loading}
+                disabled={selectedIds.size === 0 || !scopeUpdated}
+              >
+                Save
+              </Button>
+            </div>
+          </form>
+        </GenericDialog>
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/app/[team]/apps/[app]/access/teams/_components/RemoveTeamFromAppDialog.tsx b/frontend/app/[team]/apps/[app]/access/teams/_components/RemoveTeamFromAppDialog.tsx
new file mode 100644
index 000000000..1fc5b5897
--- /dev/null
+++ b/frontend/app/[team]/apps/[app]/access/teams/_components/RemoveTeamFromAppDialog.tsx
@@ -0,0 +1,70 @@
+'use client'
+
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { GetApps } from '@/graphql/queries/getApps.gql'
+import { RemoveTeamAppOp } from '@/graphql/mutations/teams/removeTeamApp.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef } from 'react'
+import { FaTrashAlt } from 'react-icons/fa'
+import { toast } from 'react-toastify'
+
+export const RemoveTeamFromAppDialog = ({
+  teamId,
+  teamName,
+  appId,
+}: {
+  teamId: string
+  teamName: string
+  appId: string
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const [removeApp, { loading }] = useMutation(RemoveTeamAppOp)
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const handleRemove = async () => {
+    try {
+      await removeApp({
+        variables: { teamId, appId },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id },
+          },
+          {
+            query: GetApps,
+            variables: { organisationId: organisation!.id, appId },
+          },
+        ],
+      })
+      toast.success(`Removed ${teamName} from app`)
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title={`Remove ${teamName}?`}
+      buttonContent={<><FaTrashAlt /> Remove from app</>}
+      buttonVariant="danger"
+      ref={dialogRef}
+    >
+      <div className="space-y-4 pt-4">
+        <p className="text-sm text-neutral-500">
+          This will remove team <strong className="text-zinc-900 dark:text-zinc-100">{teamName}</strong> from
+          this app. Team members will lose access to environments granted through this team unless
+          they have individual access, or access through any other teams.
+        </p>
+        <div className="flex justify-end gap-2">
+          <Button variant="danger" onClick={handleRemove} isLoading={loading}>
+            Remove Team
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/apps/[app]/access/teams/page.tsx b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
new file mode 100644
index 000000000..8423f2a53
--- /dev/null
+++ b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
@@ -0,0 +1,270 @@
+'use client'
+
+import { AppType, EnvironmentType, TeamAppEnvironmentType, TeamType } from '@/apollo/graphql'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { GetApps } from '@/graphql/queries/getApps.gql'
+import { useQuery } from '@apollo/client'
+import { useContext } from 'react'
+import { FaBan, FaExclamationTriangle, FaUsers } from 'react-icons/fa'
+import { userHasPermission } from '@/utils/access/permissions'
+import { EmptyState } from '@/components/common/EmptyState'
+import Spinner from '@/components/common/Spinner'
+import { Avatar } from '@/components/common/Avatar'
+import { RoleLabel } from '@/components/users/RoleLabel'
+import { AddTeamToAppDialog } from './_components/AddTeamToAppDialog'
+import { RemoveTeamFromAppDialog } from './_components/RemoveTeamFromAppDialog'
+import { ManageTeamEnvsDialog } from './_components/ManageTeamEnvsDialog'
+import Link from 'next/link'
+import clsx from 'clsx'
+
+export default function AppTeams({ params }: { params: { team: string; app: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
+  const userCanUpdateTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'update')
+    : false
+
+  const { data: teamsData, loading: teamsLoading } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+    pollInterval: 10000,
+  })
+
+  const { data: appsData, loading: appsLoading } = useQuery(GetApps, {
+    variables: { organisationId: organisation?.id, appId: params.app },
+    skip: !organisation,
+  })
+
+  const app: AppType | null = appsData?.apps?.[0] || null
+  const loading = teamsLoading || appsLoading
+
+  // Teams that have access to this app
+  const teamsWithAccess: TeamType[] =
+    teamsData?.teams?.filter((team: TeamType) =>
+      team.apps?.some((a) => a!.id === params.app)
+    ) || []
+
+  if (!organisation || loading)
+    return (
+      <div className="h-full max-h-screen overflow-y-auto w-full flex items-center justify-center">
+        <Spinner size="md" />
+      </div>
+    )
+
+  if (!userCanReadTeams)
+    return (
+      <EmptyState
+        title="Access restricted"
+        subtitle="You don't have the permissions required to view Teams."
+        graphic={
+          <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+            <FaBan />
+          </div>
+        }
+      >
+        <></>
+      </EmptyState>
+    )
+
+  const appEnvironments: EnvironmentType[] =
+    app?.environments?.filter(Boolean).map((e) => e as EnvironmentType) || []
+
+  return (
+    <div className="w-full space-y-6 text-black dark:text-white">
+      <div className="px-4">
+        <h2 className="text-lg font-bold">Teams</h2>
+        <div className="text-neutral-500">Manage team-based access to this App</div>
+      </div>
+
+      {!app?.sseEnabled && (
+        <div className="mx-4 flex items-start gap-2 rounded-lg border border-amber-500/30 bg-amber-500/10 p-3 text-sm text-amber-600 dark:text-amber-400">
+          <FaExclamationTriangle className="mt-0.5 shrink-0" />
+          <div>
+            <div className="font-medium">Server-side encryption required</div>
+            <p className="text-xs mt-0.5 opacity-80">
+              Team-based access requires SSE to be enabled on this app. Enable SSE in app settings
+              to use team access.
+            </p>
+          </div>
+        </div>
+      )}
+
+      <div className="space-y-4">
+        {userCanUpdateTeams && app?.sseEnabled && (
+          <div className="flex justify-end px-4">
+            <AddTeamToAppDialog appId={params.app} appEnvironments={appEnvironments} />
+          </div>
+        )}
+
+        {teamsWithAccess.length > 0 ? (
+          <table className="table-auto min-w-full divide-y divide-zinc-500/40">
+            <thead>
+              <tr>
+                <th className="px-6 py-2 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                  Team
+                </th>
+                <th className="px-6 py-2 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                  Environment Access
+                </th>
+                {userCanUpdateTeams && <th className="px-6 py-2"></th>}
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-neutral-500/20">
+              {teamsWithAccess.map((team: TeamType) => {
+                const teamEnvs =
+                  team.appEnvironments?.filter(
+                    (tae: TeamAppEnvironmentType | null) => tae?.app?.id === params.app
+                  ) || []
+
+                const orgMembers = team.members?.filter((m) => m.orgMember) || []
+                const sas = team.members?.filter((m) => m.serviceAccount) || []
+                const surplusMemberCount = orgMembers.length > 5 ? orgMembers.length - 5 : 0
+                const surplusSaCount = sas.length > 3 ? sas.length - 3 : 0
+
+                return (
+                  <tr key={team.id} className="group">
+                    <td className="px-6 py-2">
+                      <Link
+                        href={`/${params.team}/access/teams/${team.id}`}
+                        className="hover:underline"
+                      >
+                        <div className="space-y-2">
+                          <div>
+                            <div className="text-sm font-medium">{team.name}</div>
+                            {team.description && (
+                              <div className="text-2xs text-neutral-500 truncate max-w-xs">
+                                {team.description}
+                              </div>
+                            )}
+                          </div>
+                          <div className="space-y-1.5">
+                            {orgMembers.length > 0 && (
+                              <div className="flex items-center justify-between gap-3">
+                                <div className="flex items-center gap-1.5">
+                                  <div className="flex items-center">
+                                    {orgMembers.slice(0, 5).map((m, i) => (
+                                      <div
+                                        key={m.id}
+                                        className={clsx('rounded-full', i !== 0 && '-ml-2')}
+                                        style={{ zIndex: i }}
+                                      >
+                                        <Avatar
+                                          user={{
+                                            name: m.fullName,
+                                            email: m.email,
+                                            image: m.avatarUrl,
+                                          }}
+                                          size="xs"
+                                          showTitle={false}
+                                        />
+                                      </div>
+                                    ))}
+                                    {surplusMemberCount > 0 && (
+                                      <span className="text-neutral-500 text-xs ml-1">
+                                        +{surplusMemberCount}
+                                      </span>
+                                    )}
+                                  </div>
+                                  <span className="text-2xs text-neutral-500">
+                                    {orgMembers.length} member
+                                    {orgMembers.length !== 1 ? 's' : ''}
+                                  </span>
+                                </div>
+                                {team.memberRole && (
+                                  <RoleLabel role={team.memberRole} size="xs" />
+                                )}
+                              </div>
+                            )}
+                            {sas.length > 0 && (
+                              <div className="flex items-center justify-between gap-3">
+                                <div className="flex items-center gap-1.5">
+                                  <div className="flex items-center">
+                                    {sas.slice(0, 3).map((m, i) => (
+                                      <div
+                                        key={m.id}
+                                        className={clsx('rounded-full', i !== 0 && '-ml-2')}
+                                        style={{ zIndex: i }}
+                                      >
+                                        <Avatar
+                                          serviceAccount={m.serviceAccount!}
+                                          size="xs"
+                                          showTitle={false}
+                                        />
+                                      </div>
+                                    ))}
+                                    {surplusSaCount > 0 && (
+                                      <span className="text-neutral-500 text-xs ml-1">
+                                        +{surplusSaCount}
+                                      </span>
+                                    )}
+                                  </div>
+                                  <span className="text-2xs text-neutral-500">
+                                    {sas.length} Service Account
+                                    {sas.length !== 1 ? 's' : ''}
+                                  </span>
+                                </div>
+                                {team.serviceAccountRole && (
+                                  <RoleLabel role={team.serviceAccountRole} size="xs" />
+                                )}
+                              </div>
+                            )}
+                            {orgMembers.length === 0 && sas.length === 0 && (
+                              <span className="text-2xs text-neutral-500">No members</span>
+                            )}
+                          </div>
+                        </div>
+                      </Link>
+                    </td>
+                    <td className="px-6 py-2">
+                      <ManageTeamEnvsDialog
+                        teamId={team.id}
+                        teamName={team.name}
+                        appId={params.app}
+                        appEnvironments={appEnvironments}
+                        teamEnvs={teamEnvs as TeamAppEnvironmentType[]}
+                      />
+                    </td>
+                    {userCanUpdateTeams && (
+                      <td className="px-6 py-2">
+                        <div className="flex items-center justify-end opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
+                          <RemoveTeamFromAppDialog
+                            teamId={team.id}
+                            teamName={team.name}
+                            appId={params.app}
+                          />
+                        </div>
+                      </td>
+                    )}
+                  </tr>
+                )
+              })}
+            </tbody>
+          </table>
+        ) : (
+          <EmptyState
+            title="No teams"
+            subtitle={
+              app?.sseEnabled
+                ? 'Add a team to grant its members access to this app.'
+                : 'Enable SSE to use team-based access for this app.'
+            }
+            graphic={
+              <div className="text-neutral-300 dark:text-neutral-700 text-5xl text-center">
+                <FaUsers />
+              </div>
+            }
+          >
+            {userCanUpdateTeams && app?.sseEnabled && (
+              <AddTeamToAppDialog appId={params.app} appEnvironments={appEnvironments} />
+            )}
+          </EmptyState>
+        )}
+      </div>
+    </div>
+  )
+}

From a7862633c973bd4c320d89a2403c7dd25d2351fe Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:47 +0530
Subject: [PATCH 009/118] feat: add Teams tab to org and app access layouts

---
 frontend/app/[team]/access/layout.tsx            | 4 ++++
 frontend/app/[team]/apps/[app]/access/layout.tsx | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/frontend/app/[team]/access/layout.tsx b/frontend/app/[team]/access/layout.tsx
index 8d52ca9a6..3a3d077fb 100644
--- a/frontend/app/[team]/access/layout.tsx
+++ b/frontend/app/[team]/access/layout.tsx
@@ -27,6 +27,10 @@ export default function AccessLayout({
         name: 'Service Accounts',
         link: 'service-accounts',
       },
+      {
+        name: 'Teams',
+        link: 'teams',
+      },
       {
         name: 'Roles',
         link: 'roles',
diff --git a/frontend/app/[team]/apps/[app]/access/layout.tsx b/frontend/app/[team]/apps/[app]/access/layout.tsx
index 48a496b49..ec4732c9f 100644
--- a/frontend/app/[team]/apps/[app]/access/layout.tsx
+++ b/frontend/app/[team]/apps/[app]/access/layout.tsx
@@ -27,6 +27,10 @@ export default function AccessLayout({
         name: 'Service Accounts',
         link: 'service-accounts',
       },
+      {
+        name: 'Teams',
+        link: 'teams',
+      },
       {
         name: 'Service Tokens',
         link: 'tokens',

From 80ad661c1dc4cc6f123c56c54a5182660ea956fa Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:53 +0530
Subject: [PATCH 010/118] feat: show team labels, team alerts on dialogs, and
 team sections on member/SA detail pages

---
 .../[team]/access/members/[memberId]/page.tsx | 79 ++++++++++++++++++-
 .../service-accounts/[account]/page.tsx       | 79 ++++++++++++++++++-
 .../_components/ManageUserAccessDialog.tsx    | 17 ++++
 .../_components/RemoveMemberDialog.tsx        | 18 +++++
 .../[team]/apps/[app]/access/members/page.tsx | 50 ++++++++++--
 .../_components/ManageAccountAccessDialog.tsx | 17 ++++
 .../_components/RemoveAccountDialog.tsx       | 19 ++++-
 .../[app]/access/service-accounts/page.tsx    | 50 ++++++++++--
 8 files changed, 314 insertions(+), 15 deletions(-)

diff --git a/frontend/app/[team]/access/members/[memberId]/page.tsx b/frontend/app/[team]/access/members/[memberId]/page.tsx
index e6c0aa7ac..b17adcfb9 100644
--- a/frontend/app/[team]/access/members/[memberId]/page.tsx
+++ b/frontend/app/[team]/access/members/[memberId]/page.tsx
@@ -3,14 +3,16 @@
 import Spinner from '@/components/common/Spinner'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetOrganisationMemberDetail } from '@/graphql/queries/users/getOrganisationMemberDetail.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { userHasPermission } from '@/utils/access/permissions'
 import { useQuery } from '@apollo/client'
 import Link from 'next/link'
-import { useContext } from 'react'
+import { useContext, useMemo } from 'react'
 import { FaBan, FaChevronLeft, FaClock, FaCog, FaKey, FaNetworkWired } from 'react-icons/fa'
 import { Avatar } from '@/components/common/Avatar'
 import { EmptyState } from '@/components/common/EmptyState'
-import { OrganisationMemberType, UserTokenType, AppMembershipType } from '@/apollo/graphql'
+import { OrganisationMemberType, UserTokenType, AppMembershipType, TeamType } from '@/apollo/graphql'
+import { RoleLabel } from '@/components/users/RoleLabel'
 import { DeleteMemberConfirmDialog } from '../_components/DeleteMemberConfirmDialog'
 import { RoleSelector } from '../_components/RoleSelector'
 import { relativeTimeFromDates } from '@/utils/time'
@@ -59,6 +61,10 @@ export default function MemberDetail({ params }: { params: { team: string; membe
     ? userHasPermission(organisation.role!.permissions, 'MemberPersonalAccessTokens', 'delete')
     : false
 
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
   const { data, loading, error } = useQuery(GetOrganisationMemberDetail, {
     variables: {
       organisationId: organisation?.id,
@@ -68,8 +74,20 @@ export default function MemberDetail({ params }: { params: { team: string; membe
     fetchPolicy: 'cache-and-network',
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+  })
+
   const member: OrganisationMemberType | undefined = data?.organisationMembers[0]
 
+  const memberTeams = useMemo(() => {
+    if (!teamsData?.teams || !member) return []
+    return (teamsData.teams as TeamType[]).filter((team) =>
+      team.members?.some((m) => m.orgMember?.id === member.id)
+    )
+  }, [teamsData, member])
+
   if (loading || !organisation) {
     return (
       <div className="flex justify-center items-center h-full w-full">
@@ -201,6 +219,63 @@ export default function MemberDetail({ params }: { params: { team: string; membe
           </div>
         </div>
 
+        {userCanReadTeams && (
+          <div className="pt-4 space-y-3 border-t border-neutral-500/40">
+            <div>
+              <div className="text-base font-medium">Teams</div>
+              <div className="text-neutral-500 text-sm">
+                Teams this member belongs to
+              </div>
+            </div>
+
+            <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
+              {memberTeams.length > 0 ? (
+                memberTeams.map((team) => (
+                  <div
+                    key={team.id}
+                    className="flex items-center justify-between py-1.5 px-2 group"
+                  >
+                    <div className="space-y-0.5">
+                      <div className="flex items-center gap-2">
+                        <Link
+                          href={`/${params.team}/access/teams/${team.id}`}
+                          className="font-medium text-sm text-zinc-900 dark:text-zinc-100 hover:underline"
+                        >
+                          {team.name}
+                        </Link>
+                        {team.memberRole && <RoleLabel role={team.memberRole} size="xs" />}
+                      </div>
+                      {team.description && (
+                        <div className="text-2xs text-neutral-500 truncate max-w-md">
+                          {team.description}
+                        </div>
+                      )}
+                      <div className="text-2xs text-neutral-500">
+                        {team.apps?.length || 0} app{team.apps?.length !== 1 ? 's' : ''}
+                        {team.apps && team.apps.length > 0 && (
+                          <> ({team.apps.map((a) => a!.name).join(', ')})</>
+                        )}
+                      </div>
+                    </div>
+                    <Link
+                      className="opacity-0 group-hover:opacity-100 transition ease"
+                      href={`/${params.team}/access/teams/${team.id}`}
+                    >
+                      <Button variant="secondary" icon={FaCog}>
+                        Manage
+                      </Button>
+                    </Link>
+                  </div>
+                ))
+              ) : (
+                <div className="py-8 text-center text-neutral-500">
+                  This member is not part of any teams.
+                </div>
+              )}
+            </div>
+          </div>
+        )}
+
         {userCanReadAppMemberships && (
           <div className="pt-4 space-y-3 border-t border-neutral-500/40">
             <div className="flex items-center justify-between">
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index b04ebc980..1e3c857b7 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -4,18 +4,20 @@ import Spinner from '@/components/common/Spinner'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetServiceAccountDetail } from '@/graphql/queries/service-accounts/getServiceAccountDetail.gql'
 import { UpdateServiceAccountOp } from '@/graphql/mutations/service-accounts/updateServiceAccount.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { userHasPermission } from '@/utils/access/permissions'
 import { useMutation, useQuery } from '@apollo/client'
 import Link from 'next/link'
-import { useContext, useEffect, useState } from 'react'
+import { useContext, useEffect, useMemo, useState } from 'react'
 import { FaBan, FaBoxOpen, FaChevronLeft, FaCog, FaEdit, FaNetworkWired } from 'react-icons/fa'
 import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
 import { DeleteServiceAccountDialog } from '../_components/DeleteServiceAccountDialog'
 import { AddAppButton } from './_components/AddAppsToServiceAccountsButton'
-import { ServiceAccountType } from '@/apollo/graphql'
+import { ServiceAccountType, TeamType } from '@/apollo/graphql'
 import { Avatar } from '@/components/common/Avatar'
 import { EmptyState } from '@/components/common/EmptyState'
 import { ServiceAccountRoleSelector } from '../_components/RoleSelector'
+import { RoleLabel } from '@/components/users/RoleLabel'
 import { Button } from '@/components/common/Button'
 import { toast } from 'react-toastify'
 import CopyButton from '@/components/common/CopyButton'
@@ -51,16 +53,32 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'delete')
     : false
 
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
   const { data, loading } = useQuery(GetServiceAccountDetail, {
     variables: { orgId: organisation?.id, id: params.account },
     skip: !organisation || !userCanReadSA,
     fetchPolicy: 'cache-and-network',
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+  })
+
   const [updateAccount] = useMutation(UpdateServiceAccountOp)
 
   const account: ServiceAccountType = data?.serviceAccounts[0]
 
+  const accountTeams = useMemo(() => {
+    if (!teamsData?.teams || !account) return []
+    return (teamsData.teams as TeamType[]).filter((team) =>
+      team.members?.some((m) => m.serviceAccount?.id === account.id)
+    )
+  }, [teamsData, account])
+
   const nameUpdated = account ? account.name !== name : false
 
   const updateName = async () => {
@@ -215,6 +233,63 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           </div>
         </div>
 
+        {userCanReadTeams && (
+          <div className="py-4 space-y-3">
+            <div>
+              <div className="text-base font-medium">Teams</div>
+              <div className="text-neutral-500 text-sm">
+                Teams this account belongs to
+              </div>
+            </div>
+
+            <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
+              {accountTeams.length > 0 ? (
+                accountTeams.map((team) => (
+                  <div
+                    key={team.id}
+                    className="flex items-center justify-between py-1.5 px-2 group"
+                  >
+                    <div className="space-y-0.5">
+                      <div className="flex items-center gap-2">
+                        <Link
+                          href={`/${params.team}/access/teams/${team.id}`}
+                          className="font-medium text-sm text-zinc-900 dark:text-zinc-100 hover:underline"
+                        >
+                          {team.name}
+                        </Link>
+                        {team.serviceAccountRole && <RoleLabel role={team.serviceAccountRole} size="xs" />}
+                      </div>
+                      {team.description && (
+                        <div className="text-2xs text-neutral-500 truncate max-w-md">
+                          {team.description}
+                        </div>
+                      )}
+                      <div className="text-2xs text-neutral-500">
+                        {team.apps?.length || 0} app{team.apps?.length !== 1 ? 's' : ''}
+                        {team.apps && team.apps.length > 0 && (
+                          <> ({team.apps.map((a) => a!.name).join(', ')})</>
+                        )}
+                      </div>
+                    </div>
+                    <Link
+                      className="opacity-0 group-hover:opacity-100 transition ease"
+                      href={`/${params.team}/access/teams/${team.id}`}
+                    >
+                      <Button variant="secondary" icon={FaCog}>
+                        Manage
+                      </Button>
+                    </Link>
+                  </div>
+                ))
+              ) : (
+                <div className="py-8 text-center text-neutral-500">
+                  This account is not part of any teams.
+                </div>
+              )}
+            </div>
+          </div>
+        )}
+
         <div className="py-4">
           <div className="flex items-center justify-between">
             <div>
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
index f86fd57d2..8b09868ca 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
@@ -23,9 +23,11 @@ import { useSearchParams } from 'next/navigation'
 export const ManageUserAccessDialog = ({
   member,
   appId,
+  teams,
 }: {
   member: OrganisationMemberType
   appId: string
+  teams?: { id: string; name: string }[]
 }) => {
   const { keyring } = useContext(KeyringContext)
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -207,6 +209,21 @@ export const ManageUserAccessDialog = ({
                 </p>
               </Alert>
             )}
+            {teams && teams.length > 0 && (
+              <Alert variant="info" icon={true} size="sm">
+                <p>
+                  This user also has access to this app via the{' '}
+                  {teams.map((t) => (
+                    <strong key={t.id}>{t.name}</strong>
+                  )).reduce<React.ReactNode[]>((acc, el, i) => {
+                    if (i === 0) return [el]
+                    if (i === teams.length - 1) return [...acc, ' and ', el]
+                    return [...acc, ', ', el]
+                  }, [])}{' '}
+                  {teams.length === 1 ? 'team' : 'teams'}.
+                </p>
+              </Alert>
+            )}
             <div className="w-full relative">
               {scope.length === 0 && showEnvHint && (
                 <span className="absolute right-2 inset-y-0 text-red-500 text-xs">
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/RemoveMemberDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/RemoveMemberDialog.tsx
index 810508699..81eed818a 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/RemoveMemberDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/RemoveMemberDialog.tsx
@@ -11,13 +11,16 @@ import { toast } from 'react-toastify'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Avatar } from '@/components/common/Avatar'
 import { userHasGlobalAccess } from '@/utils/access/permissions'
+import { Alert } from '@/components/common/Alert'
 
 export const RemoveMemberConfirmDialog = ({
   appId,
   member,
+  teams,
 }: {
   appId: string
   member: OrganisationMemberType
+  teams?: { id: string; name: string }[]
 }) => {
   const [removeMember] = useMutation(RemoveMemberFromApp)
 
@@ -66,6 +69,21 @@ export const RemoveMemberConfirmDialog = ({
             </div>{' '}
             from this App?
           </p>
+          {teams && teams.length > 0 && (
+            <Alert variant="info" icon={true} size="sm">
+              <p>
+                This user will retain access to this app via the{' '}
+                {teams.map((t) => (
+                  <strong key={t.id}>{t.name}</strong>
+                )).reduce<React.ReactNode[]>((acc, el, i) => {
+                  if (i === 0) return [el]
+                  if (i === teams.length - 1) return [...acc, ' and ', el]
+                  return [...acc, ', ', el]
+                }, [])}{' '}
+                {teams.length === 1 ? 'team' : 'teams'}.
+              </p>
+            </Alert>
+          )}
           <div className="flex items-center justify-between gap-4">
             <Button variant="secondary" type="button" onClick={closeModal}>
               Cancel
diff --git a/frontend/app/[team]/apps/[app]/access/members/page.tsx b/frontend/app/[team]/apps/[app]/access/members/page.tsx
index 9f4491491..de1f8d5c9 100644
--- a/frontend/app/[team]/apps/[app]/access/members/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/page.tsx
@@ -1,15 +1,17 @@
 'use client'
 
 import GetAppMembers from '@/graphql/queries/apps/getAppMembers.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { useQuery } from '@apollo/client'
-import { useContext, useState } from 'react'
-import { OrganisationMemberType } from '@/apollo/graphql'
+import { useContext, useMemo, useState } from 'react'
+import { OrganisationMemberType, TeamType } from '@/apollo/graphql'
 import { organisationContext } from '@/contexts/organisationContext'
 import { FaBan, FaSearch, FaTimesCircle } from 'react-icons/fa'
 import { useSession } from '@/contexts/userContext'
 import { Avatar } from '@/components/common/Avatar'
 import { userHasPermission } from '@/utils/access/permissions'
 import { RoleLabel } from '@/components/users/RoleLabel'
+import { TeamLabel } from '@/components/teams/TeamLabel'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { AddMemberDialog } from './_components/AddMemberDialog'
@@ -37,13 +39,39 @@ export default function Members({ params }: { params: { team: string; app: strin
     ? userHasPermission(organisation?.role?.permissions, 'Members', 'delete', true)
     : false
 
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
   const { data, loading } = useQuery(GetAppMembers, {
     variables: { appId: params.app },
     skip: !userCanReadAppMembers,
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+  })
+
   const { data: session } = useSession()
 
+  // Map member ID → teams that grant access to this app
+  const memberTeamsMap = useMemo(() => {
+    const map = new Map<string, { id: string; name: string }[]>()
+    if (!teamsData?.teams) return map
+    for (const team of teamsData.teams as TeamType[]) {
+      const hasApp = team.apps?.some((a) => a!.id === params.app)
+      if (!hasApp) continue
+      for (const m of team.members || []) {
+        if (!m.orgMember) continue
+        const list = map.get(m.orgMember.id) || []
+        list.push({ id: team.id, name: team.name })
+        map.set(m.orgMember.id, list)
+      }
+    }
+    return map
+  }, [teamsData, params.app])
+
   const filteredMembers = data?.appUsers
     ? searchQuery !== ''
       ? data?.appUsers.filter(
@@ -115,7 +143,7 @@ export default function Members({ params }: { params: { team: string; app: strin
                 <tr className="group" key={member.id}>
                   <td className="px-6 py-2 whitespace-nowrap flex items-center gap-2">
                     <Avatar member={member} size="md" />
-                    <div className="flex flex-col">
+                    <div className="flex flex-col gap-1">
                       <div className="flex items-center gap-2">
                         <span className="font-medium text-sm">
                           {member.fullName || member.email}
@@ -125,11 +153,23 @@ export default function Members({ params }: { params: { team: string; app: strin
                       {member.fullName && (
                         <span className="text-neutral-500 text-2xs">{member.email}</span>
                       )}
+                      {memberTeamsMap.get(member.id) && (
+                        <div className="flex items-center gap-1 flex-wrap">
+                          {memberTeamsMap.get(member.id)!.map((t) => (
+                            <TeamLabel
+                              key={t.id}
+                              teamId={t.id}
+                              teamName={t.name}
+                              orgSlug={params.team}
+                            />
+                          ))}
+                        </div>
+                      )}
                     </div>
                   </td>
 
                   <td className="px-6 py-2">
-                    <ManageUserAccessDialog appId={params.app} member={member} />
+                    <ManageUserAccessDialog appId={params.app} member={member} teams={memberTeamsMap.get(member.id)} />
                   </td>
 
                   {userCanRemoveAppMembers && (
@@ -137,7 +177,7 @@ export default function Members({ params }: { params: { team: string; app: strin
                       {member.email !== session?.user?.email &&
                         member.role!.name!.toLowerCase() !== 'owner' && (
                           <div className="flex items-center justify-end gap-2 opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
-                            <RemoveMemberConfirmDialog appId={params.app} member={member} />
+                            <RemoveMemberConfirmDialog appId={params.app} member={member} teams={memberTeamsMap.get(member.id)} />
                           </div>
                         )}
                     </td>
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
index 22985c394..be6b7c2a9 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
@@ -24,9 +24,11 @@ import { useSearchParams } from 'next/navigation'
 export const ManageAccountAccessDialog = ({
   account,
   appId,
+  teams,
 }: {
   account: ServiceAccountType
   appId: string
+  teams?: { id: string; name: string }[]
 }) => {
   const { keyring } = useContext(KeyringContext)
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -218,6 +220,21 @@ export const ManageAccountAccessDialog = ({
                   </p>
                 </Alert>
               )}
+              {teams && teams.length > 0 && (
+                <Alert variant="info" icon={true} size="sm">
+                  <p>
+                    This account also has access to this app via the{' '}
+                    {teams.map((t) => (
+                      <strong key={t.id}>{t.name}</strong>
+                    )).reduce<React.ReactNode[]>((acc, el, i) => {
+                      if (i === 0) return [el]
+                      if (i === teams.length - 1) return [...acc, ' and ', el]
+                      return [...acc, ', ', el]
+                    }, [])}{' '}
+                    {teams.length === 1 ? 'team' : 'teams'}.
+                  </p>
+                </Alert>
+              )}
 
               <div className="divide-y divide-neutral-500/20">
                 <div className="w-full relative pb-4">
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/RemoveAccountDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/RemoveAccountDialog.tsx
index a01520f4d..e17d4830d 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/RemoveAccountDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/RemoveAccountDialog.tsx
@@ -11,13 +11,16 @@ import { FaRobot, FaTrash } from 'react-icons/fa'
 import { toast } from 'react-toastify'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Avatar } from '@/components/common/Avatar'
+import { Alert } from '@/components/common/Alert'
 
 export const RemoveAccountConfirmDialog = ({
   account,
   appId,
+  teams,
 }: {
   account: ServiceAccountType
   appId: string
+  teams?: { id: string; name: string }[]
 }) => {
   const [removeMember] = useMutation(RemoveMemberFromApp)
 
@@ -63,7 +66,21 @@ export const RemoveAccountConfirmDialog = ({
             </div>{' '}
             from this App?
           </p>
-
+          {teams && teams.length > 0 && (
+            <Alert variant="info" icon={true} size="sm">
+              <p>
+                This account will retain access to this app via the{' '}
+                {teams.map((t) => (
+                  <strong key={t.id}>{t.name}</strong>
+                )).reduce<React.ReactNode[]>((acc, el, i) => {
+                  if (i === 0) return [el]
+                  if (i === teams.length - 1) return [...acc, ' and ', el]
+                  return [...acc, ', ', el]
+                }, [])}{' '}
+                {teams.length === 1 ? 'team' : 'teams'}.
+              </p>
+            </Alert>
+          )}
           <div className="flex items-center justify-between gap-4">
             <Button variant="secondary" type="button" onClick={closeModal}>
               Cancel
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx
index 3cefc2e2d..b8d6827f9 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx
@@ -1,13 +1,15 @@
 'use client'
 
 import { GetAppServiceAccounts } from '@/graphql/queries/apps/getAppServiceAccounts.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { useQuery } from '@apollo/client'
-import { useContext, useState } from 'react'
-import { ServiceAccountType } from '@/apollo/graphql'
+import { useContext, useMemo, useState } from 'react'
+import { ServiceAccountType, TeamType } from '@/apollo/graphql'
 import { organisationContext } from '@/contexts/organisationContext'
 import { FaBan, FaRobot, FaSearch, FaTimesCircle } from 'react-icons/fa'
 import { userHasPermission } from '@/utils/access/permissions'
 import { RoleLabel } from '@/components/users/RoleLabel'
+import { TeamLabel } from '@/components/teams/TeamLabel'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { AddAccountDialog } from './_components/AddAccountDialog'
@@ -36,11 +38,37 @@ export default function ServiceAccounts({ params }: { params: { team: string; ap
     ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'delete', true)
     : false
 
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
   const { data, loading } = useQuery(GetAppServiceAccounts, {
     variables: { appId: params.app },
     skip: !userCanReadAppSA,
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+  })
+
+  // Map SA ID → teams that grant access to this app
+  const saTeamsMap = useMemo(() => {
+    const map = new Map<string, { id: string; name: string }[]>()
+    if (!teamsData?.teams) return map
+    for (const team of teamsData.teams as TeamType[]) {
+      const hasApp = team.apps?.some((a) => a!.id === params.app)
+      if (!hasApp) continue
+      for (const m of team.members || []) {
+        if (!m.serviceAccount) continue
+        const list = map.get(m.serviceAccount.id) || []
+        list.push({ id: team.id, name: team.name })
+        map.set(m.serviceAccount.id, list)
+      }
+    }
+    return map
+  }, [teamsData, params.app])
+
   const filteredAccounts = data?.appServiceAccounts
     ? searchQuery !== ''
       ? data?.appServiceAccounts.filter((account: ServiceAccountType) =>
@@ -125,25 +153,37 @@ export default function ServiceAccounts({ params }: { params: { team: string; ap
                   <tr className="group" key={account.id}>
                     <td className="px-6 py-2 whitespace-nowrap flex items-center gap-2">
                       <Avatar serviceAccount={account} size="md" />
-                      <div className="flex flex-col">
+                      <div className="flex flex-col gap-1">
                         <div className="flex items-center gap-2">
                           <span className="font-medium text-sm">{account.name}</span>
                           <RoleLabel role={account.role!} />
                         </div>
                         <span className="text-neutral-500 text-2xs font-mono">{account.id}</span>
+                        {saTeamsMap.get(account.id) && (
+                          <div className="flex items-center gap-1 flex-wrap">
+                            {saTeamsMap.get(account.id)!.map((t) => (
+                              <TeamLabel
+                                key={t.id}
+                                teamId={t.id}
+                                teamName={t.name}
+                                orgSlug={params.team}
+                              />
+                            ))}
+                          </div>
+                        )}
                       </div>
                     </td>
 
                     <td className="px-6 py-2">
                       <div className="flex items-center gap-2 ">
-                        <ManageAccountAccessDialog appId={params.app} account={account} />
+                        <ManageAccountAccessDialog appId={params.app} account={account} teams={saTeamsMap.get(account.id)} />
                       </div>
                     </td>
 
                     {userCanRemoveAppSA && (
                       <td className="px-6 py-2">
                         <div className="flex items-center justify-end gap-2 opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
-                          <RemoveAccountConfirmDialog appId={params.app} account={account} />
+                          <RemoveAccountConfirmDialog appId={params.app} account={account} teams={saTeamsMap.get(account.id)} />
                         </div>
                       </td>
                     )}

From 082ac9aba162c568c5ac29020b1387faeb91d3c5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 15:26:57 +0530
Subject: [PATCH 011/118] feat: add TeamLabel pill component, RoleLabel xs
 size, and ToggleSwitch updates

---
 frontend/components/common/ToggleSwitch.tsx | 21 ++++++++++++++-------
 frontend/components/teams/TeamLabel.tsx     | 20 ++++++++++++++++++++
 frontend/components/users/RoleLabel.tsx     |  3 ++-
 3 files changed, 36 insertions(+), 8 deletions(-)
 create mode 100644 frontend/components/teams/TeamLabel.tsx

diff --git a/frontend/components/common/ToggleSwitch.tsx b/frontend/components/common/ToggleSwitch.tsx
index d3af53f21..786d1029e 100644
--- a/frontend/components/common/ToggleSwitch.tsx
+++ b/frontend/components/common/ToggleSwitch.tsx
@@ -6,8 +6,9 @@ export const ToggleSwitch = (props: {
   disabled?: boolean
   asBoolean?: boolean
   theme?: 'emerald' | 'red'
+  size?: 'sm' | 'md'
 }) => {
-  const { value, onToggle, disabled, asBoolean = true, theme = 'emerald' } = props
+  const { value, onToggle, disabled, asBoolean = true, theme = 'emerald', size = 'md' } = props
 
   const getThemeColors = (isActive: boolean) => {
     if (theme === 'red') {
@@ -33,26 +34,32 @@ export const ToggleSwitch = (props: {
           ? 'bg-neutral-500/40 ring-neutral-500/30'
           : 'bg-emerald-400/20 dark:bg-emerald-400/10 ring-emerald-400/20',
       toggle: isActive
-        ? 'translate-x-6 bg-emerald-500 dark:bg-emerald-400'
+        ? `${size === 'sm' ? 'translate-x-4' : 'translate-x-6'} bg-emerald-500 dark:bg-emerald-400`
         : asBoolean
-          ? 'translate-x-1 bg-black'
-          : 'translate-x-1 bg-emerald-500 dark:bg-emerald-400',
+          ? `${size === 'sm' ? 'translate-x-0.5' : 'translate-x-1'} bg-black`
+          : `${size === 'sm' ? 'translate-x-0.5' : 'translate-x-1'} bg-emerald-500 dark:bg-emerald-400`,
     }
   }
 
   const themeColors = getThemeColors(value)
 
+  const sizeClasses =
+    size === 'sm' ? 'h-4 w-8' : 'h-6 w-11'
+
+  const toggleSizeClasses =
+    size === 'sm' ? 'h-3 w-3' : 'h-4 w-4'
+
   return (
     <Switch
-      id="toggle-sync"
       checked={value}
       onChange={onToggle}
       disabled={disabled}
-      className={`${themeColors.background} ${disabled ? 'opacity-50 cursor-not-allowed' : ''} relative inline-flex h-6 w-11 items-center rounded-full ring-1 ring-inset`}
+      onClick={(e: React.MouseEvent) => e.stopPropagation()}
+      className={`${themeColors.background} ${disabled ? 'opacity-50 cursor-not-allowed' : ''} relative inline-flex ${sizeClasses} items-center rounded-full ring-1 ring-inset`}
     >
       <span className="sr-only">Active</span>
       <span
-        className={`${themeColors.toggle} flex items-center justify-center h-4 w-4 transform rounded-full transition`}
+        className={`${themeColors.toggle} flex items-center justify-center ${toggleSizeClasses} transform rounded-full transition`}
       ></span>
     </Switch>
   )
diff --git a/frontend/components/teams/TeamLabel.tsx b/frontend/components/teams/TeamLabel.tsx
new file mode 100644
index 000000000..455e928d8
--- /dev/null
+++ b/frontend/components/teams/TeamLabel.tsx
@@ -0,0 +1,20 @@
+import Link from 'next/link'
+import { FaUsers } from 'react-icons/fa'
+
+export const TeamLabel = ({
+  teamId,
+  teamName,
+  orgSlug,
+}: {
+  teamId: string
+  teamName: string
+  orgSlug: string
+}) => (
+  <Link
+    href={`/${orgSlug}/access/teams/${teamId}`}
+    className="inline-flex items-center gap-1 text-[10px] font-semibold px-1.5 py-0.5 rounded-full bg-zinc-300/70 dark:bg-zinc-800 text-zinc-600 dark:text-zinc-400 hover:bg-zinc-300 dark:hover:bg-zinc-700 transition"
+  >
+    <FaUsers className="text-[9px] shrink-0" />
+    {teamName}
+  </Link>
+)
diff --git a/frontend/components/users/RoleLabel.tsx b/frontend/components/users/RoleLabel.tsx
index b841a23eb..3e9419782 100644
--- a/frontend/components/users/RoleLabel.tsx
+++ b/frontend/components/users/RoleLabel.tsx
@@ -3,8 +3,9 @@ import { userHasGlobalAccess } from '@/utils/access/permissions'
 import { getContrastingTextColor, stringToHexColor } from '@/utils/copy'
 import clsx from 'clsx'
 
-export const RoleLabel = ({ role, size }: { role: RoleType; size?: 'sm' | 'md' | 'lg' }) => {
+export const RoleLabel = ({ role, size }: { role: RoleType; size?: 'xs' | 'sm' | 'md' | 'lg' }) => {
   const sizeStyles = {
+    xs: 'text-[0.625rem] leading-tight px-1 py-px',
     sm: 'text-2xs px-1',
     md: 'text-sm px-2 py-0.5',
     lg: 'text-base px-2 py-0.5',

From f10b609343fb08cc09b8d17ab14659e0435bee79 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 18:43:45 +0530
Subject: [PATCH 012/118] fix: regenerate GraphQL codegen to fix build type
 mismatch

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/apollo/gql.ts     | 10 ++++----
 frontend/apollo/graphql.ts | 47 ++++++++++++++++++++++++++++----------
 2 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index b7b507e51..8799c7719 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -63,9 +63,9 @@ type Documents = {
     "mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}": typeof types.UpdateDynamicSecretDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": typeof types.CreateSharedSecretDocument,
     "mutation UpdateEnvOrder($appId: ID!, $environmentOrder: [ID]!) {\n  updateEnvironmentOrder(appId: $appId, environmentOrder: $environmentOrder) {\n    ok\n  }\n}": typeof types.UpdateEnvOrderDocument,
-    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.CreateExtIdentityDocument,
+    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.CreateExtIdentityDocument,
     "mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": typeof types.DeleteExtIdentityDocument,
-    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.UpdateExtIdentityDocument,
+    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": typeof types.UpdateExtIdentityDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": typeof types.AcceptOrganisationInviteDocument,
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": typeof types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": typeof types.DeleteOrgInviteDocument,
@@ -128,8 +128,8 @@ type Documents = {
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": typeof types.GetDashboardDocument,
     "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}": typeof types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": typeof types.GetAwsStsEndpointsDocument,
-    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}": typeof types.GetIdentityProvidersDocument,
-    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
+    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": typeof types.GetIdentityProvidersDocument,
+    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
     "query CheckOrganisationNameAvailability($name: String!) {\n  organisationNameAvailable(name: $name)\n}": typeof types.CheckOrganisationNameAvailabilityDocument,
     "query GetGlobalAccessUsers($organisationId: ID!) {\n  organisationGlobalAccessUsers(organisationId: $organisationId) {\n    id\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetGlobalAccessUsersDocument,
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": typeof types.GetInvitesDocument,
@@ -154,7 +154,7 @@ type Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": typeof types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": typeof types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index d94b25fa8..b008daf3e 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -302,6 +302,13 @@ export type AwsIamConfigType = {
   trustedPrincipals?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
 };
 
+export type AzureEntraConfigType = {
+  __typename?: 'AzureEntraConfigType';
+  allowedServicePrincipalIds?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+  resource?: Maybe<Scalars['String']['output']>;
+  tenantId?: Maybe<Scalars['String']['output']>;
+};
+
 export type AzureKeyVaultSecretType = {
   __typename?: 'AzureKeyVaultSecretType';
   contentType?: Maybe<Scalars['String']['output']>;
@@ -865,7 +872,7 @@ export type GitLabProjectType = {
   webUrl?: Maybe<Scalars['String']['output']>;
 };
 
-export type IdentityConfigUnion = AwsIamConfigType;
+export type IdentityConfigUnion = AwsIamConfigType | AzureEntraConfigType;
 
 export type IdentityProviderType = {
   __typename?: 'IdentityProviderType';
@@ -873,7 +880,6 @@ export type IdentityProviderType = {
   iconId: Scalars['String']['output'];
   id: Scalars['String']['output'];
   name: Scalars['String']['output'];
-  supported: Scalars['Boolean']['output'];
 };
 
 export type IdentityType = {
@@ -1268,8 +1274,10 @@ export type MutationCreateIdentityArgs = {
   name: Scalars['String']['input'];
   organisationId: Scalars['ID']['input'];
   provider: Scalars['String']['input'];
+  resource?: InputMaybe<Scalars['String']['input']>;
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tenantId?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   trustedPrincipals: Scalars['String']['input'];
 };
@@ -1727,8 +1735,10 @@ export type MutationUpdateIdentityArgs = {
   id: Scalars['ID']['input'];
   maxTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   name?: InputMaybe<Scalars['String']['input']>;
+  resource?: InputMaybe<Scalars['String']['input']>;
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tenantId?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   trustedPrincipals?: InputMaybe<Scalars['String']['input']>;
 };
@@ -3292,13 +3302,18 @@ export type CreateExtIdentityMutationVariables = Exact<{
   trustedPrincipals: Scalars['String']['input'];
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tenantId?: InputMaybe<Scalars['String']['input']>;
+  resource?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   defaultTtlSeconds: Scalars['Int']['input'];
   maxTtlSeconds: Scalars['Int']['input'];
 }>;
 
 
-export type CreateExtIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
+export type CreateExtIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?:
+        | { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null }
+        | { __typename?: 'AzureEntraConfigType', tenantId?: string | null, resource?: string | null, allowedServicePrincipalIds?: Array<string | null> | null }
+       | null } | null } | null };
 
 export type DeleteExtIdentityMutationVariables = Exact<{
   id: Scalars['ID']['input'];
@@ -3314,13 +3329,18 @@ export type UpdateExtIdentityMutationVariables = Exact<{
   trustedPrincipals?: InputMaybe<Scalars['String']['input']>;
   signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tenantId?: InputMaybe<Scalars['String']['input']>;
+  resource?: InputMaybe<Scalars['String']['input']>;
   tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
   defaultTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
   maxTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
 }>;
 
 
-export type UpdateExtIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
+export type UpdateExtIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?:
+        | { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null }
+        | { __typename?: 'AzureEntraConfigType', tenantId?: string | null, resource?: string | null, allowedServicePrincipalIds?: Array<string | null> | null }
+       | null } | null } | null };
 
 export type AcceptOrganisationInviteMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3882,14 +3902,17 @@ export type GetAwsStsEndpointsQuery = { __typename?: 'Query', awsStsEndpoints?:
 export type GetIdentityProvidersQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type GetIdentityProvidersQuery = { __typename?: 'Query', identityProviders?: Array<{ __typename?: 'IdentityProviderType', id: string, name: string, description: string, iconId: string, supported: boolean } | null> | null };
+export type GetIdentityProvidersQuery = { __typename?: 'Query', identityProviders?: Array<{ __typename?: 'IdentityProviderType', id: string, name: string, description: string, iconId: string } | null> | null };
 
 export type GetOrganisationIdentitiesQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
 }>;
 
 
-export type GetOrganisationIdentitiesQuery = { __typename?: 'Query', identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, createdAt?: any | null, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null> | null };
+export type GetOrganisationIdentitiesQuery = { __typename?: 'Query', identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, createdAt?: any | null, config?:
+      | { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null }
+      | { __typename?: 'AzureEntraConfigType', tenantId?: string | null, resource?: string | null, allowedServicePrincipalIds?: Array<string | null> | null }
+     | null } | null> | null };
 
 export type CheckOrganisationNameAvailabilityQueryVariables = Exact<{
   name: Scalars['String']['input'];
@@ -4083,7 +4106,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string, description?: string | null }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4325,9 +4348,9 @@ export const RevokeDynamicSecretLeaseOpDocument = {"kind":"Document","definition
 export const UpdateDynamicSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateDynamicSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"dynamicSecretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"KeyMapInput"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateAwsDynamicSecret"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"dynamicSecretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"dynamicSecretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtl"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtl"}}},{"kind":"Argument","name":{"kind":"Name","value":"authenticationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authenticationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}},{"kind":"Argument","name":{"kind":"Name","value":"keyMap"},"value":{"kind":"Variable","name":{"kind":"Name","value":"keyMap"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecret"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateDynamicSecretMutation, UpdateDynamicSecretMutationVariables>;
 export const CreateSharedSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSharedSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"input"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"LockboxInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createLockbox"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"input"},"value":{"kind":"Variable","name":{"kind":"Name","value":"input"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lockbox"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"allowedViews"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSharedSecretMutation, CreateSharedSecretMutationVariables>;
 export const UpdateEnvOrderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateEnvOrder"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentOrder"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateEnvironmentOrder"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentOrder"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentOrder"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateEnvOrderMutation, UpdateEnvOrderMutationVariables>;
-export const CreateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateExtIdentityMutation, CreateExtIdentityMutationVariables>;
+export const CreateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"resource"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tenantId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}}},{"kind":"Argument","name":{"kind":"Name","value":"resource"},"value":{"kind":"Variable","name":{"kind":"Name","value":"resource"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateExtIdentityMutation, CreateExtIdentityMutationVariables>;
 export const DeleteExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteExtIdentityMutation, DeleteExtIdentityMutationVariables>;
-export const UpdateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateExtIdentityMutation, UpdateExtIdentityMutationVariables>;
+export const UpdateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"resource"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tenantId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tenantId"}}},{"kind":"Argument","name":{"kind":"Name","value":"resource"},"value":{"kind":"Variable","name":{"kind":"Name","value":"resource"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateExtIdentityMutation, UpdateExtIdentityMutationVariables>;
 export const AcceptOrganisationInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AcceptOrganisationInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<AcceptOrganisationInviteMutation, AcceptOrganisationInviteMutationVariables>;
 export const BulkInviteMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"BulkInviteMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"invites"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"InviteInput"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"bulkInviteOrganisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"invites"},"value":{"kind":"Variable","name":{"kind":"Name","value":"invites"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"invites"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<BulkInviteMembersMutation, BulkInviteMembersMutationVariables>;
 export const DeleteOrgInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteInvitation"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgInviteMutation, DeleteOrgInviteMutationVariables>;
@@ -4390,8 +4413,8 @@ export const GetAppsDocument = {"kind":"Document","definitions":[{"kind":"Operat
 export const GetDashboardDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDashboard"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]} as unknown as DocumentNode<GetDashboardQuery, GetDashboardQueryVariables>;
 export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
 export const GetAwsStsEndpointsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsStsEndpoints"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsStsEndpoints"}}]}}]} as unknown as DocumentNode<GetAwsStsEndpointsQuery, GetAwsStsEndpointsQueryVariables>;
-export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}},{"kind":"Field","name":{"kind":"Name","value":"supported"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
-export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
+export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
+export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
 export const CheckOrganisationNameAvailabilityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"CheckOrganisationNameAvailability"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationNameAvailable"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}]}]}}]} as unknown as DocumentNode<CheckOrganisationNameAvailabilityQuery, CheckOrganisationNameAvailabilityQueryVariables>;
 export const GetGlobalAccessUsersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetGlobalAccessUsers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationGlobalAccessUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetGlobalAccessUsersQuery, GetGlobalAccessUsersQueryVariables>;
 export const GetInvitesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetInvites"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetInvitesQuery, GetInvitesQueryVariables>;
@@ -4416,7 +4439,7 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"type"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;

From 1907a94c3b9f4fc08b5549399ab37a52e81adb79 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 19:04:05 +0530
Subject: [PATCH 013/118] fix: restyle add team to app dialog

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../teams/_components/AddTeamToAppDialog.tsx  | 107 +++++++-----------
 1 file changed, 38 insertions(+), 69 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx b/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx
index 2984d2f5a..71b9986b7 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/_components/AddTeamToAppDialog.tsx
@@ -3,16 +3,16 @@
 import { AppType, EnvironmentType, TeamType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { GetApps } from '@/graphql/queries/getApps.gql'
 import { AddTeamAppsOp } from '@/graphql/mutations/teams/addTeamApps.gql'
 import { useMutation, useQuery } from '@apollo/client'
 import { useContext, useRef, useState } from 'react'
-import { FaPlus, FaCheck, FaUsers, FaChevronDown } from 'react-icons/fa'
+import { FaPlus, FaCheck, FaUsers } from 'react-icons/fa'
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
-import { Disclosure } from '@headlessui/react'
 
 export const AddTeamToAppDialog = ({
   appId,
@@ -41,6 +41,7 @@ export const AddTeamToAppDialog = ({
     ) || []
 
   const envIds = appEnvironments.map((e) => e.id)
+  const allSelected = envIds.length > 0 && envIds.every((id) => selectedEnvIds.has(id))
 
   const toggleEnv = (envId: string) => {
     setSelectedEnvIds((prev) => {
@@ -109,7 +110,7 @@ export const AddTeamToAppDialog = ({
       ref={dialogRef}
       onClose={reset}
     >
-      <div className="space-y-4 py-4">
+      <div className="space-y-4 pt-4">
         {availableTeams.length === 0 ? (
           <p className="text-sm text-neutral-500 text-center py-4">
             No available teams. All teams already have access to this app, or no teams exist.
@@ -138,7 +139,7 @@ export const AddTeamToAppDialog = ({
                     <div className="flex items-center gap-2">
                       <FaUsers className="text-neutral-500 text-sm" />
                       <div>
-                        <div className="text-sm font-medium">{team.name}</div>
+                        <div className="text-sm font-medium text-zinc-900 dark:text-zinc-100">{team.name}</div>
                         <div className="text-xs text-neutral-500">
                           {team.memberCount} member{team.memberCount !== 1 ? 's' : ''}
                         </div>
@@ -161,74 +162,42 @@ export const AddTeamToAppDialog = ({
 
             {/* Environment Selection */}
             {selectedTeam && (
-              <Disclosure defaultOpen>
-                {({ open }) => (
-                  <div className="border border-zinc-500/20 rounded-lg overflow-hidden">
-                    <Disclosure.Button className="w-full flex items-center justify-between p-3 hover:bg-zinc-100 dark:hover:bg-zinc-800">
-                      <span className="text-sm font-medium">
-                        Environment access
-                        {selectedEnvIds.size > 0 && (
-                          <span className="text-2xs ml-2 px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
-                            {selectedEnvIds.size} selected
-                          </span>
-                        )}
-                      </span>
-                      <FaChevronDown
+              <div>
+                <label className="block text-2xs font-medium text-gray-500 uppercase tracking-wider mb-2">
+                  Environment access
+                </label>
+                <div
+                  className="flex items-center justify-between py-2 cursor-pointer"
+                  onClick={toggleAllEnvs}
+                >
+                  <span className="text-2xs text-neutral-500">All environments</span>
+                  <ToggleSwitch size="sm" value={allSelected} onToggle={toggleAllEnvs} />
+                </div>
+                <div className="flex flex-wrap gap-1.5">
+                  {appEnvironments.map((env) => {
+                    const isSelected = selectedEnvIds.has(env.id)
+                    return (
+                      <div
+                        key={env.id}
                         className={clsx(
-                          'text-neutral-500 transition-transform',
-                          open && 'rotate-180'
+                          'flex items-center gap-1.5 py-1 px-2 cursor-pointer rounded-full border transition',
+                          isSelected
+                            ? 'border-emerald-500/40 bg-emerald-500/10'
+                            : 'border-zinc-500/20 hover:border-zinc-500/40'
                         )}
-                      />
-                    </Disclosure.Button>
-                    <Disclosure.Panel className="p-3 border-t border-zinc-500/20">
-                      <div className="space-y-1">
-                        <div
-                          className="flex items-center gap-2 p-1.5 cursor-pointer text-sm text-neutral-500 hover:text-zinc-900 dark:hover:text-zinc-100"
-                          onClick={toggleAllEnvs}
-                        >
-                          <div
-                            className={clsx(
-                              'w-4 h-4 rounded border flex items-center justify-center transition',
-                              envIds.every((id) => selectedEnvIds.has(id))
-                                ? 'bg-emerald-500 border-emerald-500 text-white'
-                                : 'border-neutral-500/40'
-                            )}
-                          >
-                            {envIds.every((id) => selectedEnvIds.has(id)) && (
-                              <FaCheck className="text-2xs" />
-                            )}
-                          </div>
-                          Select all environments
-                        </div>
-                        {appEnvironments.map((env) => (
-                          <div
-                            key={env.id}
-                            className="flex items-center gap-2 p-1.5 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 rounded"
-                            onClick={() => toggleEnv(env.id)}
-                          >
-                            <div
-                              className={clsx(
-                                'w-4 h-4 rounded border flex items-center justify-center transition',
-                                selectedEnvIds.has(env.id)
-                                  ? 'bg-emerald-500 border-emerald-500 text-white'
-                                  : 'border-neutral-500/40'
-                              )}
-                            >
-                              {selectedEnvIds.has(env.id) && (
-                                <FaCheck className="text-2xs" />
-                              )}
-                            </div>
-                            <span className="text-sm">{env.name}</span>
-                            <span className="text-2xs text-neutral-500 uppercase">
-                              {env.envType}
-                            </span>
-                          </div>
-                        ))}
+                        onClick={() => toggleEnv(env.id)}
+                      >
+                        <span className="text-2xs text-zinc-900 dark:text-zinc-100">{env.name}</span>
+                        <ToggleSwitch
+                          size="sm"
+                          value={isSelected}
+                          onToggle={() => toggleEnv(env.id)}
+                        />
                       </div>
-                    </Disclosure.Panel>
-                  </div>
-                )}
-              </Disclosure>
+                    )
+                  })}
+                </div>
+              </div>
             )}
           </>
         )}

From be55f3ea85a41606b1d537865d3b4db0f9d1b53e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 19:04:20 +0530
Subject: [PATCH 014/118] fix: update app-level teams page layout

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[team]/apps/[app]/access/teams/page.tsx   | 186 +++++++++---------
 1 file changed, 93 insertions(+), 93 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/access/teams/page.tsx b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
index 8423f2a53..06dfb4e65 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
@@ -108,10 +108,12 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                 <th className="px-6 py-2 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
                   Team
                 </th>
+                <th className="hidden md:table-cell px-6 py-2 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                  Members
+                </th>
                 <th className="px-6 py-2 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
                   Environment Access
                 </th>
-                {userCanUpdateTeams && <th className="px-6 py-2"></th>}
               </tr>
             </thead>
             <tbody className="divide-y divide-neutral-500/20">
@@ -133,113 +135,111 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                         href={`/${params.team}/access/teams/${team.id}`}
                         className="hover:underline"
                       >
-                        <div className="space-y-2">
-                          <div>
-                            <div className="text-sm font-medium">{team.name}</div>
-                            {team.description && (
-                              <div className="text-2xs text-neutral-500 truncate max-w-xs">
-                                {team.description}
-                              </div>
-                            )}
+                        <div className="text-sm font-medium">{team.name}</div>
+                        {team.description && (
+                          <div className="text-2xs text-neutral-500 truncate max-w-xs">
+                            {team.description}
                           </div>
-                          <div className="space-y-1.5">
-                            {orgMembers.length > 0 && (
-                              <div className="flex items-center justify-between gap-3">
-                                <div className="flex items-center gap-1.5">
-                                  <div className="flex items-center">
-                                    {orgMembers.slice(0, 5).map((m, i) => (
-                                      <div
-                                        key={m.id}
-                                        className={clsx('rounded-full', i !== 0 && '-ml-2')}
-                                        style={{ zIndex: i }}
-                                      >
-                                        <Avatar
-                                          user={{
-                                            name: m.fullName,
-                                            email: m.email,
-                                            image: m.avatarUrl,
-                                          }}
-                                          size="xs"
-                                          showTitle={false}
-                                        />
-                                      </div>
-                                    ))}
-                                    {surplusMemberCount > 0 && (
-                                      <span className="text-neutral-500 text-xs ml-1">
-                                        +{surplusMemberCount}
-                                      </span>
-                                    )}
+                        )}
+                      </Link>
+                    </td>
+                    <td className="hidden md:table-cell px-6 py-2">
+                      <div className="space-y-1.5">
+                        {orgMembers.length > 0 && (
+                          <div className="flex items-center justify-between gap-3">
+                            <div className="flex items-center gap-1.5">
+                              <div className="flex items-center">
+                                {orgMembers.slice(0, 5).map((m, i) => (
+                                  <div
+                                    key={m.id}
+                                    className={clsx('rounded-full', i !== 0 && '-ml-2')}
+                                    style={{ zIndex: i }}
+                                  >
+                                    <Avatar
+                                      user={{
+                                        name: m.fullName,
+                                        email: m.email,
+                                        image: m.avatarUrl,
+                                      }}
+                                      size="xs"
+                                      showTitle={false}
+                                    />
                                   </div>
-                                  <span className="text-2xs text-neutral-500">
-                                    {orgMembers.length} member
-                                    {orgMembers.length !== 1 ? 's' : ''}
+                                ))}
+                                {surplusMemberCount > 0 && (
+                                  <span className="text-neutral-500 text-xs ml-1">
+                                    +{surplusMemberCount}
                                   </span>
-                                </div>
-                                {team.memberRole && (
-                                  <RoleLabel role={team.memberRole} size="xs" />
                                 )}
                               </div>
+                              <span className="text-2xs text-neutral-500">
+                                {orgMembers.length} member
+                                {orgMembers.length !== 1 ? 's' : ''}
+                              </span>
+                            </div>
+                            {team.memberRole && (
+                              <RoleLabel role={team.memberRole} size="xs" />
                             )}
-                            {sas.length > 0 && (
-                              <div className="flex items-center justify-between gap-3">
-                                <div className="flex items-center gap-1.5">
-                                  <div className="flex items-center">
-                                    {sas.slice(0, 3).map((m, i) => (
-                                      <div
-                                        key={m.id}
-                                        className={clsx('rounded-full', i !== 0 && '-ml-2')}
-                                        style={{ zIndex: i }}
-                                      >
-                                        <Avatar
-                                          serviceAccount={m.serviceAccount!}
-                                          size="xs"
-                                          showTitle={false}
-                                        />
-                                      </div>
-                                    ))}
-                                    {surplusSaCount > 0 && (
-                                      <span className="text-neutral-500 text-xs ml-1">
-                                        +{surplusSaCount}
-                                      </span>
-                                    )}
+                          </div>
+                        )}
+                        {sas.length > 0 && (
+                          <div className="flex items-center justify-between gap-3">
+                            <div className="flex items-center gap-1.5">
+                              <div className="flex items-center">
+                                {sas.slice(0, 3).map((m, i) => (
+                                  <div
+                                    key={m.id}
+                                    className={clsx('rounded-full', i !== 0 && '-ml-2')}
+                                    style={{ zIndex: i }}
+                                  >
+                                    <Avatar
+                                      serviceAccount={m.serviceAccount!}
+                                      size="xs"
+                                      showTitle={false}
+                                    />
                                   </div>
-                                  <span className="text-2xs text-neutral-500">
-                                    {sas.length} Service Account
-                                    {sas.length !== 1 ? 's' : ''}
+                                ))}
+                                {surplusSaCount > 0 && (
+                                  <span className="text-neutral-500 text-xs ml-1">
+                                    +{surplusSaCount}
                                   </span>
-                                </div>
-                                {team.serviceAccountRole && (
-                                  <RoleLabel role={team.serviceAccountRole} size="xs" />
                                 )}
                               </div>
-                            )}
-                            {orgMembers.length === 0 && sas.length === 0 && (
-                              <span className="text-2xs text-neutral-500">No members</span>
+                              <span className="text-2xs text-neutral-500">
+                                {sas.length} Service Account
+                                {sas.length !== 1 ? 's' : ''}
+                              </span>
+                            </div>
+                            {team.serviceAccountRole && (
+                              <RoleLabel role={team.serviceAccountRole} size="xs" />
                             )}
                           </div>
-                        </div>
-                      </Link>
+                        )}
+                        {orgMembers.length === 0 && sas.length === 0 && (
+                          <span className="text-2xs text-neutral-500">No members</span>
+                        )}
+                      </div>
                     </td>
                     <td className="px-6 py-2">
-                      <ManageTeamEnvsDialog
-                        teamId={team.id}
-                        teamName={team.name}
-                        appId={params.app}
-                        appEnvironments={appEnvironments}
-                        teamEnvs={teamEnvs as TeamAppEnvironmentType[]}
-                      />
+                      <div className="flex items-center gap-2">
+                        <ManageTeamEnvsDialog
+                          teamId={team.id}
+                          teamName={team.name}
+                          appId={params.app}
+                          appEnvironments={appEnvironments}
+                          teamEnvs={teamEnvs as TeamAppEnvironmentType[]}
+                        />
+                        {userCanUpdateTeams && (
+                          <div className="opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
+                            <RemoveTeamFromAppDialog
+                              teamId={team.id}
+                              teamName={team.name}
+                              appId={params.app}
+                            />
+                          </div>
+                        )}
+                      </div>
                     </td>
-                    {userCanUpdateTeams && (
-                      <td className="px-6 py-2">
-                        <div className="flex items-center justify-end opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
-                          <RemoveTeamFromAppDialog
-                            teamId={team.id}
-                            teamName={team.name}
-                            appId={params.app}
-                          />
-                        </div>
-                      </td>
-                    )}
                   </tr>
                 )
               })}

From f1ece39336a6f1a70dbd45830b63dccc92f0ac3a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 19:18:02 +0530
Subject: [PATCH 015/118] feat: add profile card for org members and service
 accounts

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/ProfileCard.tsx | 93 ++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 frontend/components/common/ProfileCard.tsx

diff --git a/frontend/components/common/ProfileCard.tsx b/frontend/components/common/ProfileCard.tsx
new file mode 100644
index 000000000..84f98304c
--- /dev/null
+++ b/frontend/components/common/ProfileCard.tsx
@@ -0,0 +1,93 @@
+'use client'
+
+import { OrganisationMemberType, ServiceAccountType } from '@/apollo/graphql'
+import { Avatar } from './Avatar'
+
+type ProfileCardSize = 'sm' | 'md' | 'lg'
+
+const avatarSizeMap: Record<ProfileCardSize, 'sm' | 'md' | 'lg'> = {
+  sm: 'sm',
+  md: 'md',
+  lg: 'lg',
+}
+
+const textSizeMap: Record<ProfileCardSize, { name: string; subtitle: string }> = {
+  sm: { name: 'text-2xs', subtitle: 'text-[10px]' },
+  md: { name: 'text-xs', subtitle: 'text-2xs' },
+  lg: { name: 'text-sm', subtitle: 'text-xs' },
+}
+
+export const ProfileCard = ({
+  member,
+  serviceAccount,
+  user,
+  size = 'md',
+  subtitle,
+}: {
+  member?: OrganisationMemberType | null
+  serviceAccount?: ServiceAccountType | null
+  user?: { name?: string | null; email?: string | null; image?: string | null } | null
+  size?: ProfileCardSize
+  subtitle?: string
+}) => {
+  const textStyles = textSizeMap[size]
+
+  if (serviceAccount) {
+    return (
+      <div className="flex items-center gap-2">
+        <Avatar serviceAccount={serviceAccount} size={avatarSizeMap[size]} />
+        <div>
+          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100`}>
+            {serviceAccount.name}
+          </div>
+          <div className={`${textStyles.subtitle} text-neutral-500 font-mono`}>
+            {subtitle || serviceAccount.id}
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  if (member) {
+    const displayName = member.fullName || member.email
+    return (
+      <div className="flex items-center gap-2">
+        <Avatar member={member} size={avatarSizeMap[size]} />
+        <div>
+          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100`}>
+            {displayName}
+          </div>
+          {member.fullName && (
+            <div className={`${textStyles.subtitle} text-neutral-500`}>{member.email}</div>
+          )}
+        </div>
+      </div>
+    )
+  }
+
+  if (user) {
+    const displayName = user.name || user.email
+    return (
+      <div className="flex items-center gap-2">
+        <Avatar
+          user={{
+            name: user.name,
+            email: user.email,
+            image: user.image,
+          }}
+          size={avatarSizeMap[size]}
+        />
+        <div>
+          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100`}>
+            {displayName}
+          </div>
+          {user.name && user.email && (
+            <div className={`${textStyles.subtitle} text-neutral-500`}>{user.email}</div>
+          )}
+        </div>
+      </div>
+    )
+  }
+
+  return null
+}

From d61084d3f71337a49ed8316eddaea55d436ea036 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 19:18:30 +0530
Subject: [PATCH 016/118] feat: restyle teams list table

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/app/[team]/access/teams/page.tsx | 195 +++++++++++-----------
 1 file changed, 97 insertions(+), 98 deletions(-)

diff --git a/frontend/app/[team]/access/teams/page.tsx b/frontend/app/[team]/access/teams/page.tsx
index 074848fa1..67338da64 100644
--- a/frontend/app/[team]/access/teams/page.tsx
+++ b/frontend/app/[team]/access/teams/page.tsx
@@ -20,6 +20,7 @@ import {
   FaRobot,
 } from 'react-icons/fa'
 import { Avatar } from '@/components/common/Avatar'
+import { ProfileCard } from '@/components/common/ProfileCard'
 import { MdSearchOff } from 'react-icons/md'
 import clsx from 'clsx'
 import { CreateTeamDialog } from './_components/CreateTeamDialog'
@@ -124,9 +125,6 @@ export default function Teams({ params }: { params: { team: string } }) {
                     <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
                       Team
                     </th>
-                    <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
-                      Role overrides
-                    </th>
                     <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
                       Members
                     </th>
@@ -153,113 +151,99 @@ export default function Teams({ params }: { params: { team: string } }) {
                     return (
                       <tr key={team.id} className="group">
                         <td className="py-2">
-                          <div className="flex items-center gap-3">
-                            <div className="text-2xl text-neutral-500">
-                              <FaUsers />
-                            </div>
-                            <div>
-                              <div className="font-medium flex items-center gap-2">
-                                {team.name}
-                                {team.isScimManaged && (
-                                  <span className="text-2xs px-1 rounded ring-1 ring-inset ring-purple-500/40 bg-purple-500/20 text-purple-400 uppercase font-medium">
-                                    <FaRobot className="inline mr-0.5" />
-                                    SCIM
-                                  </span>
-                                )}
-                              </div>
-                              {team.description && (
-                                <div className="text-sm text-neutral-500 truncate max-w-xs">
-                                  {team.description}
-                                </div>
+                          <div>
+                            <div className="font-medium flex items-center gap-2">
+                              {team.name}
+                              {team.isScimManaged && (
+                                <span className="text-2xs px-1 rounded ring-1 ring-inset ring-purple-500/40 bg-purple-500/20 text-purple-400 uppercase font-medium">
+                                  <FaRobot className="inline mr-0.5" />
+                                  SCIM
+                                </span>
                               )}
                             </div>
-                          </div>
-                        </td>
-                        <td className="px-6 py-2">
-                          <div className="flex flex-col gap-1">
-                            {team.memberRole ? (
-                              <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
-                                <FaUsers className="text-2xs shrink-0" />
-                                <RoleLabel role={team.memberRole} />
-                              </div>
-                            ) : null}
-                            {team.serviceAccountRole ? (
-                              <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
-                                <FaRobot className="text-2xs shrink-0" />
-                                <RoleLabel role={team.serviceAccountRole} />
+                            {team.description && (
+                              <div className="text-sm text-neutral-500 truncate max-w-xs">
+                                {team.description}
                               </div>
-                            ) : null}
-                            {!team.memberRole && !team.serviceAccountRole && (
-                              <span className="text-neutral-500 text-xs">Org role</span>
                             )}
                           </div>
                         </td>
                         <td className="px-6 py-2">
                           <div className="space-y-1.5">
                             {orgMembers.length > 0 && (
-                              <div className="flex items-center gap-1.5">
-                                <div className="flex items-center">
-                                  {orgMembers.slice(0, 5).map((m, i) => (
-                                    <div
-                                      key={m.id}
-                                      className={clsx(
-                                        'rounded-full',
-                                        i !== 0 && '-ml-2'
-                                      )}
-                                      style={{ zIndex: i }}
-                                    >
-                                      <Avatar
-                                        user={{
-                                          name: m.fullName,
-                                          email: m.email,
-                                          image: m.avatarUrl,
-                                        }}
-                                        size="xs"
-                                        showTitle={false}
-                                      />
-                                    </div>
-                                  ))}
-                                  {surplusMemberCount > 0 && (
-                                    <span className="text-neutral-500 text-xs ml-1">
-                                      +{surplusMemberCount}
-                                    </span>
-                                  )}
+                              <div className="flex items-center justify-between gap-3">
+                                <div className="flex items-center gap-1.5">
+                                  <div className="flex items-center">
+                                    {orgMembers.slice(0, 5).map((m, i) => (
+                                      <div
+                                        key={m.id}
+                                        className={clsx(
+                                          'rounded-full',
+                                          i !== 0 && '-ml-2'
+                                        )}
+                                        style={{ zIndex: i }}
+                                      >
+                                        <Avatar
+                                          user={{
+                                            name: m.fullName,
+                                            email: m.email,
+                                            image: m.avatarUrl,
+                                          }}
+                                          size="xs"
+                                          showTitle={false}
+                                        />
+                                      </div>
+                                    ))}
+                                    {surplusMemberCount > 0 && (
+                                      <span className="text-neutral-500 text-xs ml-1">
+                                        +{surplusMemberCount}
+                                      </span>
+                                    )}
+                                  </div>
+                                  <span className="text-2xs text-neutral-500">
+                                    {orgMembers.length} member
+                                    {orgMembers.length !== 1 ? 's' : ''}
+                                  </span>
                                 </div>
-                                <span className="text-2xs text-neutral-500">
-                                  {orgMembers.length} member
-                                  {orgMembers.length !== 1 ? 's' : ''}
-                                </span>
+                                {team.memberRole && (
+                                  <RoleLabel role={team.memberRole} size="xs" />
+                                )}
                               </div>
                             )}
                             {serviceAccounts.length > 0 && (
-                              <div className="flex items-center gap-1.5">
-                                <div className="flex items-center">
-                                  {serviceAccounts.slice(0, 3).map((m, i) => (
-                                    <div
-                                      key={m.id}
-                                      className={clsx(
-                                        'rounded-full',
-                                        i !== 0 && '-ml-2'
-                                      )}
-                                      style={{ zIndex: i }}
-                                    >
-                                      <Avatar
-                                        serviceAccount={m.serviceAccount!}
-                                        size="xs"
-                                        showTitle={false}
-                                      />
-                                    </div>
-                                  ))}
-                                  {surplusSaCount > 0 && (
-                                    <span className="text-neutral-500 text-xs ml-1">
-                                      +{surplusSaCount}
-                                    </span>
-                                  )}
+                              <div className="flex items-center justify-between gap-3">
+                                <div className="flex items-center gap-1.5">
+                                  <div className="flex items-center">
+                                    {serviceAccounts.slice(0, 3).map((m, i) => (
+                                      <div
+                                        key={m.id}
+                                        className={clsx(
+                                          'rounded-full',
+                                          i !== 0 && '-ml-2'
+                                        )}
+                                        style={{ zIndex: i }}
+                                      >
+                                        <Avatar
+                                          serviceAccount={m.serviceAccount!}
+                                          size="xs"
+                                          showTitle={false}
+                                        />
+                                      </div>
+                                    ))}
+                                    {surplusSaCount > 0 && (
+                                      <span className="text-neutral-500 text-xs ml-1">
+                                        +{surplusSaCount}
+                                      </span>
+                                    )}
+                                  </div>
+                                  <span className="text-2xs text-neutral-500">
+                                    {serviceAccounts.length} Service Account
+                                    {serviceAccounts.length !== 1 ? 's' : ''}
+                                  </span>
                                 </div>
-                                <span className="text-2xs text-neutral-500">
-                                  {serviceAccounts.length} SA
-                                  {serviceAccounts.length !== 1 ? 's' : ''}
-                                </span>
+                                {team.serviceAccountRole && (
+                                  <RoleLabel role={team.serviceAccountRole} size="xs" />
+                                )}
                               </div>
                             )}
                             {orgMembers.length === 0 &&
@@ -273,8 +257,23 @@ export default function Teams({ params }: { params: { team: string } }) {
                         <td className="px-6 py-2 text-sm">
                           {team.apps?.length || 0}
                         </td>
-                        <td className="px-6 py-2 text-sm">
-                          {relativeTimeFromDates(new Date(team.createdAt))}
+                        <td className="px-6 py-2">
+                          <div className="space-y-1">
+                            <div className="text-2xs text-neutral-500">
+                              {relativeTimeFromDates(new Date(team.createdAt))}
+                              {team.createdBy && ' by'}
+                            </div>
+                            {team.createdBy && (
+                              <ProfileCard
+                                user={{
+                                  name: team.createdBy.fullName,
+                                  email: team.createdBy.email,
+                                  image: team.createdBy.avatarUrl,
+                                }}
+                                size="sm"
+                              />
+                            )}
+                          </div>
                         </td>
                         <td className="px-6 py-2 whitespace-nowrap text-right">
                           <Link href={`/${params.team}/access/teams/${team.id}`}>

From 0aeef5533e3aa474ab3c28d44429a01756f0c186 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 31 Mar 2026 19:18:51 +0530
Subject: [PATCH 017/118] feat: use profile card

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/AddTeamMembersDialog.tsx      | 22 ++--------
 .../app/[team]/access/teams/[teamId]/page.tsx | 40 ++++++++-----------
 2 files changed, 19 insertions(+), 43 deletions(-)

diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
index 620d4fa96..ae578e6f5 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
@@ -7,8 +7,8 @@ import {
 } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
-import { Avatar } from '@/components/common/Avatar'
 import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { ProfileCard } from '@/components/common/ProfileCard'
 import { organisationContext } from '@/contexts/organisationContext'
 import GetOrganisationMembers from '@/graphql/queries/organisation/getOrganisationMembers.gql'
 import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServiceAccounts.gql'
@@ -255,17 +255,7 @@ export const AddTeamMembersDialog = ({
                     className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
                     onClick={() => toggleMember(member.id)}
                   >
-                    <div className="flex items-center gap-2">
-                      <Avatar member={member} size="md" />
-                      <div>
-                        <div className="text-xs font-medium">
-                          {member.fullName || member.email}
-                        </div>
-                        {member.fullName && (
-                          <div className="text-2xs text-neutral-500">{member.email}</div>
-                        )}
-                      </div>
-                    </div>
+                    <ProfileCard member={member} size="md" />
                     <ToggleSwitch
                       size="sm"
                       value={selectedMembers.has(member.id)}
@@ -289,13 +279,7 @@ export const AddTeamMembersDialog = ({
                     className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
                     onClick={() => toggleSA(sa.id)}
                   >
-                    <div className="flex items-center gap-2">
-                      <Avatar serviceAccount={sa} size="md" />
-                      <div>
-                        <div className="text-xs font-medium">{sa.name}</div>
-                        <div className="text-2xs text-neutral-500 font-mono">{sa.id}</div>
-                      </div>
-                    </div>
+                    <ProfileCard serviceAccount={sa} size="md" />
                     <ToggleSwitch
                       size="sm"
                       value={selectedSAs.has(sa.id)}
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index eca59a97a..184724202 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -4,7 +4,7 @@ import { AppType, TeamAppEnvironmentType, TeamMembershipType, TeamType } from '@
 import { Button } from '@/components/common/Button'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
-import { Avatar } from '@/components/common/Avatar'
+import { ProfileCard } from '@/components/common/ProfileCard'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
@@ -204,29 +204,21 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                     key={membership.id}
                     className="grid grid-cols-1 md:grid-cols-4 gap-4 items-center py-1.5 px-2 group"
                   >
-                    <div className="flex items-center gap-2">
-                      {isUser ? (
-                        <Avatar
-                          user={{
-                            name: membership.fullName,
-                            email: membership.email,
-                            image: membership.avatarUrl,
-                          }}
-                          size="md"
-                        />
-                      ) : (
-                        <Avatar serviceAccount={membership.serviceAccount!} size="md" />
-                      )}
-                      <div>
-                        <div className="text-sm font-medium">{displayName}</div>
-                        {isUser && membership.fullName && (
-                          <div className="text-xs text-neutral-500">{membership.email}</div>
-                        )}
-                        {!isUser && (
-                          <div className="text-2xs text-neutral-500 font-mono">{memberId}</div>
-                        )}
-                      </div>
-                    </div>
+                    {isUser ? (
+                      <ProfileCard
+                        user={{
+                          name: membership.fullName,
+                          email: membership.email,
+                          image: membership.avatarUrl,
+                        }}
+                        size="md"
+                      />
+                    ) : (
+                      <ProfileCard
+                        serviceAccount={membership.serviceAccount!}
+                        size="md"
+                      />
+                    )}
 
                     <div>
                       {isUser && membership.orgMember?.role && (

From 9844ed7f249e8a0e3bef740102e260c7929d4b78 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 13 Apr 2026 17:47:08 +0530
Subject: [PATCH 018/118] feat: add team FK to ServiceAccount model

---
 .../migrations/0122_serviceaccount_team.py    | 23 +++++++++++++++++++
 backend/api/models.py                         |  7 ++++++
 2 files changed, 30 insertions(+)
 create mode 100644 backend/api/migrations/0122_serviceaccount_team.py

diff --git a/backend/api/migrations/0122_serviceaccount_team.py b/backend/api/migrations/0122_serviceaccount_team.py
new file mode 100644
index 000000000..fe8422006
--- /dev/null
+++ b/backend/api/migrations/0122_serviceaccount_team.py
@@ -0,0 +1,23 @@
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0121_backfill_environment_key_grants"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="serviceaccount",
+            name="team",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="owned_service_accounts",
+                to="api.team",
+            ),
+        ),
+    ]
diff --git a/backend/api/models.py b/backend/api/models.py
index e6877bea1..fb4a7a4a8 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -332,6 +332,13 @@ class ServiceAccount(models.Model):
         null=True,
         blank=True,
     )
+    team = models.ForeignKey(
+        "Team",
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="owned_service_accounts",
+    )
     apps = models.ManyToManyField(App, related_name="service_accounts")
     identity_key = models.CharField(max_length=256, null=True, blank=True)
     server_wrapped_keyring = models.TextField(null=True)

From a95bdf96ecfa2b332952a4dab962379f8c4c08ca Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 13 Apr 2026 17:47:12 +0530
Subject: [PATCH 019/118] feat: add team-owned SA backend logic

---
 backend/backend/graphene/mutations/access.py  |  24 +++-
 .../graphene/mutations/service_accounts.py    | 115 ++++++++++++++++++
 backend/backend/graphene/mutations/teams.py   |  16 +++
 .../graphene/queries/service_accounts.py      |  18 ++-
 backend/backend/graphene/types.py             |   2 +
 backend/backend/schema.py                     |   2 +
 6 files changed, 174 insertions(+), 3 deletions(-)

diff --git a/backend/backend/graphene/mutations/access.py b/backend/backend/graphene/mutations/access.py
index cbb59dc3d..bb55e22ab 100644
--- a/backend/backend/graphene/mutations/access.py
+++ b/backend/backend/graphene/mutations/access.py
@@ -4,8 +4,9 @@
     OrganisationMember,
     Role,
     ServiceAccount,
+    TeamMembership,
 )
-from api.utils.access.permissions import user_has_permission
+from api.utils.access.permissions import user_has_permission, role_has_global_access
 from backend.graphene.types import NetworkAccessPolicyType, RoleType, IdentityType
 from api.models import Identity
 from django.utils import timezone
@@ -502,6 +503,12 @@ def mutate(cls, root, info, account_inputs, organisation_id):
                 "You don't have the permissions required to delete Network Access Policies in this organisation"
             )
 
+        org_member = OrganisationMember.objects.get(
+            user=info.context.user,
+            organisation_id=organisation_id,
+            deleted_at=None,
+        )
+
         for account_input in account_inputs:
             account_filter = {
                 "organisation_id": organisation_id,
@@ -514,6 +521,21 @@ def mutate(cls, root, info, account_inputs, organisation_id):
                 else ServiceAccount.objects.get(**account_filter)
             )
 
+            # For team-owned SAs, verify team membership
+            if (
+                account_input.account_type != AccountTypeEnum.USER
+                and account.team is not None
+                and not role_has_global_access(org_member.role)
+                and not TeamMembership.objects.filter(
+                    team=account.team,
+                    org_member=org_member,
+                    team__deleted_at__isnull=True,
+                ).exists()
+            ):
+                raise GraphQLError(
+                    "You don't have access to this Service Account"
+                )
+
             account.network_policies.set(
                 NetworkAccessPolicy.objects.filter(id__in=account_input.policy_ids)
             )
diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index cc91d8ba3..02c1cfff9 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -8,6 +8,8 @@
     ServiceAccount,
     ServiceAccountHandler,
     ServiceAccountToken,
+    Team,
+    TeamMembership,
     Identity,
 )
 from api.utils.access.permissions import (
@@ -20,6 +22,26 @@
 from django.conf import settings
 
 
+def _check_team_sa_access(user, service_account):
+    """For team-owned SAs, verify the user is a team member or has global access.
+    Org-level SAs (team=null) pass through — existing permission checks are sufficient."""
+    if service_account.team is None:
+        return
+
+    org_member = OrganisationMember.objects.get(
+        user=user, organisation=service_account.organisation, deleted_at=None
+    )
+    if role_has_global_access(org_member.role):
+        return
+
+    if not TeamMembership.objects.filter(
+        team=service_account.team,
+        org_member=org_member,
+        team__deleted_at__isnull=True,
+    ).exists():
+        raise GraphQLError("You don't have access to this Service Account")
+
+
 class ServiceAccountHandlerInput(graphene.InputObjectType):
     service_account_id = graphene.ID(required=False)
     member_id = graphene.ID(required=False)
@@ -36,6 +58,7 @@ class Arguments:
         identity_key = graphene.String()
         server_wrapped_keyring = graphene.String(required=False)
         server_wrapped_recovery = graphene.String(required=False)
+        team_id = graphene.ID(required=False)
 
     service_account = graphene.Field(ServiceAccountType)
 
@@ -51,6 +74,7 @@ def mutate(
         identity_key,
         server_wrapped_keyring=None,
         server_wrapped_recovery=None,
+        team_id=None,
     ):
         user = info.context.user
         org = Organisation.objects.get(id=organisation_id)
@@ -70,6 +94,22 @@ def mutate(
                 f"Service Accounts cannot be assigned the '{role.name}' role."
             )
 
+        # Validate team ownership if creating a team-owned SA
+        team = None
+        if team_id:
+            team = Team.objects.get(id=team_id, organisation=org, deleted_at__isnull=True)
+            org_member = OrganisationMember.objects.get(
+                user=user, organisation=org, deleted_at=None
+            )
+            # User must be a member of the team (or have global access)
+            if not role_has_global_access(org_member.role):
+                if not TeamMembership.objects.filter(
+                    team=team, org_member=org_member
+                ).exists():
+                    raise GraphQLError(
+                        "You must be a member of the team to create a team-owned Service Account"
+                    )
+
         with transaction.atomic():
             service_account = ServiceAccount.objects.create(
                 name=name,
@@ -78,6 +118,7 @@ def mutate(
                 identity_key=identity_key,
                 server_wrapped_keyring=server_wrapped_keyring,
                 server_wrapped_recovery=server_wrapped_recovery,
+                team=team,
             )
 
             for handler in handlers:
@@ -88,6 +129,12 @@ def mutate(
                     wrapped_recovery=handler.wrapped_recovery,
                 )
 
+            # Auto-add team-owned SA as a member of the team
+            if team:
+                TeamMembership.objects.get_or_create(
+                    team=team, service_account=service_account
+                )
+
         if settings.APP_HOST == "cloud":
             from ee.billing.stripe import update_stripe_subscription_seats
 
@@ -123,6 +170,8 @@ def mutate(
                 "You don't have the permissions required to update Service Accounts in this organisation"
             )
 
+        _check_team_sa_access(user, service_account)
+
         service_account.server_wrapped_keyring = server_wrapped_keyring
         service_account.server_wrapped_recovery = server_wrapped_recovery
         service_account.save()
@@ -150,6 +199,8 @@ def mutate(cls, root, info, service_account_id):
                 "You don't have the permissions required to update Service Accounts in this organisation"
             )
 
+        _check_team_sa_access(user, service_account)
+
         # Delete server-wrapped keys to disable server-side key management
         service_account.server_wrapped_keyring = None
         service_account.server_wrapped_recovery = None
@@ -181,6 +232,8 @@ def mutate(cls, root, info, service_account_id, name, role_id, identity_ids=None
                 "You don't have the permissions required to update Service Accounts in this organisation"
             )
 
+        _check_team_sa_access(user, service_account)
+
         role = Role.objects.get(id=role_id, organisation=service_account.organisation)
 
         if role_has_global_access(role):
@@ -254,6 +307,8 @@ def mutate(cls, root, info, service_account_id):
                 "You don't have the permissions required to delete Service Accounts in this organisation"
             )
 
+        _check_team_sa_access(user, service_account)
+
         service_account.delete()
 
         if settings.APP_HOST == "cloud":
@@ -300,6 +355,8 @@ def mutate(
                 "You don't have the permissions required to create Service Tokens in this organisation"
             )
 
+        _check_team_sa_access(user, service_account)
+
         if expiry is not None:
             expires_at = datetime.fromtimestamp(expiry / 1000)
         else:
@@ -336,6 +393,64 @@ def mutate(cls, root, info, token_id):
                 "You don't have the permissions required to delete Service Tokens in this organisation"
             )
 
+        _check_team_sa_access(user, token.service_account)
+
         token.delete()
 
         return DeleteServiceAccountTokenMutation(ok=True)
+
+
+class UpdateServiceAccountOwnershipMutation(graphene.Mutation):
+    """Transfer a service account between org-level and team ownership.
+
+    - team_id=null: Promote team-owned SA to org-level (clears team FK).
+    - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+
+    Requires global_access (Owner/Admin only).
+    """
+
+    class Arguments:
+        service_account_id = graphene.ID(required=True)
+        team_id = graphene.ID(required=False)
+
+    service_account = graphene.Field(ServiceAccountType)
+
+    @classmethod
+    def mutate(cls, root, info, service_account_id, team_id=None):
+        user = info.context.user
+        service_account = ServiceAccount.objects.get(
+            id=service_account_id, deleted_at__isnull=True
+        )
+        org = service_account.organisation
+
+        # Only Owner/Admin can transfer ownership
+        org_member = OrganisationMember.objects.get(
+            user=user, organisation=org, deleted_at=None
+        )
+        if not role_has_global_access(org_member.role):
+            raise GraphQLError(
+                "Only organisation owners and admins can transfer service account ownership"
+            )
+
+        old_team = service_account.team
+
+        if team_id is None:
+            # Promote to org-level
+            service_account.team = None
+            service_account.save()
+        else:
+            # Assign to team
+            new_team = Team.objects.get(
+                id=team_id, organisation=org, deleted_at__isnull=True
+            )
+            service_account.team = new_team
+            service_account.save()
+
+            # Ensure SA is a member of the new team
+            TeamMembership.objects.get_or_create(
+                team=new_team, service_account=service_account
+            )
+
+        return UpdateServiceAccountOwnershipMutation(
+            service_account=service_account
+        )
diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 175ac3ca9..dafc4d6ff 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -8,6 +8,7 @@
     OrganisationMember,
     Role,
     ServiceAccount,
+    ServiceAccountToken,
     Team,
     TeamAppEnvironment,
     TeamMembership,
@@ -184,6 +185,15 @@ def mutate(cls, root, info, team_id):
         # Revoke all team environment key grants
         revoke_team_environment_keys(team)
 
+        # Soft-delete team-owned service accounts and their tokens
+        now = timezone.now()
+        for sa in ServiceAccount.objects.filter(team=team, deleted_at__isnull=True):
+            sa.deleted_at = now
+            sa.save()
+            ServiceAccountToken.objects.filter(
+                service_account=sa, deleted_at__isnull=True
+            ).update(deleted_at=now)
+
         team.deleted_at = timezone.now()
         team.save()
 
@@ -285,6 +295,12 @@ def mutate(cls, root, info, team_id, member_id, member_type=MemberType.USER):
             revoke_team_environment_keys(team, member=member)
         else:
             member = ServiceAccount.objects.get(id=member_id, deleted_at=None)
+            # Block removing a team-owned SA from its owning team
+            if member.team_id == team.id:
+                raise GraphQLError(
+                    "This service account is owned by this team and cannot be removed. "
+                    "Delete the service account instead, or transfer ownership first."
+                )
             membership = TeamMembership.objects.get(team=team, service_account=member)
             revoke_team_environment_keys(team, member=member)
 
diff --git a/backend/backend/graphene/queries/service_accounts.py b/backend/backend/graphene/queries/service_accounts.py
index b6f16bdf8..d8fd778a9 100644
--- a/backend/backend/graphene/queries/service_accounts.py
+++ b/backend/backend/graphene/queries/service_accounts.py
@@ -1,9 +1,10 @@
 from api.utils.access.permissions import (
+    role_has_global_access,
     user_can_access_app,
     user_has_permission,
     user_is_org_member,
 )
-from api.models import App, Organisation, OrganisationMember, Role, ServiceAccount
+from api.models import App, Organisation, OrganisationMember, Role, ServiceAccount, TeamMembership
 from .access import resolve_organisation_global_access_users
 from django.db.models import Q
 from graphql import GraphQLError
@@ -18,7 +19,20 @@ def resolve_service_accounts(root, info, org_id, service_account_id=None):
         if service_account_id is not None:
             filter["id"] = service_account_id
 
-        return ServiceAccount.objects.filter(**filter)
+        qs = ServiceAccount.objects.filter(**filter)
+
+        # Team-owned SAs: only visible to team members + global_access users
+        org_member = OrganisationMember.objects.get(
+            user=info.context.user, organisation=org, deleted_at=None
+        )
+        if not role_has_global_access(org_member.role):
+            user_team_ids = TeamMembership.objects.filter(
+                org_member=org_member,
+                team__deleted_at__isnull=True,
+            ).values_list("team_id", flat=True)
+            qs = qs.filter(Q(team__isnull=True) | Q(team_id__in=user_team_ids))
+
+        return qs
 
 
 def resolve_service_account_handlers(root, info, org_id):
diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 8b4eee9b0..4cdfb144a 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -774,6 +774,7 @@ class ServiceAccountType(DjangoObjectType):
     app_memberships = graphene.List(graphene.NonNull(AppMembershipType))
     network_policies = graphene.List(graphene.NonNull(lambda: NetworkAccessPolicyType))
     identities = graphene.List(graphene.NonNull(lambda: IdentityType))
+    team = graphene.Field(lambda: TeamType)
 
     class Meta:
         model = ServiceAccount
@@ -785,6 +786,7 @@ class Meta:
             "created_at",
             "updated_at",
             "deleted_at",
+            "team",
         )
 
     def resolve_server_side_key_management_enabled(self, info):
diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 3d4d3cf93..57ae954b4 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -34,6 +34,7 @@
     EnableServiceAccountServerSideKeyManagementMutation,
     UpdateServiceAccountHandlersMutation,
     UpdateServiceAccountMutation,
+    UpdateServiceAccountOwnershipMutation,
 )
 from api.utils.syncing.vercel.main import VercelTeamProjectsType
 from .graphene.queries.syncing import (
@@ -1174,6 +1175,7 @@ class Mutation(graphene.ObjectType):
     delete_service_account = DeleteServiceAccountMutation.Field()
     create_service_account_token = CreateServiceAccountTokenMutation.Field()
     delete_service_account_token = DeleteServiceAccountTokenMutation.Field()
+    update_service_account_ownership = UpdateServiceAccountOwnershipMutation.Field()
 
     init_env_sync = InitEnvSync.Field()
     delete_env_sync = DeleteSync.Field()

From ff461baf21128dca58ff984e3034a0c579ece375 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 13 Apr 2026 17:47:17 +0530
Subject: [PATCH 020/118] feat: update GraphQL schema and codegen for
 team-owned SAs

---
 frontend/apollo/gql.ts                        |  46 +++---
 frontend/apollo/graphql.ts                    |  54 ++++++-
 frontend/apollo/schema.graphql                | 137 ++++++++++--------
 .../service-accounts/createServiceAccount.gql |   2 +
 .../updateServiceAccountOwnership.gql         |  11 ++
 .../getServiceAccountDetail.gql               |   4 +
 .../service-accounts/getServiceAccounts.gql   |   4 +
 frontend/graphql/queries/teams/getTeams.gql   |   4 +
 8 files changed, 172 insertions(+), 90 deletions(-)
 create mode 100644 frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 8799c7719..c41441b36 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -74,7 +74,7 @@ type Documents = {
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": typeof types.UpdateMemberRoleDocument,
     "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": typeof types.RotateAppKeyDocument,
-    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
+    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": typeof types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountTokenOpDocument,
@@ -82,6 +82,7 @@ type Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": typeof types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": typeof types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOpDocument,
+    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewCfPagesSyncDocument,
@@ -154,10 +155,10 @@ type Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": typeof types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": typeof types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
-    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
+    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": typeof types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": typeof types.ValidateAwsAssumeRoleAuthDocument,
@@ -179,7 +180,7 @@ type Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": typeof types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": typeof types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": typeof types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": typeof types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": typeof types.GetUserTokensDocument,
 };
@@ -233,9 +234,9 @@ const documents: Documents = {
     "mutation UpdateDynamicSecret($dynamicSecretId: ID!, $organisationId: ID!, $path: String, $name: String!, $description: String, $defaultTtl: Int, $maxTtl: Int, $authenticationId: ID, $config: AWSConfigInput!, $keyMap: [KeyMapInput]!) {\n  updateAwsDynamicSecret(\n    organisationId: $organisationId\n    dynamicSecretId: $dynamicSecretId\n    path: $path\n    name: $name\n    description: $description\n    defaultTtl: $defaultTtl\n    maxTtl: $maxTtl\n    authenticationId: $authenticationId\n    config: $config\n    keyMap: $keyMap\n  ) {\n    dynamicSecret {\n      id\n      name\n      description\n      provider\n      createdAt\n      updatedAt\n    }\n  }\n}": types.UpdateDynamicSecretDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": types.CreateSharedSecretDocument,
     "mutation UpdateEnvOrder($appId: ID!, $environmentOrder: [ID]!) {\n  updateEnvironmentOrder(appId: $appId, environmentOrder: $environmentOrder) {\n    ok\n  }\n}": types.UpdateEnvOrderDocument,
-    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateExtIdentityDocument,
+    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateExtIdentityDocument,
     "mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": types.DeleteExtIdentityDocument,
-    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateExtIdentityDocument,
+    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateExtIdentityDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": types.AcceptOrganisationInviteDocument,
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": types.DeleteOrgInviteDocument,
@@ -244,7 +245,7 @@ const documents: Documents = {
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": types.UpdateMemberRoleDocument,
     "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": types.RotateAppKeyDocument,
-    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
+    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountTokenOpDocument,
@@ -252,6 +253,7 @@ const documents: Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
+    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
@@ -298,8 +300,8 @@ const documents: Documents = {
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": types.GetDashboardDocument,
     "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}": types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": types.GetAwsStsEndpointsDocument,
-    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}": types.GetIdentityProvidersDocument,
-    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
+    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": types.GetIdentityProvidersDocument,
+    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
     "query CheckOrganisationNameAvailability($name: String!) {\n  organisationNameAvailable(name: $name)\n}": types.CheckOrganisationNameAvailabilityDocument,
     "query GetGlobalAccessUsers($organisationId: ID!) {\n  organisationGlobalAccessUsers(organisationId: $organisationId) {\n    id\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetGlobalAccessUsersDocument,
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": types.GetInvitesDocument,
@@ -324,10 +326,10 @@ const documents: Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
-    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
+    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": types.ValidateAwsAssumeRoleAuthDocument,
@@ -349,7 +351,7 @@ const documents: Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": types.GetUserTokensDocument,
 };
@@ -567,7 +569,7 @@ export function graphql(source: "mutation UpdateEnvOrder($appId: ID!, $environme
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+export function graphql(source: "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -575,7 +577,7 @@ export function graphql(source: "mutation DeleteExtIdentity($id: ID!) {\n  delet
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+export function graphql(source: "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tenantId: String, $resource: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tenantId: $tenantId\n    resource: $resource\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n        ... on AzureEntraConfigType {\n          tenantId\n          resource\n          allowedServicePrincipalIds\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -611,7 +613,7 @@ export function graphql(source: "mutation RotateAppKey($id: ID!, $appToken: Stri
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"];
+export function graphql(source: "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -640,6 +642,10 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -827,11 +833,11 @@ export function graphql(source: "query GetAwsStsEndpoints {\n  awsStsEndpoints\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}"): (typeof documents)["query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}"];
+export function graphql(source: "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}"): (typeof documents)["query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"): (typeof documents)["query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"): (typeof documents)["query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -931,7 +937,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -943,7 +949,7 @@ export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id:
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -1031,7 +1037,7 @@ export function graphql(source: "query GetVercelProjects($credentialId: ID!) {\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
+export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index b008daf3e..00f8644cc 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -1082,6 +1082,15 @@ export type Mutation = {
   updateProviderCredentials?: Maybe<UpdateProviderCredentials>;
   updateServiceAccount?: Maybe<UpdateServiceAccountMutation>;
   updateServiceAccountHandlers?: Maybe<UpdateServiceAccountHandlersMutation>;
+  /**
+   * Transfer a service account between org-level and team ownership.
+   *
+   * - team_id=null: Promote team-owned SA to org-level (clears team FK).
+   * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+   *
+   * Requires global_access (Owner/Admin only).
+   */
+  updateServiceAccountOwnership?: Maybe<UpdateServiceAccountOwnershipMutation>;
   updateSyncAuthentication?: Maybe<UpdateSyncAuthentication>;
   updateTeam?: Maybe<UpdateTeamMutation>;
   updateTeamAppEnvironments?: Maybe<UpdateTeamAppEnvironmentsMutation>;
@@ -1389,6 +1398,7 @@ export type MutationCreateServiceAccountArgs = {
   roleId?: InputMaybe<Scalars['ID']['input']>;
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
+  teamId?: InputMaybe<Scalars['ID']['input']>;
 };
 
 
@@ -1792,6 +1802,12 @@ export type MutationUpdateServiceAccountHandlersArgs = {
 };
 
 
+export type MutationUpdateServiceAccountOwnershipArgs = {
+  serviceAccountId: Scalars['ID']['input'];
+  teamId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type MutationUpdateSyncAuthenticationArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   syncId?: InputMaybe<Scalars['ID']['input']>;
@@ -2595,6 +2611,7 @@ export type ServiceAccountType = {
   networkPolicies?: Maybe<Array<NetworkAccessPolicyType>>;
   role?: Maybe<RoleType>;
   serverSideKeyManagementEnabled?: Maybe<Scalars['Boolean']['output']>;
+  team?: Maybe<TeamType>;
   tokens?: Maybe<Array<Maybe<ServiceAccountTokenType>>>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2792,6 +2809,19 @@ export type UpdateServiceAccountMutation = {
   serviceAccount?: Maybe<ServiceAccountType>;
 };
 
+/**
+ * Transfer a service account between org-level and team ownership.
+ *
+ * - team_id=null: Promote team-owned SA to org-level (clears team FK).
+ * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+ *
+ * Requires global_access (Owner/Admin only).
+ */
+export type UpdateServiceAccountOwnershipMutation = {
+  __typename?: 'UpdateServiceAccountOwnershipMutation';
+  serviceAccount?: Maybe<ServiceAccountType>;
+};
+
 export type UpdateSubscriptionResponse = {
   __typename?: 'UpdateSubscriptionResponse';
   cancelledAt?: Maybe<Scalars['String']['output']>;
@@ -3418,6 +3448,7 @@ export type CreateServiceAccountOpMutationVariables = Exact<{
   handlers?: InputMaybe<Array<InputMaybe<ServiceAccountHandlerInput>> | InputMaybe<ServiceAccountHandlerInput>>;
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
+  teamId?: InputMaybe<Scalars['ID']['input']>;
 }>;
 
 
@@ -3483,6 +3514,14 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
 
 export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
+export type UpdateServiceAccountOwnershipOpMutationVariables = Exact<{
+  serviceAccountId: Scalars['ID']['input'];
+  teamId?: InputMaybe<Scalars['ID']['input']>;
+}>;
+
+
+export type UpdateServiceAccountOwnershipOpMutation = { __typename?: 'Mutation', updateServiceAccountOwnership?: { __typename?: 'UpdateServiceAccountOwnershipMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null } | null };
+
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
   path: Scalars['String']['input'];
@@ -4106,7 +4145,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4129,7 +4168,7 @@ export type GetServiceAccountsQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
+export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
 
 export type GetOrganisationSyncsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4281,7 +4320,7 @@ export type GetTeamsQueryVariables = Exact<{
 }>;
 
 
-export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
+export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
 
 export type GetOrganisationMemberDetailQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
@@ -4359,7 +4398,7 @@ export const TransferOrgOwnershipDocument = {"kind":"Document","definitions":[{"
 export const UpdateMemberRoleDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateMemberRole"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationMemberRole"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateMemberRoleMutation, UpdateMemberRoleMutationVariables>;
 export const UpdateWrappedSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateWrappedSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateWrappedSecretsMutation, UpdateWrappedSecretsMutationVariables>;
 export const RotateAppKeyDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RotateAppKey"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"rotateAppKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"appToken"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RotateAppKeyMutation, RotateAppKeyMutationVariables>;
-export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
+export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
 export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountTokenOpMutation, DeleteServiceAccountTokenOpMutationVariables>;
@@ -4367,6 +4406,7 @@ export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitio
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
+export const UpdateServiceAccountOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOwnershipOpMutation, UpdateServiceAccountOwnershipOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewAzureKeyVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAzureKeyVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAzureKeyVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultUri"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}}},{"kind":"Argument","name":{"kind":"Name","value":"syncMode"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAzureKeyVaultSyncMutation, CreateNewAzureKeyVaultSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
@@ -4439,10 +4479,10 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"type"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
-export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
+export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
 export const GetOrganisationSyncsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationSyncs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"completedAt"}},{"kind":"Field","name":{"kind":"Name","value":"meta"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expectedCredentials"}},{"kind":"Field","name":{"kind":"Name","value":"optionalCredentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationSyncsQuery, GetOrganisationSyncsQueryVariables>;
 export const GetAwsSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"arn"}}]}}]}}]} as unknown as DocumentNode<GetAwsSecretsQuery, GetAwsSecretsQueryVariables>;
 export const ValidateAwsAssumeRoleAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"ValidateAWSAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateAwsAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"valid"}},{"kind":"Field","name":{"kind":"Name","value":"message"}},{"kind":"Field","name":{"kind":"Name","value":"method"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<ValidateAwsAssumeRoleAuthQuery, ValidateAwsAssumeRoleAuthQueryVariables>;
@@ -4464,6 +4504,6 @@ export const GetRailwayProjectsDocument = {"kind":"Document","definitions":[{"ki
 export const GetRenderResourcesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRenderResources"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renderServices"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}},{"kind":"Field","name":{"kind":"Name","value":"renderEnvgroups"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]} as unknown as DocumentNode<GetRenderResourcesQuery, GetRenderResourcesQueryVariables>;
 export const TestVaultAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"TestVaultAuth"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testVaultCreds"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}]}]}}]} as unknown as DocumentNode<TestVaultAuthQuery, TestVaultAuthQueryVariables>;
 export const GetVercelProjectsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetVercelProjects"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"vercelProjects"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"teamName"}},{"kind":"Field","name":{"kind":"Name","value":"projects"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"slug"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetVercelProjectsQuery, GetVercelProjectsQueryVariables>;
-export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
+export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
 export const GetOrganisationMemberDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMemberDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMemberDetailQuery, GetOrganisationMemberDetailQueryVariables>;
 export const GetUserTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetUserTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyShare"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]} as unknown as DocumentNode<GetUserTokensQuery, GetUserTokensQueryVariables>;
\ No newline at end of file
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index a6f8aaf57..1eb40991a 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -304,6 +304,7 @@ type ServiceAccountType {
   id: String!
   name: String!
   role: RoleType
+  team: TeamType
   identityKey: String
   createdAt: DateTime
   updatedAt: DateTime!
@@ -316,6 +317,56 @@ type ServiceAccountType {
   identities: [IdentityType!]
 }
 
+type TeamType {
+  id: String!
+  name: String!
+  description: String
+  memberRole: RoleType
+  serviceAccountRole: RoleType
+  isScimManaged: Boolean!
+  createdBy: OrganisationMemberType
+  createdAt: DateTime
+  updatedAt: DateTime!
+  members: [TeamMembershipType!]
+  apps: [AppType!]
+  appEnvironments: [TeamAppEnvironmentType!]
+  memberCount: Int
+}
+
+type TeamMembershipType {
+  id: String!
+  orgMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  createdAt: DateTime
+  email: String
+  fullName: String
+  avatarUrl: String
+}
+
+type AppType {
+  id: String!
+  name: String!
+  description: String
+  identityKey: String!
+  appVersion: Int!
+  appToken: String!
+  appSeed: String!
+  wrappedKeyShare: String!
+  createdAt: DateTime
+  updatedAt: DateTime!
+  sseEnabled: Boolean!
+  serviceAccounts: [ServiceAccountType]!
+  environments: [EnvironmentType]!
+  members: [OrganisationMemberType]!
+}
+
+type TeamAppEnvironmentType {
+  id: String!
+  app: AppMembershipType!
+  environment: EnvironmentType!
+  createdAt: DateTime
+}
+
 type ServiceAccountHandlerType {
   id: String!
   serviceAccount: ServiceAccountType!
@@ -367,18 +418,6 @@ type AwsIamConfigType {
   stsEndpoint: String
 }
 
-"""An enumeration."""
-enum ApiSecretEventTypeChoices {
-  """Secret"""
-  SECRET
-
-  """Sealed"""
-  SEALED
-
-  """Config"""
-  CONFIG
-}
-
 """An enumeration."""
 enum ApiSecretEventEventTypeChoices {
   """Create"""
@@ -625,56 +664,6 @@ type UserTokenType {
   createdBy: OrganisationMemberType
 }
 
-type TeamType {
-  id: String!
-  name: String!
-  description: String
-  memberRole: RoleType
-  serviceAccountRole: RoleType
-  isScimManaged: Boolean!
-  createdBy: OrganisationMemberType
-  createdAt: DateTime
-  updatedAt: DateTime!
-  members: [TeamMembershipType!]
-  apps: [AppType!]
-  appEnvironments: [TeamAppEnvironmentType!]
-  memberCount: Int
-}
-
-type TeamMembershipType {
-  id: String!
-  orgMember: OrganisationMemberType
-  serviceAccount: ServiceAccountType
-  createdAt: DateTime
-  email: String
-  fullName: String
-  avatarUrl: String
-}
-
-type AppType {
-  id: String!
-  name: String!
-  description: String
-  identityKey: String!
-  appVersion: Int!
-  appToken: String!
-  appSeed: String!
-  wrappedKeyShare: String!
-  createdAt: DateTime
-  updatedAt: DateTime!
-  sseEnabled: Boolean!
-  serviceAccounts: [ServiceAccountType]!
-  environments: [EnvironmentType]!
-  members: [OrganisationMemberType]!
-}
-
-type TeamAppEnvironmentType {
-  id: String!
-  app: AppMembershipType!
-  environment: EnvironmentType!
-  createdAt: DateTime
-}
-
 type PhaseLicenseType {
   id: String
   customerName: String
@@ -1088,7 +1077,7 @@ type Mutation {
   addTeamApps(appEnvs: [AppEnvironmentInput!]!, teamId: ID!): AddTeamAppsMutation
   removeTeamApp(appId: ID!, teamId: ID!): RemoveTeamAppMutation
   updateTeamAppEnvironments(appId: ID!, envIds: [ID!]!, teamId: ID!): UpdateTeamAppEnvironmentsMutation
-  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
+  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String, teamId: ID): CreateServiceAccountMutation
   enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
   enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
   updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
@@ -1096,6 +1085,16 @@ type Mutation {
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
   createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
+
+  """
+  Transfer a service account between org-level and team ownership.
+  
+  - team_id=null: Promote team-owned SA to org-level (clears team FK).
+  - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+  
+  Requires global_access (Owner/Admin only).
+  """
+  updateServiceAccountOwnership(serviceAccountId: ID!, teamId: ID): UpdateServiceAccountOwnershipMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
@@ -1409,6 +1408,18 @@ type DeleteServiceAccountTokenMutation {
   ok: Boolean
 }
 
+"""
+Transfer a service account between org-level and team ownership.
+
+- team_id=null: Promote team-owned SA to org-level (clears team FK).
+- team_id=<id>: Assign SA to a team (narrows visibility to team members).
+
+Requires global_access (Owner/Admin only).
+"""
+type UpdateServiceAccountOwnershipMutation {
+  serviceAccount: ServiceAccountType
+}
+
 type InitEnvSync {
   app: AppType
 }
diff --git a/frontend/graphql/mutations/service-accounts/createServiceAccount.gql b/frontend/graphql/mutations/service-accounts/createServiceAccount.gql
index de82a340e..4376e2e5c 100644
--- a/frontend/graphql/mutations/service-accounts/createServiceAccount.gql
+++ b/frontend/graphql/mutations/service-accounts/createServiceAccount.gql
@@ -6,6 +6,7 @@ mutation CreateServiceAccountOp(
   $handlers: [ServiceAccountHandlerInput]
   $serverWrappedKeyring: String
   $serverWrappedRecovery: String
+  $teamId: ID
 ) {
   createServiceAccount(
     name: $name
@@ -15,6 +16,7 @@ mutation CreateServiceAccountOp(
     handlers: $handlers
     serverWrappedKeyring: $serverWrappedKeyring
     serverWrappedRecovery: $serverWrappedRecovery
+    teamId: $teamId
   ) {
     serviceAccount {
       id
diff --git a/frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql b/frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql
new file mode 100644
index 000000000..f388a4fb8
--- /dev/null
+++ b/frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql
@@ -0,0 +1,11 @@
+mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {
+  updateServiceAccountOwnership(serviceAccountId: $serviceAccountId, teamId: $teamId) {
+    serviceAccount {
+      id
+      team {
+        id
+        name
+      }
+    }
+  }
+}
diff --git a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
index 532983b8f..b5a865cf9 100644
--- a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
+++ b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
@@ -35,6 +35,10 @@ query GetServiceAccountDetail($orgId: ID!, $id: ID) {
       allowedIps
       isGlobal
     }
+    team {
+      id
+      name
+    }
     identities { id provider name description }
   }
 }
diff --git a/frontend/graphql/queries/service-accounts/getServiceAccounts.gql b/frontend/graphql/queries/service-accounts/getServiceAccounts.gql
index 9856853f7..de27d7b3d 100644
--- a/frontend/graphql/queries/service-accounts/getServiceAccounts.gql
+++ b/frontend/graphql/queries/service-accounts/getServiceAccounts.gql
@@ -9,6 +9,10 @@ query GetServiceAccounts($orgId: ID!, $id: ID) {
       description
       color
     }
+    team {
+      id
+      name
+    }
     handlers {
       id
       wrappedKeyring
diff --git a/frontend/graphql/queries/teams/getTeams.gql b/frontend/graphql/queries/teams/getTeams.gql
index d8cd06e24..2cb00a7b6 100644
--- a/frontend/graphql/queries/teams/getTeams.gql
+++ b/frontend/graphql/queries/teams/getTeams.gql
@@ -50,6 +50,10 @@ query GetTeams($organisationId: ID!, $teamId: ID) {
           color
           permissions
         }
+        team {
+          id
+          name
+        }
       }
       email
       fullName

From 8a35df72385ea824c45b1b40094f16348e8c8e59 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 13 Apr 2026 17:47:21 +0530
Subject: [PATCH 021/118] feat: add team-owned service account UI

---
 .../service-accounts/[account]/page.tsx       | 340 ++++++++++++++++--
 .../CreateServiceAccountDialog.tsx            | 137 ++++---
 .../[team]/access/service-accounts/page.tsx   |  26 +-
 .../_components/AddTeamMembersDialog.tsx      | 269 ++++++++------
 .../app/[team]/access/teams/[teamId]/page.tsx | 224 ++++++++----
 5 files changed, 732 insertions(+), 264 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index 1e3c857b7..8a139bf2c 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -5,11 +5,11 @@ import { organisationContext } from '@/contexts/organisationContext'
 import { GetServiceAccountDetail } from '@/graphql/queries/service-accounts/getServiceAccountDetail.gql'
 import { UpdateServiceAccountOp } from '@/graphql/mutations/service-accounts/updateServiceAccount.gql'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
-import { userHasPermission } from '@/utils/access/permissions'
+import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
 import { useMutation, useQuery } from '@apollo/client'
 import Link from 'next/link'
-import { useContext, useEffect, useMemo, useState } from 'react'
-import { FaBan, FaBoxOpen, FaChevronLeft, FaCog, FaEdit, FaNetworkWired } from 'react-icons/fa'
+import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
+import { FaBan, FaBoxOpen, FaBuilding, FaChevronDown, FaChevronLeft, FaCog, FaEdit, FaLink, FaNetworkWired, FaUsers } from 'react-icons/fa'
 import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
 import { DeleteServiceAccountDialog } from '../_components/DeleteServiceAccountDialog'
 import { AddAppButton } from './_components/AddAppsToServiceAccountsButton'
@@ -27,11 +27,19 @@ import { UpdateAccountNetworkPolicies } from '@/components/access/UpdateAccountN
 import { ServiceAccountTokens } from './_components/ServiceAccountTokens'
 import { KeyManagementDialog } from '@/components/service-accounts/KeyManagementDialog'
 import { ServiceAccountIdentities } from './_components/ServiceAccountIdentities'
+import { UpdateServiceAccountOwnershipOp } from '@/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Alert } from '@/components/common/Alert'
+import { Listbox } from '@headlessui/react'
+import clsx from 'clsx'
 
 export default function ServiceAccount({ params }: { params: { team: string; account: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   const [name, setName] = useState('')
+  const [selectedTeamId, setSelectedTeamId] = useState<string | null>(null)
+  const [savingOwnership, setSavingOwnership] = useState(false)
+  const ownershipDialogRef = useRef<{ closeModal: () => void }>(null)
 
   const userCanReadSA = organisation
     ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read')
@@ -57,6 +65,10 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
     : false
 
+  const userIsGlobalAccess = organisation
+    ? userHasGlobalAccess(organisation.role!.permissions)
+    : false
+
   const { data, loading } = useQuery(GetServiceAccountDetail, {
     variables: { orgId: organisation?.id, id: params.account },
     skip: !organisation || !userCanReadSA,
@@ -69,8 +81,10 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
   })
 
   const [updateAccount] = useMutation(UpdateServiceAccountOp)
+  const [updateOwnership] = useMutation(UpdateServiceAccountOwnershipOp)
 
   const account: ServiceAccountType = data?.serviceAccounts[0]
+  const isTeamOwned = !!account?.team
 
   const accountTeams = useMemo(() => {
     if (!teamsData?.teams || !account) return []
@@ -79,6 +93,39 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     )
   }, [teamsData, account])
 
+  const isMultiTeamOrg = !isTeamOwned && accountTeams.length > 1
+
+  // Ownership can be changed by global_access users, or the creator of the owning team
+  const ownerTeam = useMemo(() => {
+    if (!account?.team || !teamsData?.teams) return null
+    return (teamsData.teams as TeamType[]).find((t) => t.id === account.team?.id) || null
+  }, [teamsData, account])
+
+  const userCanManageOwnership = useMemo(() => {
+    if (userIsGlobalAccess) return true
+    if (ownerTeam?.createdBy?.id && organisation?.memberId) {
+      return ownerTeam.createdBy.id === organisation.memberId
+    }
+    return false
+  }, [userIsGlobalAccess, ownerTeam, organisation])
+
+  // Non global-access users only see teams they're a member of
+  const availableTeams = useMemo(() => {
+    if (!teamsData?.teams) return []
+    const allTeams = teamsData.teams as TeamType[]
+    if (userIsGlobalAccess) return allTeams
+    return allTeams.filter((t) =>
+      t.members?.some((m) => m.orgMember?.id === organisation?.memberId)
+    )
+  }, [teamsData, userIsGlobalAccess, organisation])
+
+  // For team-owned SAs, only team members + global_access can manage
+  const userCanManageTeamSA = useMemo(() => {
+    if (!isTeamOwned) return true // org-level SAs use existing permission checks
+    if (userIsGlobalAccess) return true
+    return ownerTeam?.members?.some((m) => m.orgMember?.id === organisation?.memberId) ?? false
+  }, [isTeamOwned, userIsGlobalAccess, ownerTeam, organisation])
+
   const nameUpdated = account ? account.name !== name : false
 
   const updateName = async () => {
@@ -104,6 +151,34 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
 
   const resetName = () => setName(account.name)
 
+  const handleOwnershipSave = async () => {
+    setSavingOwnership(true)
+    try {
+      await updateOwnership({
+        variables: {
+          serviceAccountId: account.id,
+          teamId: selectedTeamId,
+        },
+        refetchQueries: [
+          {
+            query: GetServiceAccountDetail,
+            variables: { orgId: organisation?.id, id: params.account },
+          },
+        ],
+      })
+      toast.success(
+        selectedTeamId
+          ? 'Service account assigned to team'
+          : 'Service account promoted to organisation level'
+      )
+      if (ownershipDialogRef.current) ownershipDialogRef.current.closeModal()
+    } catch (e: any) {
+      toast.error(e.message)
+    } finally {
+      setSavingOwnership(false)
+    }
+  }
+
   useEffect(() => {
     if (account) setName(account.name)
   }, [account])
@@ -187,13 +262,30 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                   </div>
                 )}
               </h3>
-              <CopyButton
-                value={account.id}
-                buttonVariant="ghost"
-                title="Copy Service Account ID to clipboard"
-              >
-                <span className="text-neutral-500 text-xs font-mono">{account.id}</span>
-              </CopyButton>
+              <div className="flex items-center gap-2">
+                <CopyButton
+                  value={account.id}
+                  buttonVariant="ghost"
+                  title="Copy Service Account ID to clipboard"
+                >
+                  <span className="text-neutral-500 text-xs font-mono">{account.id}</span>
+                </CopyButton>
+                {account.team ? (
+                  <Link
+                    href={`/${params.team}/access/teams/${account.team.id}`}
+                    className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-blue-500/15 text-blue-600 dark:text-blue-400 hover:bg-blue-500/25 transition ease"
+                    title={`Owned by team "${account.team.name}" — bound to the team lifecycle`}
+                  >
+                    <FaLink className="text-[0.55rem]" />
+                    {account.team.name}
+                  </Link>
+                ) : (
+                  <span className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-neutral-500/15 text-neutral-600 dark:text-neutral-400" title="Organisation-level account — visible org-wide">
+                    <FaBuilding className="text-[0.55rem]" />
+                    Organisation
+                  </span>
+                )}
+              </div>
             </div>
           </div>
           <div className="flex items-center gap-2 text-sm text-neutral-500 mt-1">
@@ -206,7 +298,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             <span className="font-medium text-sm text-zinc-900 dark:text-zinc-100">
               {account.serverSideKeyManagementEnabled ? 'Server-side' : 'Client-side'} KMS
             </span>
-            {userCanUpdateSA && (
+            {userCanUpdateSA && userCanManageTeamSA && (
               <KeyManagementDialog serviceAccount={account} buttonVariant={'secondary'} />
             )}
           </div>
@@ -221,8 +313,11 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
 
           {/* Role Selector and Description */}
           <div className="space-y-2">
-            <div className="text-sm w-max">
-              <ServiceAccountRoleSelector account={account} displayOnly={!userCanUpdateSA} />
+            <div className="text-sm w-max flex items-center gap-2">
+              <ServiceAccountRoleSelector account={account} displayOnly={!userCanUpdateSA || isTeamOwned} />
+              {isTeamOwned && (
+                <span className="text-2xs text-neutral-500">(managed by team)</span>
+              )}
             </div>
 
             <div className="flex flex-col gap-1">
@@ -233,6 +328,144 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           </div>
         </div>
 
+        {userCanManageOwnership && userCanReadTeams && (
+          <div className="py-4 space-y-3">
+            <div className="flex items-center justify-between">
+              <div>
+                <div className="text-base font-medium">Ownership</div>
+                <div className="text-neutral-500 text-sm">
+                  {account.team
+                    ? 'This account is owned by a team and only visible to team members.'
+                    : 'This account is organisation-level and visible to all members with permission.'}
+                </div>
+              </div>
+              <GenericDialog
+                title="Manage Ownership"
+                buttonContent={<>Manage</>}
+                buttonVariant="secondary"
+                size="sm"
+                ref={ownershipDialogRef}
+                onOpen={() => {
+                  setSelectedTeamId(account.team?.id || null)
+                  setSavingOwnership(false)
+                }}
+              >
+                <div className="pt-4 space-y-4">
+                  <p className="text-sm text-neutral-500">
+                    Change who owns and manages this service account.
+                  </p>
+
+                  <Listbox
+                    value={selectedTeamId}
+                    onChange={setSelectedTeamId}
+                    disabled={isMultiTeamOrg}
+                  >
+                    {({ open }) => (
+                      <div className="relative">
+                        <Listbox.Button
+                          className={clsx(
+                            'w-full flex items-center justify-between gap-2 py-2 px-3 rounded-md bg-zinc-100 dark:bg-zinc-800 text-sm',
+                            isMultiTeamOrg ? 'opacity-60 cursor-not-allowed' : 'cursor-pointer'
+                          )}
+                        >
+                          <span className="flex items-center gap-1.5">
+                            {selectedTeamId ? (
+                              <>
+                                <FaUsers className="text-blue-500 text-xs" />
+                                {availableTeams.find((t) => t.id === selectedTeamId)?.name ||
+                                  account.team?.name}
+                              </>
+                            ) : (
+                              <>
+                                <FaBuilding className="text-neutral-500 text-xs" />
+                                Organisation (no team)
+                              </>
+                            )}
+                          </span>
+                          <FaChevronDown
+                            className={clsx(
+                              'transition-transform ease duration-300 text-neutral-500 text-xs',
+                              open ? 'rotate-180' : 'rotate-0'
+                            )}
+                          />
+                        </Listbox.Button>
+                        <Listbox.Options className="absolute z-10 mt-1 w-full bg-zinc-200 dark:bg-zinc-800 rounded-md shadow-2xl p-1 max-h-60 overflow-auto focus:outline-none">
+                          {userIsGlobalAccess && (
+                            <Listbox.Option value={null} as={Fragment}>
+                              {({ active, selected }) => (
+                                <div
+                                  className={clsx(
+                                    'px-3 py-2 cursor-pointer rounded text-sm flex items-center gap-1.5',
+                                    active && 'bg-zinc-300 dark:bg-zinc-700',
+                                    selected && 'font-medium'
+                                  )}
+                                >
+                                  <FaBuilding className="text-neutral-500 text-xs" />
+                                  Organisation (no team)
+                                </div>
+                              )}
+                            </Listbox.Option>
+                          )}
+                          {availableTeams.map((t) => (
+                            <Listbox.Option key={t.id} value={t.id} as={Fragment}>
+                              {({ active, selected }) => (
+                                <div
+                                  className={clsx(
+                                    'px-3 py-2 cursor-pointer rounded text-sm flex items-center gap-1.5',
+                                    active && 'bg-zinc-300 dark:bg-zinc-700',
+                                    selected && 'font-medium'
+                                  )}
+                                >
+                                  <FaUsers className="text-blue-500 text-xs" />
+                                  {t.name}
+                                </div>
+                              )}
+                            </Listbox.Option>
+                          ))}
+                        </Listbox.Options>
+                      </div>
+                    )}
+                  </Listbox>
+
+                  {isMultiTeamOrg && (
+                    <Alert variant="info" icon size="sm">
+                      <span className="text-xs">
+                        This account is a member of multiple teams and cannot be assigned to a
+                        specific team. Remove the account from all but one team before changing
+                        ownership.
+                      </span>
+                    </Alert>
+                  )}
+
+                  {isTeamOwned && selectedTeamId === null && (
+                    <Alert variant="warning" icon size="sm">
+                      <span className="text-xs">
+                        Promoting this account to organisation level will make it visible and
+                        manageable by all users with the relevant permissions. The existing team
+                        membership will be preserved.
+                      </span>
+                    </Alert>
+                  )}
+
+                  <div className="flex justify-end pt-2">
+                    <Button
+                      variant="primary"
+                      onClick={handleOwnershipSave}
+                      isLoading={savingOwnership}
+                      disabled={
+                        isMultiTeamOrg ||
+                        selectedTeamId === (account.team?.id || null)
+                      }
+                    >
+                      Save
+                    </Button>
+                  </div>
+                </div>
+              </GenericDialog>
+            </div>
+          </div>
+        )}
+
         {userCanReadTeams && (
           <div className="py-4 space-y-3">
             <div>
@@ -295,10 +528,23 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             <div>
               <div className="text-base font-medium">App Access</div>
               <div className="text-neutral-500 text-sm">
-                Manage the Apps and Environments that this account has access to
+                {isTeamOwned ? (
+                  <>
+                    App access for this account is managed through the{' '}
+                    <Link
+                      href={`/${params.team}/access/teams/${account.team!.id}`}
+                      className="text-blue-600 dark:text-blue-400 hover:underline"
+                    >
+                      {account.team!.name}
+                    </Link>{' '}
+                    team.
+                  </>
+                ) : (
+                  'Manage the Apps and Environments that this account has access to'
+                )}
               </div>
             </div>
-            {userCanReadAppMemberships && account.appMemberships?.length! > 0 && (
+            {!isTeamOwned && userCanReadAppMemberships && account.appMemberships?.length! > 0 && (
               <AddAppButton
                 serviceAccountId={params.account}
                 appMemberships={account.appMemberships ?? []}
@@ -343,30 +589,36 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                     </div>
 
                     {/* Manage Button */}
-                    <div className="flex justify-end">
-                      <Link
-                        className="opacity-0 group-hover:opacity-100 transition ease"
-                        href={`/${params.team}/apps/${appMembership?.id}/access/service-accounts?manageAccount=${account.id}`}
-                      >
-                        <Button variant="secondary" icon={FaCog}>
-                          Manage
-                        </Button>
-                      </Link>
-                    </div>
+                    {!isTeamOwned && (
+                      <div className="flex justify-end">
+                        <Link
+                          className="opacity-0 group-hover:opacity-100 transition ease"
+                          href={`/${params.team}/apps/${appMembership?.id}/access/service-accounts?manageAccount=${account.id}`}
+                        >
+                          <Button variant="secondary" icon={FaCog}>
+                            Manage
+                          </Button>
+                        </Link>
+                      </div>
+                    )}
                   </div>
                 ))
               ) : (
                 <div className="py-8">
                   <EmptyState
                     title="No Apps"
-                    subtitle="This Service Account does not have access to any Apps. Grant this account access from the Access tab of an App."
+                    subtitle={
+                      isTeamOwned
+                        ? `This account will gain app access through the ${account.team!.name} team.`
+                        : 'This Service Account does not have access to any Apps. Grant this account access from the Access tab of an App.'
+                    }
                     graphic={
                       <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
                         <FaBoxOpen />
                       </div>
                     }
                   >
-                    {userCanReadAppMemberships && (
+                    {!isTeamOwned && userCanReadAppMemberships && (
                       <AddAppButton
                         serviceAccountId={params.account}
                         appMemberships={account.appMemberships ?? []}
@@ -405,12 +657,20 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                   Manage the network access policy for this Account
                 </div>
               </div>
-              {account.networkPolicies?.length! > 0 && (
+              {userCanManageTeamSA && account.networkPolicies?.length! > 0 && (
                 <UpdateAccountNetworkPolicies account={account} />
               )}
             </div>
 
-            {account.networkPolicies?.length! > 0 ? (
+            {!userCanManageTeamSA ? (
+              <div className="py-6 text-center text-neutral-500 text-sm">
+                You must be a member of the{' '}
+                <Link href={`/${params.team}/access/teams/${account.team!.id}`} className="text-blue-600 dark:text-blue-400 hover:underline">
+                  {account.team!.name}
+                </Link>{' '}
+                team to manage network policies for this account.
+              </div>
+            ) : account.networkPolicies?.length! > 0 ? (
               <div className="divide-y divide-neutral-500/20 py-4">
                 {account.networkPolicies?.map((policy) => (
                   <div key={policy.id} className="flex items-center justify-between gap-2 py-2">
@@ -451,9 +711,27 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           </div>
         )}
 
-        <ServiceAccountTokens account={account} />
+        {userCanManageTeamSA ? (
+          <ServiceAccountTokens account={account} />
+        ) : (
+          <div className="py-4 space-y-3">
+            <div>
+              <div className="text-base font-medium">Tokens</div>
+              <div className="text-neutral-500 text-sm">
+                Service account access tokens
+              </div>
+            </div>
+            <div className="py-6 text-center text-neutral-500 text-sm">
+              You must be a member of the{' '}
+              <Link href={`/${params.team}/access/teams/${account.team!.id}`} className="text-blue-600 dark:text-blue-400 hover:underline">
+                {account.team!.name}
+              </Link>{' '}
+              team to manage tokens for this account.
+            </div>
+          </div>
+        )}
 
-        {userCanDeleteSA && (
+        {userCanDeleteSA && userCanManageTeamSA && (
           <div className="space-y-2 py-4">
             <div>
               <div className="text-base font-medium">Danger Zone</div>
diff --git a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
index c9217a8e4..db1fa21f4 100644
--- a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
@@ -1,7 +1,8 @@
 import { ApiOrganisationPlanChoices, OrganisationMemberType, RoleType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
+import { Alert } from '@/components/common/Alert'
 import { Fragment, useContext, useEffect, useRef, useState } from 'react'
-import { FaChevronDown, FaPlus } from 'react-icons/fa'
+import { FaChevronDown, FaLink, FaPlus } from 'react-icons/fa'
 import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServiceAccounts.gql'
 import { GetServiceAccountHandlers } from '@/graphql/queries/service-accounts/getServiceAccountHandlers.gql'
 import { GetRoles } from '@/graphql/queries/organisation/getRoles.gql'
@@ -28,7 +29,16 @@ import { UpsellDialog } from '@/components/settings/organisation/UpsellDialog'
 
 const bip39 = require('bip39')
 
-export const CreateServiceAccountDialog = () => {
+export const CreateServiceAccountDialog = ({
+  teamId,
+  teamName,
+  teamRole,
+}: {
+  teamId?: string
+  teamName?: string
+  teamRole?: RoleType | null
+} = {}) => {
+  const isTeamContext = !!teamId
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   const { data: roleData, loading: roleDataPending } = useQuery(GetRoles, {
@@ -74,13 +84,15 @@ export const CreateServiceAccountDialog = () => {
     ) || []
 
   useEffect(() => {
-    if (roleData?.roles) {
+    if (isTeamContext && teamRole) {
+      setRole(teamRole)
+    } else if (roleData?.roles) {
       const defaultRole = roleData?.roles.find(
         (role: RoleType) => role.name?.toLowerCase() === 'service'
       )
       if (defaultRole) setRole(defaultRole)
     }
-  }, [roleData])
+  }, [roleData, isTeamContext, teamRole])
 
   const handleCreateServiceAccount = (e: { preventDefault: () => void }) => {
     return new Promise<boolean>((resolve) => {
@@ -132,6 +144,7 @@ export const CreateServiceAccountDialog = () => {
             serverWrappedKeyring: serverKeys?.serverEncryptedKeyring || null,
             serverWrappedRecovery: serverKeys?.serverEncryptedMnemonic || null,
             handlers: handlerKeys,
+            teamId: teamId || null,
           },
           refetchQueries: [
             {
@@ -153,12 +166,17 @@ export const CreateServiceAccountDialog = () => {
     })
   }
 
+  const buttonLabel = isTeamContext ? 'Create Team Service Account' : 'Create Service Account'
+  const dialogTitle = isTeamContext
+    ? 'Create a Team Service Account'
+    : 'Create a new Service Account'
+
   if (upsell)
     return (
       <UpsellDialog
         buttonLabel={
           <>
-            <FaPlus /> Create Service Account
+            <FaPlus /> {buttonLabel}
           </>
         }
       />
@@ -166,65 +184,82 @@ export const CreateServiceAccountDialog = () => {
 
   return (
     <GenericDialog
-      title="Create a new Service Account"
+      title={dialogTitle}
       buttonContent={
         <>
-          <FaPlus /> Create Service Account
+          {isTeamContext ? <FaLink /> : <FaPlus />} {buttonLabel}
         </>
       }
-      buttonVariant="primary"
-      size="lg"
+      buttonVariant={isTeamContext ? 'secondary' : 'primary'}
+      size="md"
       ref={dialogRef}
     >
-      <form onSubmit={handleCreateServiceAccount}>
-        <div className="grid grid-cols-2 gap-6">
-          <Input value={name} setValue={setName} label="Account name" required maxLength={32} />
-          <div className="space-y-1 w-full">
-            <label className="block text-neutral-500 text-sm mb-2" htmlFor="role">
-              Role
-            </label>
-            <Listbox value={role} onChange={setRole} name="role">
-              {({ open }) => (
-                <>
-                  <Listbox.Button as={Fragment} aria-required>
-                    <div
-                      className={clsx(
-                        'py-2 flex items-center gap-4 w-full rounded-md h-10 cursor-pointer'
-                      )}
-                    >
-                      {role ? <RoleLabel role={role} /> : <>Select a role</>}
-                      <FaChevronDown
-                        className={clsx(
-                          'transition-transform ease duration-300 text-neutral-500',
-                          open ? 'rotate-180' : 'rotate-0'
-                        )}
-                      />
-                    </div>
-                  </Listbox.Button>
-                  <Listbox.Options className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-md shadow-2xl absolute z-10 w-max focus:outline-none">
-                    {roleOptions.map((role: RoleType) => (
-                      <Listbox.Option key={role.name} value={role} as={Fragment}>
-                        {({ active, selected }) => (
-                          <div
+      <form onSubmit={handleCreateServiceAccount} className="pt-4">
+        <div className="space-y-6">
+          {isTeamContext && (
+            <Alert variant="info" icon size="sm">
+              <span className="text-xs">
+                This service account will be owned by <strong>{teamName}</strong> and only visible
+                to team members. It cannot be removed from the team — only deleted or transferred.
+              </span>
+            </Alert>
+          )}
+          <div className="grid grid-cols-2 gap-6">
+            <Input value={name} setValue={setName} label="Account name" required maxLength={32} />
+            <div className="space-y-1 w-full">
+              <label className="block text-neutral-500 text-sm mb-2" htmlFor="role">
+                Role
+              </label>
+              {isTeamContext && teamRole ? (
+                <div className="py-2 flex items-center gap-2 h-10">
+                  <RoleLabel role={teamRole} />
+                  <span className="text-2xs text-neutral-500">(set by team)</span>
+                </div>
+              ) : (
+                <Listbox value={role} onChange={setRole} name="role">
+                  {({ open }) => (
+                    <>
+                      <Listbox.Button as={Fragment} aria-required>
+                        <div
+                          className={clsx(
+                            'py-2 flex items-center gap-4 w-full rounded-md h-10 cursor-pointer'
+                          )}
+                        >
+                          {role ? <RoleLabel role={role} /> : <>Select a role</>}
+                          <FaChevronDown
                             className={clsx(
-                              'flex items-center gap-2 p-2 cursor-pointer rounded-full',
-                              active && 'bg-zinc-300 dark:bg-zinc-700'
+                              'transition-transform ease duration-300 text-neutral-500',
+                              open ? 'rotate-180' : 'rotate-0'
+                            )}
+                          />
+                        </div>
+                      </Listbox.Button>
+                      <Listbox.Options className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-md shadow-2xl absolute z-10 w-max focus:outline-none">
+                        {roleOptions.map((role: RoleType) => (
+                          <Listbox.Option key={role.name} value={role} as={Fragment}>
+                            {({ active, selected }) => (
+                              <div
+                                className={clsx(
+                                  'flex items-center gap-2 p-2 cursor-pointer rounded-full',
+                                  active && 'bg-zinc-300 dark:bg-zinc-700'
+                                )}
+                              >
+                                <RoleLabel role={role} />
+                              </div>
                             )}
-                          >
-                            <RoleLabel role={role} />
-                          </div>
-                        )}
-                      </Listbox.Option>
-                    ))}
-                  </Listbox.Options>
-                </>
+                          </Listbox.Option>
+                        ))}
+                      </Listbox.Options>
+                    </>
+                  )}
+                </Listbox>
               )}
-            </Listbox>
+            </div>
           </div>
         </div>
         <div className="flex justify-end items-center gap-2 pt-6">
           <Button type="submit" variant="primary" isLoading={createPending}>
-            Create Service Account
+            {buttonLabel}
           </Button>
         </div>
       </form>
diff --git a/frontend/app/[team]/access/service-accounts/page.tsx b/frontend/app/[team]/access/service-accounts/page.tsx
index d8073e905..bc62b8cf0 100644
--- a/frontend/app/[team]/access/service-accounts/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/page.tsx
@@ -7,7 +7,7 @@ import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServic
 import { userHasPermission } from '@/utils/access/permissions'
 import { useQuery } from '@apollo/client'
 import { useContext, useState } from 'react'
-import { FaBan, FaChevronRight, FaSearch, FaTimesCircle } from 'react-icons/fa'
+import { FaBan, FaBuilding, FaChevronRight, FaLink, FaSearch, FaTimesCircle } from 'react-icons/fa'
 import { CreateServiceAccountDialog } from './_components/CreateServiceAccountDialog'
 import { FaRobot } from 'react-icons/fa6'
 import { relativeTimeFromDates } from '@/utils/time'
@@ -110,6 +110,10 @@ export default function ServiceAccounts({ params }: { params: { team: string } }
                       Role
                     </th>
 
+                    <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Ownership
+                    </th>
+
                     <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
                       Created
                     </th>
@@ -122,7 +126,7 @@ export default function ServiceAccounts({ params }: { params: { team: string } }
                         <Avatar serviceAccount={account} />
                         <div>
                           <div className="font-medium">{account.name}</div>
-                          <div className="text-sm text-neutral-500 font-mono">{account.id}</div>
+                          <div className="text-2xs text-neutral-500 font-mono">{account.id}</div>
                         </div>
                       </td>
 
@@ -130,6 +134,24 @@ export default function ServiceAccounts({ params }: { params: { team: string } }
                         <ServiceAccountRoleSelector account={account} displayOnly={true} />
                       </td>
 
+                      <td className="px-6 py-2">
+                        {account.team ? (
+                          <Link
+                            href={`/${params.team}/access/teams/${account.team.id}`}
+                            className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-blue-500/15 text-blue-600 dark:text-blue-400 hover:bg-blue-500/25 transition ease"
+                            title={`Owned by team "${account.team.name}" — bound to the team lifecycle`}
+                          >
+                            <FaLink className="text-[0.55rem]" />
+                            {account.team.name}
+                          </Link>
+                        ) : (
+                          <span className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-neutral-500/15 text-neutral-600 dark:text-neutral-400" title="Organisation-level account — visible org-wide">
+                            <FaBuilding className="text-[0.55rem]" />
+                            Organisation
+                          </span>
+                        )}
+                      </td>
+
                       <td className="px-6 py-2 text-sm">
                         {relativeTimeFromDates(new Date(account.createdAt))}
                       </td>
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
index ae578e6f5..0a0cdbc43 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
@@ -24,9 +24,11 @@ import { Tab } from '@headlessui/react'
 export const AddTeamMembersDialog = ({
   teamId,
   existingMembers,
+  mode = 'all',
 }: {
   teamId: string
   existingMembers: TeamMembershipType[]
+  mode?: 'all' | 'members' | 'service-accounts'
 }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
@@ -63,7 +65,7 @@ export const AddTeamMembersDialog = ({
 
   const availableSAs: ServiceAccountType[] =
     saData?.serviceAccounts?.filter(
-      (sa: ServiceAccountType) => !existingSaIds.has(sa.id)
+      (sa: ServiceAccountType) => !existingSaIds.has(sa.id) && !sa.team
     ) || []
 
   const filteredMembers =
@@ -100,7 +102,9 @@ export const AddTeamMembersDialog = ({
     })
   }
 
-  const totalSelected = selectedMembers.size + selectedSAs.size
+  const totalSelected =
+    (mode === 'service-accounts' ? 0 : selectedMembers.size) +
+    (mode === 'members' ? 0 : selectedSAs.size)
 
   const handleSubmit = async () => {
     if (totalSelected === 0) return
@@ -160,19 +164,107 @@ export const AddTeamMembersDialog = ({
 
   const selectedSummary = () => {
     const parts: string[] = []
-    if (selectedMembers.size > 0)
+    if (mode !== 'service-accounts' && selectedMembers.size > 0)
       parts.push(`${selectedMembers.size} member${selectedMembers.size !== 1 ? 's' : ''}`)
-    if (selectedSAs.size > 0)
+    if (mode !== 'members' && selectedSAs.size > 0)
       parts.push(`${selectedSAs.size} SA${selectedSAs.size !== 1 ? 's' : ''}`)
     return parts.length > 0 ? parts.join(', ') : '0 selected'
   }
 
+  const dialogTitle =
+    mode === 'members'
+      ? 'Add members to team'
+      : mode === 'service-accounts'
+        ? 'Add service accounts to team'
+        : 'Add members to team'
+
+  const buttonLabel =
+    mode === 'members'
+      ? 'Add Members'
+      : mode === 'service-accounts'
+        ? 'Add Service Accounts'
+        : 'Add Members'
+
+  const searchBar = (
+    <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
+      <FaSearch className="text-neutral-500 text-xs shrink-0" />
+      <input
+        placeholder={mode === 'service-accounts' ? 'Search service accounts' : mode === 'members' ? 'Search members' : 'Search accounts'}
+        className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
+        value={searchQuery}
+        onChange={(e) => setSearchQuery(e.target.value)}
+      />
+      <FaTimesCircle
+        className={clsx(
+          'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2 text-xs',
+          searchQuery ? 'opacity-100' : 'opacity-0'
+        )}
+        role="button"
+        onClick={() => setSearchQuery('')}
+      />
+    </div>
+  )
+
+  const membersList = (
+    <div className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
+      {filteredMembers.length === 0 ? (
+        <p className="text-xs text-neutral-500 text-center py-4">
+          {availableMembers.length === 0
+            ? 'All organisation members are already in this team'
+            : 'No members match your search'}
+        </p>
+      ) : (
+        filteredMembers.map((member: OrganisationMemberType) => (
+          <div
+            key={member.id}
+            className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
+            onClick={() => toggleMember(member.id)}
+          >
+            <ProfileCard member={member} size="md" />
+            <ToggleSwitch
+              size="sm"
+              value={selectedMembers.has(member.id)}
+              onToggle={() => toggleMember(member.id)}
+            />
+          </div>
+        ))
+      )}
+    </div>
+  )
+
+  const saList = (
+    <div className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
+      {filteredSAs.length === 0 ? (
+        <p className="text-xs text-neutral-500 text-center py-4">
+          {availableSAs.length === 0
+            ? 'All service accounts are already in this team'
+            : 'No service accounts match your search'}
+        </p>
+      ) : (
+        filteredSAs.map((sa: ServiceAccountType) => (
+          <div
+            key={sa.id}
+            className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
+            onClick={() => toggleSA(sa.id)}
+          >
+            <ProfileCard serviceAccount={sa} size="md" />
+            <ToggleSwitch
+              size="sm"
+              value={selectedSAs.has(sa.id)}
+              onToggle={() => toggleSA(sa.id)}
+            />
+          </div>
+        ))
+      )}
+    </div>
+  )
+
   return (
     <GenericDialog
-      title="Add members to team"
+      title={dialogTitle}
       buttonContent={
         <>
-          <FaPlus /> Add Members
+          <FaPlus /> {buttonLabel}
         </>
       }
       buttonVariant="primary"
@@ -180,117 +272,62 @@ export const AddTeamMembersDialog = ({
       onClose={reset}
     >
       <div className="space-y-3 pt-4">
-        <Tab.Group
-          onChange={() => {
-            setSearchQuery('')
-          }}
-        >
-          <Tab.List className="flex gap-2 w-full border-b border-neutral-500/20">
-            <Tab
-              className={({ selected }) =>
-                clsx(
-                  'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease flex items-center gap-1.5',
-                  selected
-                    ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
-                    : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
-                )
-              }
-            >
-              <FaUsers className="text-xs" /> Members
-              {selectedMembers.size > 0 && (
-                <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
-                  {selectedMembers.size}
-                </span>
-              )}
-            </Tab>
-            <Tab
-              className={({ selected }) =>
-                clsx(
-                  'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease flex items-center gap-1.5',
-                  selected
-                    ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
-                    : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
-                )
-              }
-            >
-              <FaRobot className="text-xs" /> Service Accounts
-              {selectedSAs.size > 0 && (
-                <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
-                  {selectedSAs.size}
-                </span>
-              )}
-            </Tab>
-          </Tab.List>
-
-          <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
-            <FaSearch className="text-neutral-500 text-xs shrink-0" />
-            <input
-              placeholder="Search accounts"
-              className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
-              value={searchQuery}
-              onChange={(e) => setSearchQuery(e.target.value)}
-            />
-            <FaTimesCircle
-              className={clsx(
-                'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2 text-xs',
-                searchQuery ? 'opacity-100' : 'opacity-0'
-              )}
-              role="button"
-              onClick={() => setSearchQuery('')}
-            />
-          </div>
+        {mode === 'all' ? (
+          <Tab.Group
+            onChange={() => {
+              setSearchQuery('')
+            }}
+          >
+            <Tab.List className="flex gap-2 w-full border-b border-neutral-500/20">
+              <Tab
+                className={({ selected }) =>
+                  clsx(
+                    'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease flex items-center gap-1.5',
+                    selected
+                      ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
+                      : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
+                  )
+                }
+              >
+                <FaUsers className="text-xs" /> Members
+                {selectedMembers.size > 0 && (
+                  <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
+                    {selectedMembers.size}
+                  </span>
+                )}
+              </Tab>
+              <Tab
+                className={({ selected }) =>
+                  clsx(
+                    'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease flex items-center gap-1.5',
+                    selected
+                      ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
+                      : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
+                  )
+                }
+              >
+                <FaRobot className="text-xs" /> Service Accounts
+                {selectedSAs.size > 0 && (
+                  <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
+                    {selectedSAs.size}
+                  </span>
+                )}
+              </Tab>
+            </Tab.List>
+
+            {searchBar}
 
-          <Tab.Panels>
-            <Tab.Panel className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
-              {filteredMembers.length === 0 ? (
-                <p className="text-xs text-neutral-500 text-center py-4">
-                  {availableMembers.length === 0
-                    ? 'All organisation members are already in this team'
-                    : 'No members match your search'}
-                </p>
-              ) : (
-                filteredMembers.map((member: OrganisationMemberType) => (
-                  <div
-                    key={member.id}
-                    className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
-                    onClick={() => toggleMember(member.id)}
-                  >
-                    <ProfileCard member={member} size="md" />
-                    <ToggleSwitch
-                      size="sm"
-                      value={selectedMembers.has(member.id)}
-                      onToggle={() => toggleMember(member.id)}
-                    />
-                  </div>
-                ))
-              )}
-            </Tab.Panel>
-            <Tab.Panel className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
-              {filteredSAs.length === 0 ? (
-                <p className="text-xs text-neutral-500 text-center py-4">
-                  {availableSAs.length === 0
-                    ? 'All service accounts are already in this team'
-                    : 'No service accounts match your search'}
-                </p>
-              ) : (
-                filteredSAs.map((sa: ServiceAccountType) => (
-                  <div
-                    key={sa.id}
-                    className="flex items-center justify-between py-1 cursor-pointer hover:bg-zinc-100 dark:hover:bg-zinc-800 px-2 rounded"
-                    onClick={() => toggleSA(sa.id)}
-                  >
-                    <ProfileCard serviceAccount={sa} size="md" />
-                    <ToggleSwitch
-                      size="sm"
-                      value={selectedSAs.has(sa.id)}
-                      onToggle={() => toggleSA(sa.id)}
-                    />
-                  </div>
-                ))
-              )}
-            </Tab.Panel>
-          </Tab.Panels>
-        </Tab.Group>
+            <Tab.Panels>
+              <Tab.Panel>{membersList}</Tab.Panel>
+              <Tab.Panel>{saList}</Tab.Panel>
+            </Tab.Panels>
+          </Tab.Group>
+        ) : (
+          <>
+            {searchBar}
+            {mode === 'members' ? membersList : saList}
+          </>
+        )}
 
         <div className="flex justify-between items-center">
           <span className="text-2xs text-neutral-500">{selectedSummary()}</span>
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 184724202..fa1c7ec22 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -16,10 +16,13 @@ import { useRouter } from 'next/navigation'
 import { useContext } from 'react'
 import {
   FaBan,
+  FaBuilding,
   FaChevronLeft,
   FaClock,
   FaCog,
+  FaCrown,
   FaExternalLinkAlt,
+  FaLink,
   FaRobot,
   FaUsers,
 } from 'react-icons/fa'
@@ -28,6 +31,8 @@ import { AddTeamAppsDialog } from './_components/AddTeamAppsDialog'
 import { RemoveTeamMemberDialog } from './_components/RemoveTeamMemberDialog'
 import { UpdateTeamDialog } from './_components/UpdateTeamDialog'
 import { DeleteTeamDialog } from '../_components/DeleteTeamDialog'
+import { CreateServiceAccountDialog } from '../../service-accounts/_components/CreateServiceAccountDialog'
+import { DeleteServiceAccountDialog } from '../../service-accounts/_components/DeleteServiceAccountDialog'
 
 export default function TeamDetail({ params }: { params: { team: string; teamId: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -45,6 +50,10 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
     ? userHasPermission(organisation.role!.permissions, 'Teams', 'delete')
     : false
 
+  const userCanCreateSA = organisation
+    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'create')
+    : false
+
   const { data, loading } = useQuery(GetTeams, {
     variables: { organisationId: organisation?.id, teamId: params.teamId },
     skip: !organisation || !userCanReadTeams,
@@ -176,35 +185,34 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
           )}
         </div>
 
-        {/* Members Section */}
+        {/* Members Section (human users only) */}
         <div className="pt-4 space-y-3 border-t border-neutral-500/40">
           <div className="flex items-center justify-between">
             <div>
               <div className="text-base font-medium">Members</div>
               <div className="text-neutral-500 text-sm">
-                Members and service accounts in this team
+                Organisation members in this team
               </div>
             </div>
             {userCanUpdateTeams && !team.isScimManaged && (
-              <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} />
+              <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="members" />
             )}
           </div>
 
           <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
-            {team.members && team.members.length > 0 ? (
-              team.members.map((membership: TeamMembershipType) => {
-                const isUser = !!membership.orgMember
-                const memberId = isUser ? membership.orgMember!.id : membership.serviceAccount!.id
-                const displayName = isUser
-                  ? membership.fullName || membership.email || 'Unknown'
-                  : membership.serviceAccount!.name || 'Service Account'
-
-                return (
-                  <div
-                    key={membership.id}
-                    className="grid grid-cols-1 md:grid-cols-4 gap-4 items-center py-1.5 px-2 group"
-                  >
-                    {isUser ? (
+            {(() => {
+              const humanMembers = (team.members || []).filter((m) => m.orgMember)
+              return humanMembers.length > 0 ? (
+                humanMembers.map((membership: TeamMembershipType) => {
+                  const memberId = membership.orgMember!.id
+                  const displayName = membership.fullName || membership.email || 'Unknown'
+                  const isTeamCreator = team.createdBy?.id === membership.orgMember?.id
+
+                  return (
+                    <div
+                      key={membership.id}
+                      className="grid grid-cols-1 md:grid-cols-4 gap-4 items-center py-1.5 px-2 group"
+                    >
                       <ProfileCard
                         user={{
                           name: membership.fullName,
@@ -213,58 +221,146 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                         }}
                         size="md"
                       />
-                    ) : (
-                      <ProfileCard
-                        serviceAccount={membership.serviceAccount!}
-                        size="md"
-                      />
-                    )}
-
-                    <div>
-                      {isUser && membership.orgMember?.role && (
-                        <RoleLabel role={membership.orgMember.role} size="xs" />
-                      )}
-                      {!isUser && membership.serviceAccount?.role && (
-                        <RoleLabel role={membership.serviceAccount.role} size="xs" />
-                      )}
-                    </div>
 
-                    <div className="text-2xs text-neutral-500">
-                      Added {relativeTimeFromDates(new Date(membership.createdAt))}
+                      <div className="flex items-center gap-1.5">
+                        {membership.orgMember?.role && (
+                          <RoleLabel role={membership.orgMember.role} size="xs" />
+                        )}
+                        {isTeamCreator && (
+                          <FaCrown className="text-amber-500 text-xs shrink-0" title="Team owner" />
+                        )}
+                      </div>
+
+                      <div className="text-2xs text-neutral-500">
+                        Added {relativeTimeFromDates(new Date(membership.createdAt))}
+                      </div>
+
+                      <div className="flex justify-end gap-1 opacity-0 group-hover:opacity-100 transition ease">
+                        <Link
+                          href={`/${params.team}/access/members/${memberId}`}
+                          title={`View ${displayName}`}
+                        >
+                          <Button variant="secondary">
+                            <FaExternalLinkAlt /> Manage account
+                          </Button>
+                        </Link>
+                        {userCanUpdateTeams &&
+                          !team.isScimManaged &&
+                          !(team.createdBy?.id === membership.orgMember?.id) && (
+                            <RemoveTeamMemberDialog
+                              teamId={team.id}
+                              memberId={memberId}
+                              memberName={displayName}
+                              memberType="USER"
+                            />
+                          )}
+                      </div>
                     </div>
+                  )
+                })
+              ) : (
+                <div className="py-8 text-center text-neutral-500">
+                  This team does not have any members yet.
+                </div>
+              )
+            })()}
+          </div>
+        </div>
+
+        {/* Service Accounts Section (all SAs with ownership column) */}
+        <div className="pt-4 space-y-3 border-t border-neutral-500/40">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-base font-medium">Service Accounts</div>
+              <div className="text-neutral-500 text-sm">
+                Service accounts in this team
+              </div>
+            </div>
+            <div className="flex items-center gap-2">
+              {userCanCreateSA && (
+                <CreateServiceAccountDialog
+                  teamId={team.id}
+                  teamName={team.name}
+                  teamRole={team.serviceAccountRole}
+                />
+              )}
+              {userCanUpdateTeams && !team.isScimManaged && (
+                <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="service-accounts" />
+              )}
+            </div>
+          </div>
+
+          <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
+            {(() => {
+              const saMembers = (team.members || []).filter((m) => m.serviceAccount)
+              return saMembers.length > 0 ? (
+                saMembers.map((membership: TeamMembershipType) => {
+                  const sa = membership.serviceAccount!
+                  const isTeamOwned = sa.team?.id === team.id
+
+                  return (
+                    <div
+                      key={membership.id}
+                      className="grid grid-cols-1 md:grid-cols-5 gap-4 items-center py-1.5 px-2 group"
+                    >
+                      <ProfileCard serviceAccount={sa} size="md" />
+
+                      <div>
+                        {sa.role && <RoleLabel role={sa.role} size="xs" />}
+                      </div>
 
-                    <div className="flex justify-end gap-1 opacity-0 group-hover:opacity-100 transition ease">
-                      <Link
-                        href={
-                          isUser
-                            ? `/${params.team}/access/members/${memberId}`
-                            : `/${params.team}/access/service-accounts/${memberId}`
-                        }
-                        title={`View ${displayName}`}
-                      >
-                        <Button variant="secondary">
-                          <FaExternalLinkAlt /> Manage account
-                        </Button>
-                      </Link>
-                      {userCanUpdateTeams &&
-                        !team.isScimManaged &&
-                        !(isUser && team.createdBy?.id === membership.orgMember?.id) && (
-                          <RemoveTeamMemberDialog
-                            teamId={team.id}
-                            memberId={memberId}
-                            memberName={displayName}
-                            memberType={isUser ? 'USER' : 'SERVICE'}
-                          />
+                      <div>
+                        {isTeamOwned ? (
+                          <span className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-blue-500/15 text-blue-600 dark:text-blue-400" title="Owned by this team — bound to the team lifecycle">
+                            <FaLink className="text-[0.55rem]" />
+                            Team
+                          </span>
+                        ) : (
+                          <span className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-neutral-500/15 text-neutral-600 dark:text-neutral-400" title="Organisation-level account — visible org-wide">
+                            <FaBuilding className="text-[0.55rem]" />
+                            Organisation
+                          </span>
                         )}
+                      </div>
+
+                      <div className="text-2xs text-neutral-500">
+                        Added {relativeTimeFromDates(new Date(membership.createdAt))}
+                      </div>
+
+                      <div className="flex justify-end gap-1 opacity-0 group-hover:opacity-100 transition ease">
+                        <Link
+                          href={`/${params.team}/access/service-accounts/${sa.id}`}
+                          title={`View ${sa.name}`}
+                        >
+                          <Button variant="secondary">
+                            <FaExternalLinkAlt /> Manage
+                          </Button>
+                        </Link>
+                        {isTeamOwned ? (
+                          userCanUpdateTeams && (
+                            <DeleteServiceAccountDialog account={sa} />
+                          )
+                        ) : (
+                          userCanUpdateTeams && !team.isScimManaged && (
+                            <RemoveTeamMemberDialog
+                              teamId={team.id}
+                              memberId={sa.id}
+                              memberName={sa.name || 'Service Account'}
+                              memberType="SERVICE"
+                            />
+                          )
+                        )}
+                      </div>
                     </div>
-                  </div>
-                )
-              })
-            ) : (
-              <div className="py-8 text-center text-neutral-500">
-                This team does not have any members yet.
-              </div>
-            )}
+                  )
+                })
+              ) : (
+                <div className="py-8 text-center text-neutral-500">
+                  No service accounts in this team.
+                  {userCanCreateSA && ' Create a team-owned service account or add an existing one.'}
+                </div>
+              )
+            })()}
           </div>
         </div>
 

From 9a0d71c43da1e915fbccf9fa10734ad2303ea7c7 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 13 Apr 2026 20:24:11 +0530
Subject: [PATCH 022/118] fix: misc permission and access check enforcements

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/access/permissions.py       | 20 +++++++++++
 .../graphene/mutations/service_accounts.py    | 13 ++------
 backend/backend/graphene/mutations/teams.py   | 21 ++++++++++++
 .../app/[team]/access/teams/[teamId]/page.tsx | 33 ++++++++++++++++++-
 frontend/app/[team]/access/teams/page.tsx     | 21 ++++++++----
 5 files changed, 90 insertions(+), 18 deletions(-)

diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index add8d74ae..7cd1e000c 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -70,6 +70,26 @@ def service_account_can_access_environment(account_id, env_id):
     ).exists()
 
 
+def user_is_team_member(user_id, team_id):
+    """Check if a user is a member of a team, or has global access (Owner/Admin)."""
+    OrganisationMember = apps.get_model("api", "OrganisationMember")
+    Team = apps.get_model("api", "Team")
+    TeamMembership = apps.get_model("api", "TeamMembership")
+
+    team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+    org_member = OrganisationMember.objects.get(
+        user_id=user_id, organisation=team.organisation, deleted_at=None
+    )
+
+    if role_has_global_access(org_member.role):
+        return True
+
+    return TeamMembership.objects.filter(
+        team=team,
+        org_member=org_member,
+    ).exists()
+
+
 def member_can_access_org(member_id, org_id):
     OrganisationMember = apps.get_model("api", "OrganisationMember")
     return OrganisationMember.objects.filter(
diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index 02c1cfff9..40b3f35a1 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -16,6 +16,7 @@
     role_has_global_access,
     user_has_permission,
     user_is_org_member,
+    user_is_team_member,
 )
 from backend.graphene.types import ServiceAccountTokenType, ServiceAccountType
 from datetime import datetime
@@ -28,17 +29,7 @@ def _check_team_sa_access(user, service_account):
     if service_account.team is None:
         return
 
-    org_member = OrganisationMember.objects.get(
-        user=user, organisation=service_account.organisation, deleted_at=None
-    )
-    if role_has_global_access(org_member.role):
-        return
-
-    if not TeamMembership.objects.filter(
-        team=service_account.team,
-        org_member=org_member,
-        team__deleted_at__isnull=True,
-    ).exists():
+    if not user_is_team_member(user.userId, service_account.team_id):
         raise GraphQLError("You don't have access to this Service Account")
 
 
diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index dafc4d6ff..69b821ce5 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -17,6 +17,7 @@
     user_can_access_app,
     user_has_permission,
     user_is_org_member,
+    user_is_team_member,
 )
 from api.utils.keys import (
     provision_team_environment_keys,
@@ -33,6 +34,12 @@ def _get_org_member(user, org):
     )
 
 
+def _check_team_membership(user, team):
+    """Verify the user is a member of the team or has global access (Owner/Admin)."""
+    if not user_is_team_member(user.userId, team.id):
+        raise GraphQLError("You don't have access to this team")
+
+
 class CreateTeamMutation(graphene.Mutation):
     class Arguments:
         organisation_id = graphene.ID(required=True)
@@ -129,6 +136,8 @@ def mutate(
         if not user_has_permission(user, "update", "Teams", org):
             raise GraphQLError("You don't have permission to update Teams")
 
+        _check_team_membership(user, team)
+
         if team.is_scim_managed:
             raise GraphQLError(
                 "This team is managed by SCIM and cannot be manually updated"
@@ -182,6 +191,8 @@ def mutate(cls, root, info, team_id):
         if not user_has_permission(user, "delete", "Teams", org):
             raise GraphQLError("You don't have permission to delete Teams")
 
+        _check_team_membership(user, team)
+
         # Revoke all team environment key grants
         revoke_team_environment_keys(team)
 
@@ -220,6 +231,8 @@ def mutate(cls, root, info, team_id, member_ids, member_type=MemberType.USER):
         if not user_has_permission(user, "update", "Teams", org):
             raise GraphQLError("You don't have permission to manage Teams")
 
+        _check_team_membership(user, team)
+
         if team.is_scim_managed:
             raise GraphQLError(
                 "This team is managed by SCIM. Members cannot be manually added."
@@ -284,6 +297,8 @@ def mutate(cls, root, info, team_id, member_id, member_type=MemberType.USER):
         if not user_has_permission(user, "update", "Teams", org):
             raise GraphQLError("You don't have permission to manage Teams")
 
+        _check_team_membership(user, team)
+
         if team.is_scim_managed:
             raise GraphQLError(
                 "This team is managed by SCIM. Members cannot be manually removed."
@@ -335,6 +350,8 @@ def mutate(cls, root, info, team_id, app_envs):
         if not user_has_permission(user, "update", "Teams", org):
             raise GraphQLError("You don't have permission to manage Teams")
 
+        _check_team_membership(user, team)
+
         for app_env in app_envs:
             app = App.objects.get(id=app_env.app_id, organisation=org)
 
@@ -382,6 +399,8 @@ def mutate(cls, root, info, team_id, app_id):
         if not user_has_permission(user, "update", "Teams", org):
             raise GraphQLError("You don't have permission to manage Teams")
 
+        _check_team_membership(user, team)
+
         app = App.objects.get(id=app_id, organisation=org)
 
         # Revoke grants before removing the app-env links
@@ -412,6 +431,8 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
         if not user_has_permission(user, "update", "Teams", org):
             raise GraphQLError("You don't have permission to manage Teams")
 
+        _check_team_membership(user, team)
+
         app = App.objects.get(id=app_id, organisation=org)
 
         if not user_can_access_app(user.userId, app.id):
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index fa1c7ec22..4374dba3b 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -8,7 +8,7 @@ import { ProfileCard } from '@/components/common/ProfileCard'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
-import { userHasPermission } from '@/utils/access/permissions'
+import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
 import { relativeTimeFromDates } from '@/utils/time'
 import { useQuery } from '@apollo/client'
 import Link from 'next/link'
@@ -54,6 +54,10 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
     ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'create')
     : false
 
+  const userIsGlobalAccess = organisation
+    ? userHasGlobalAccess(organisation.role!.permissions)
+    : false
+
   const { data, loading } = useQuery(GetTeams, {
     variables: { organisationId: organisation?.id, teamId: params.teamId },
     skip: !organisation || !userCanReadTeams,
@@ -105,6 +109,33 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
       </section>
     )
 
+  const userIsMember =
+    userIsGlobalAccess ||
+    team.members?.some((m) => m.orgMember?.id === organisation?.memberId) ||
+    false
+
+  if (!userIsMember)
+    return (
+      <section className="p-4">
+        <EmptyState
+          title="Access restricted"
+          subtitle="You are not a member of this team. Only team members and organisation admins can view this page."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+              <FaBan />
+            </div>
+          }
+        >
+          <Link
+            href={`/${params.team}/access/teams`}
+            className="text-neutral-500 flex items-center gap-2 text-sm hover:text-zinc-800 dark:hover:text-zinc-200 transition ease"
+          >
+            <FaChevronLeft /> Back to teams
+          </Link>
+        </EmptyState>
+      </section>
+    )
+
   // Group environments by app
   const envsByApp: Record<string, { app: AppType; envs: TeamAppEnvironmentType[] }> = {}
   for (const tae of team.appEnvironments || []) {
diff --git a/frontend/app/[team]/access/teams/page.tsx b/frontend/app/[team]/access/teams/page.tsx
index 67338da64..3a639c425 100644
--- a/frontend/app/[team]/access/teams/page.tsx
+++ b/frontend/app/[team]/access/teams/page.tsx
@@ -6,7 +6,7 @@ import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
-import { userHasPermission } from '@/utils/access/permissions'
+import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
 import { relativeTimeFromDates } from '@/utils/time'
 import { useQuery } from '@apollo/client'
 import Link from 'next/link'
@@ -39,6 +39,10 @@ export default function Teams({ params }: { params: { team: string } }) {
     ? userHasPermission(organisation.role!.permissions, 'Teams', 'create')
     : false
 
+  const userIsGlobalAccess = organisation
+    ? userHasGlobalAccess(organisation.role!.permissions)
+    : false
+
   const { data, loading } = useQuery(GetTeams, {
     variables: { organisationId: organisation?.id },
     skip: !organisation || !userCanReadTeams,
@@ -147,6 +151,9 @@ export default function Teams({ params }: { params: { team: string } }) {
                       orgMembers.length > 5 ? orgMembers.length - 5 : 0
                     const surplusSaCount =
                       serviceAccounts.length > 3 ? serviceAccounts.length - 3 : 0
+                    const isMember =
+                      userIsGlobalAccess ||
+                      orgMembers.some((m) => m.orgMember?.id === organisation?.memberId)
 
                     return (
                       <tr key={team.id} className="group">
@@ -276,11 +283,13 @@ export default function Teams({ params }: { params: { team: string } }) {
                           </div>
                         </td>
                         <td className="px-6 py-2 whitespace-nowrap text-right">
-                          <Link href={`/${params.team}/access/teams/${team.id}`}>
-                            <Button variant="secondary">
-                              Manage <FaChevronRight />
-                            </Button>
-                          </Link>
+                          {isMember && (
+                            <Link href={`/${params.team}/access/teams/${team.id}`}>
+                              <Button variant="secondary">
+                                Manage <FaChevronRight />
+                              </Button>
+                            </Link>
+                          )}
                         </td>
                       </tr>
                     )

From e38e53c444eb72caa534372a49fcdd905dbcd723 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 13 Apr 2026 20:35:26 +0530
Subject: [PATCH 023/118] feat: misc ui and copy tweaks for team service
 accounts

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../CreateServiceAccountDialog.tsx            |  4 +--
 .../_components/AddTeamMembersDialog.tsx      | 32 +++++++++++--------
 .../app/[team]/access/teams/[teamId]/page.tsx |  6 ++--
 3 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
index db1fa21f4..2800ea9a6 100644
--- a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
@@ -190,7 +190,7 @@ export const CreateServiceAccountDialog = ({
           {isTeamContext ? <FaLink /> : <FaPlus />} {buttonLabel}
         </>
       }
-      buttonVariant={isTeamContext ? 'secondary' : 'primary'}
+      buttonVariant="primary"
       size="md"
       ref={dialogRef}
     >
@@ -200,7 +200,7 @@ export const CreateServiceAccountDialog = ({
             <Alert variant="info" icon size="sm">
               <span className="text-xs">
                 This service account will be owned by <strong>{teamName}</strong> and only visible
-                to team members. It cannot be removed from the team — only deleted or transferred.
+                to team members.
               </span>
             </Alert>
           )}
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
index 0a0cdbc43..55011f878 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
@@ -1,10 +1,6 @@
 'use client'
 
-import {
-  OrganisationMemberType,
-  ServiceAccountType,
-  TeamMembershipType,
-} from '@/apollo/graphql'
+import { OrganisationMemberType, ServiceAccountType, TeamMembershipType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
 import { ToggleSwitch } from '@/components/common/ToggleSwitch'
@@ -20,15 +16,18 @@ import { FaPlus, FaSearch, FaTimesCircle, FaUsers, FaRobot } from 'react-icons/f
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
 import { Tab } from '@headlessui/react'
+import { Alert } from '@/components/common/Alert'
 
 export const AddTeamMembersDialog = ({
   teamId,
   existingMembers,
   mode = 'all',
+  buttonVariant = 'primary',
 }: {
   teamId: string
   existingMembers: TeamMembershipType[]
   mode?: 'all' | 'members' | 'service-accounts'
+  buttonVariant?: 'primary' | 'secondary'
 }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
@@ -79,9 +78,7 @@ export const AddTeamMembersDialog = ({
 
   const filteredSAs =
     searchQuery !== ''
-      ? availableSAs.filter((sa) =>
-          sa.name?.toLowerCase().includes(searchQuery.toLowerCase())
-        )
+      ? availableSAs.filter((sa) => sa.name?.toLowerCase().includes(searchQuery.toLowerCase()))
       : availableSAs
 
   const toggleMember = (id: string) => {
@@ -145,9 +142,7 @@ export const AddTeamMembersDialog = ({
       if (selectedMembers.size > 0)
         parts.push(`${selectedMembers.size} member${selectedMembers.size !== 1 ? 's' : ''}`)
       if (selectedSAs.size > 0)
-        parts.push(
-          `${selectedSAs.size} service account${selectedSAs.size !== 1 ? 's' : ''}`
-        )
+        parts.push(`${selectedSAs.size} service account${selectedSAs.size !== 1 ? 's' : ''}`)
       toast.success(`Added ${parts.join(' and ')} to team`)
       reset()
       dialogRef.current?.closeModal()
@@ -189,7 +184,13 @@ export const AddTeamMembersDialog = ({
     <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
       <FaSearch className="text-neutral-500 text-xs shrink-0" />
       <input
-        placeholder={mode === 'service-accounts' ? 'Search service accounts' : mode === 'members' ? 'Search members' : 'Search accounts'}
+        placeholder={
+          mode === 'service-accounts'
+            ? 'Search service accounts'
+            : mode === 'members'
+              ? 'Search members'
+              : 'Search accounts'
+        }
         className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
         value={searchQuery}
         onChange={(e) => setSearchQuery(e.target.value)}
@@ -267,7 +268,7 @@ export const AddTeamMembersDialog = ({
           <FaPlus /> {buttonLabel}
         </>
       }
-      buttonVariant="primary"
+      buttonVariant={buttonVariant}
       ref={dialogRef}
       onClose={reset}
     >
@@ -324,6 +325,11 @@ export const AddTeamMembersDialog = ({
           </Tab.Group>
         ) : (
           <>
+            {mode === 'service-accounts' && (
+              <Alert variant="warning" icon size="sm">
+                These accounts can be managed by other teams or users outside this team.
+              </Alert>
+            )}
             {searchBar}
             {mode === 'members' ? membersList : saList}
           </>
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 4374dba3b..55fcf66dc 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -308,6 +308,9 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
               </div>
             </div>
             <div className="flex items-center gap-2">
+              {userCanUpdateTeams && !team.isScimManaged && (
+                <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="service-accounts" buttonVariant="secondary" />
+              )}
               {userCanCreateSA && (
                 <CreateServiceAccountDialog
                   teamId={team.id}
@@ -315,9 +318,6 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                   teamRole={team.serviceAccountRole}
                 />
               )}
-              {userCanUpdateTeams && !team.isScimManaged && (
-                <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="service-accounts" />
-              )}
             </div>
           </div>
 

From 9302d675d1680956231902dafdfe7476f024e8f7 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 14:14:03 +0530
Subject: [PATCH 024/118] feat: replace toggles with checkboxes, misc other ux
 updates

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../service-accounts/[account]/page.tsx       |  4 +-
 .../CreateServiceAccountDialog.tsx            |  4 +-
 .../[team]/access/service-accounts/page.tsx   |  4 +-
 .../_components/AddTeamAppsDialog.tsx         | 76 ++++++++++++-------
 .../_components/AddTeamMembersDialog.tsx      | 24 +++---
 .../app/[team]/access/teams/[teamId]/page.tsx | 21 ++---
 frontend/components/common/Checkbox.tsx       | 17 +++--
 7 files changed, 86 insertions(+), 64 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index 8a139bf2c..bb8bc0945 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -9,7 +9,7 @@ import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissio
 import { useMutation, useQuery } from '@apollo/client'
 import Link from 'next/link'
 import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
-import { FaBan, FaBoxOpen, FaBuilding, FaChevronDown, FaChevronLeft, FaCog, FaEdit, FaLink, FaNetworkWired, FaUsers } from 'react-icons/fa'
+import { FaBan, FaBoxOpen, FaBuilding, FaChevronDown, FaChevronLeft, FaCog, FaEdit, FaNetworkWired, FaUsers, FaUsersCog } from 'react-icons/fa'
 import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
 import { DeleteServiceAccountDialog } from '../_components/DeleteServiceAccountDialog'
 import { AddAppButton } from './_components/AddAppsToServiceAccountsButton'
@@ -276,7 +276,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                     className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-blue-500/15 text-blue-600 dark:text-blue-400 hover:bg-blue-500/25 transition ease"
                     title={`Owned by team "${account.team.name}" — bound to the team lifecycle`}
                   >
-                    <FaLink className="text-[0.55rem]" />
+                    <FaUsersCog className="text-[0.55rem]" />
                     {account.team.name}
                   </Link>
                 ) : (
diff --git a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
index 2800ea9a6..d6df64e6e 100644
--- a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
@@ -2,7 +2,7 @@ import { ApiOrganisationPlanChoices, OrganisationMemberType, RoleType } from '@/
 import GenericDialog from '@/components/common/GenericDialog'
 import { Alert } from '@/components/common/Alert'
 import { Fragment, useContext, useEffect, useRef, useState } from 'react'
-import { FaChevronDown, FaLink, FaPlus } from 'react-icons/fa'
+import { FaChevronDown, FaPlus, FaUsersCog } from 'react-icons/fa'
 import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServiceAccounts.gql'
 import { GetServiceAccountHandlers } from '@/graphql/queries/service-accounts/getServiceAccountHandlers.gql'
 import { GetRoles } from '@/graphql/queries/organisation/getRoles.gql'
@@ -187,7 +187,7 @@ export const CreateServiceAccountDialog = ({
       title={dialogTitle}
       buttonContent={
         <>
-          {isTeamContext ? <FaLink /> : <FaPlus />} {buttonLabel}
+          {isTeamContext ? <FaUsersCog /> : <FaPlus />} {buttonLabel}
         </>
       }
       buttonVariant="primary"
diff --git a/frontend/app/[team]/access/service-accounts/page.tsx b/frontend/app/[team]/access/service-accounts/page.tsx
index bc62b8cf0..c7d313042 100644
--- a/frontend/app/[team]/access/service-accounts/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/page.tsx
@@ -7,7 +7,7 @@ import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServic
 import { userHasPermission } from '@/utils/access/permissions'
 import { useQuery } from '@apollo/client'
 import { useContext, useState } from 'react'
-import { FaBan, FaBuilding, FaChevronRight, FaLink, FaSearch, FaTimesCircle } from 'react-icons/fa'
+import { FaBan, FaBuilding, FaChevronRight, FaSearch, FaTimesCircle, FaUsersCog } from 'react-icons/fa'
 import { CreateServiceAccountDialog } from './_components/CreateServiceAccountDialog'
 import { FaRobot } from 'react-icons/fa6'
 import { relativeTimeFromDates } from '@/utils/time'
@@ -141,7 +141,7 @@ export default function ServiceAccounts({ params }: { params: { team: string } }
                             className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-blue-500/15 text-blue-600 dark:text-blue-400 hover:bg-blue-500/25 transition ease"
                             title={`Owned by team "${account.team.name}" — bound to the team lifecycle`}
                           >
-                            <FaLink className="text-[0.55rem]" />
+                            <FaUsersCog className="text-[0.55rem]" />
                             {account.team.name}
                           </Link>
                         ) : (
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
index 9f7bc2dc1..553e125e5 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
@@ -3,7 +3,7 @@
 import { AppType, TeamType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
-import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { Checkbox } from '@/components/common/Checkbox'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetApps } from '@/graphql/queries/getApps.gql'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
@@ -12,7 +12,7 @@ import { useMutation, useQuery } from '@apollo/client'
 import { useContext, useRef, useState } from 'react'
 import { useParams } from 'next/navigation'
 import Link from 'next/link'
-import { FaExclamationTriangle, FaSearch, FaTimesCircle, FaChevronDown } from 'react-icons/fa'
+import { FaChevronDown, FaExclamationTriangle, FaExternalLinkAlt, FaSearch, FaTimesCircle } from 'react-icons/fa'
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
 import { Disclosure } from '@headlessui/react'
@@ -133,11 +133,11 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
           teams.
         </p>
 
-        <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
+        <div className="relative flex items-center bg-zinc-200 dark:bg-zinc-800 rounded-md px-2">
           <FaSearch className="text-neutral-500 text-xs shrink-0" />
           <input
             placeholder="Search apps"
-            className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
+            className="custom bg-zinc-200 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100 placeholder:text-neutral-500 w-full text-xs py-1.5"
             value={searchQuery}
             onChange={(e) => setSearchQuery(e.target.value)}
           />
@@ -190,10 +190,10 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
                           onClick={() => toggleAllEnvs(app.id, envIds)}
                         >
                           <span className="text-2xs text-neutral-500">All environments</span>
-                          <ToggleSwitch
+                          <Checkbox
                             size="sm"
-                            value={!!allEnvsSelected}
-                            onToggle={() => toggleAllEnvs(app.id, envIds)}
+                            checked={!!allEnvsSelected}
+                            onChange={() => toggleAllEnvs(app.id, envIds)}
                           />
                         </div>
                         <div className="flex flex-wrap gap-1.5">
@@ -212,10 +212,10 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
                                 onClick={() => toggleEnv(app.id, env.id)}
                               >
                                 <span className="text-2xs text-zinc-900 dark:text-zinc-100">{env.name}</span>
-                                <ToggleSwitch
+                                <Checkbox
                                   size="sm"
-                                  value={isSelected}
-                                  onToggle={() => toggleEnv(app.id, env.id)}
+                                  checked={isSelected}
+                                  onChange={() => toggleEnv(app.id, env.id)}
                                 />
                               </div>
                             )
@@ -229,25 +229,43 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
             })}
 
             {filteredNonSseApps.length > 0 && (
-              <div className="pt-2">
-                <div className="flex items-center gap-1.5 text-2xs text-amber-500 mb-1">
-                  <FaExclamationTriangle className="shrink-0" />
-                  <span>These apps need SSE enabled in settings before they can be assigned:</span>
-                </div>
-                <p className="text-2xs text-neutral-500 px-0.5">
-                  {filteredNonSseApps.map((app: AppType, i: number) => (
-                    <span key={app.id}>
-                      <Link
-                        href={`/${params!.team}/apps/${app.id}/settings`}
-                        className="text-zinc-900 dark:text-zinc-100 hover:text-emerald-500 dark:hover:text-emerald-400 underline underline-offset-2 decoration-neutral-500/40 hover:decoration-emerald-500 transition"
-                      >
-                        {app.name}
-                      </Link>
-                      {i < filteredNonSseApps.length - 1 && ', '}
-                    </span>
-                  ))}
-                </p>
-              </div>
+              <>
+                <div className="border-t border-zinc-500/20" />
+                <Disclosure>
+                  {({ open }) => (
+                    <div>
+                      <Disclosure.Button className="w-full flex items-center justify-between py-2 px-3 text-2xs text-amber-500">
+                        <div className="flex items-center gap-1.5">
+                          <FaExclamationTriangle className="shrink-0" />
+                          <span>{filteredNonSseApps.length} hidden app{filteredNonSseApps.length !== 1 ? 's' : ''}</span>
+                        </div>
+                        <FaChevronDown
+                          className={clsx(
+                            'text-neutral-500 text-2xs transition-transform',
+                            open && 'rotate-180'
+                          )}
+                        />
+                      </Disclosure.Button>
+                      <Disclosure.Panel className="space-y-1">
+                        <p className="text-2xs text-neutral-500 mb-2">
+                          These apps need SSE enabled in settings before they can be assigned to teams.
+                        </p>
+                        {filteredNonSseApps.map((app: AppType) => (
+                          <div key={app.id} className="flex items-center justify-between py-1.5 px-2">
+                            <Link
+                              href={`/${params!.team}/apps/${app.id}/settings`}
+                              className="font-medium text-xs text-zinc-900 dark:text-zinc-100 hover:text-emerald-500 dark:hover:text-emerald-400 transition"
+                            >
+                              {app.name}
+                            </Link>
+                            <FaExternalLinkAlt className="text-neutral-500 text-2xs shrink-0" />
+                          </div>
+                        ))}
+                      </Disclosure.Panel>
+                    </div>
+                  )}
+                </Disclosure>
+              </>
             )}
           </div>
         )}
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
index 55011f878..61e51333a 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamMembersDialog.tsx
@@ -3,7 +3,7 @@
 import { OrganisationMemberType, ServiceAccountType, TeamMembershipType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
-import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { Checkbox } from '@/components/common/Checkbox'
 import { ProfileCard } from '@/components/common/ProfileCard'
 import { organisationContext } from '@/contexts/organisationContext'
 import GetOrganisationMembers from '@/graphql/queries/organisation/getOrganisationMembers.gql'
@@ -162,7 +162,7 @@ export const AddTeamMembersDialog = ({
     if (mode !== 'service-accounts' && selectedMembers.size > 0)
       parts.push(`${selectedMembers.size} member${selectedMembers.size !== 1 ? 's' : ''}`)
     if (mode !== 'members' && selectedSAs.size > 0)
-      parts.push(`${selectedSAs.size} SA${selectedSAs.size !== 1 ? 's' : ''}`)
+      parts.push(`${selectedSAs.size} service account${selectedSAs.size !== 1 ? 's' : ''}`)
     return parts.length > 0 ? parts.join(', ') : '0 selected'
   }
 
@@ -181,7 +181,7 @@ export const AddTeamMembersDialog = ({
         : 'Add Members'
 
   const searchBar = (
-    <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2">
+    <div className="relative flex items-center bg-zinc-200 dark:bg-zinc-800 rounded-md px-2">
       <FaSearch className="text-neutral-500 text-xs shrink-0" />
       <input
         placeholder={
@@ -191,7 +191,7 @@ export const AddTeamMembersDialog = ({
               ? 'Search members'
               : 'Search accounts'
         }
-        className="custom bg-zinc-100 dark:bg-zinc-800 placeholder:text-neutral-500 w-full text-xs py-1.5"
+        className="custom bg-zinc-200 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100 placeholder:text-neutral-500 w-full text-xs py-1.5"
         value={searchQuery}
         onChange={(e) => setSearchQuery(e.target.value)}
       />
@@ -207,7 +207,7 @@ export const AddTeamMembersDialog = ({
   )
 
   const membersList = (
-    <div className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
+    <div className="max-h-[60vh] overflow-y-auto divide-y divide-zinc-500/20 pr-2">
       {filteredMembers.length === 0 ? (
         <p className="text-xs text-neutral-500 text-center py-4">
           {availableMembers.length === 0
@@ -222,10 +222,10 @@ export const AddTeamMembersDialog = ({
             onClick={() => toggleMember(member.id)}
           >
             <ProfileCard member={member} size="md" />
-            <ToggleSwitch
+            <Checkbox
               size="sm"
-              value={selectedMembers.has(member.id)}
-              onToggle={() => toggleMember(member.id)}
+              checked={selectedMembers.has(member.id)}
+              onChange={() => toggleMember(member.id)}
             />
           </div>
         ))
@@ -234,7 +234,7 @@ export const AddTeamMembersDialog = ({
   )
 
   const saList = (
-    <div className="max-h-80 overflow-y-auto divide-y divide-zinc-500/20">
+    <div className="max-h-[60vh] overflow-y-auto divide-y divide-zinc-500/20 pr-2">
       {filteredSAs.length === 0 ? (
         <p className="text-xs text-neutral-500 text-center py-4">
           {availableSAs.length === 0
@@ -249,10 +249,10 @@ export const AddTeamMembersDialog = ({
             onClick={() => toggleSA(sa.id)}
           >
             <ProfileCard serviceAccount={sa} size="md" />
-            <ToggleSwitch
+            <Checkbox
               size="sm"
-              value={selectedSAs.has(sa.id)}
-              onToggle={() => toggleSA(sa.id)}
+              checked={selectedSAs.has(sa.id)}
+              onChange={() => toggleSA(sa.id)}
             />
           </div>
         ))
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 55fcf66dc..11adc547d 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -22,7 +22,7 @@ import {
   FaCog,
   FaCrown,
   FaExternalLinkAlt,
-  FaLink,
+  FaUsersCog,
   FaRobot,
   FaUsers,
 } from 'react-icons/fa'
@@ -343,7 +343,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                       <div>
                         {isTeamOwned ? (
                           <span className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-blue-500/15 text-blue-600 dark:text-blue-400" title="Owned by this team — bound to the team lifecycle">
-                            <FaLink className="text-[0.55rem]" />
+                            <FaUsersCog className="text-[0.55rem]" />
                             Team
                           </span>
                         ) : (
@@ -424,13 +424,16 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                     <div className="text-2xs uppercase tracking-widest text-neutral-500 mb-1">
                       Environments
                     </div>
-                    <div className="flex items-center gap-1 flex-wrap">
-                      {envs.map((tae) => (
-                        <span
-                          key={tae.id}
-                          className="text-2xs px-1.5 py-0.5 rounded bg-zinc-200 dark:bg-zinc-800 text-zinc-600 dark:text-zinc-400"
-                        >
-                          {tae.environment!.name}
+                    <div className="text-xs text-zinc-700 dark:text-zinc-300">
+                      {envs.map((tae, i) => (
+                        <span key={tae.id}>
+                          <Link
+                            href={`/${params.team}/apps/${appId}/environments/${tae.environment!.id}`}
+                            className="hover:text-emerald-500 dark:hover:text-emerald-400 transition"
+                          >
+                            {tae.environment!.name}
+                          </Link>
+                          {i < envs.length - 1 && ' + '}
                         </span>
                       ))}
                     </div>
diff --git a/frontend/components/common/Checkbox.tsx b/frontend/components/common/Checkbox.tsx
index df4be5496..f0b1faea0 100644
--- a/frontend/components/common/Checkbox.tsx
+++ b/frontend/components/common/Checkbox.tsx
@@ -23,24 +23,25 @@ export const Checkbox = (props: {
       role="checkbox"
       aria-checked={checked}
       disabled={disabled}
-      onClick={() => onChange(!checked)}
-      className={clsx('flex items-start gap-3 group', disabled && 'opacity-50 cursor-not-allowed')}
+      onClick={(e) => {
+        e.stopPropagation()
+        onChange(!checked)
+      }}
+      className={clsx('flex gap-3 group', label ? 'items-start' : 'items-center', disabled && 'opacity-50 cursor-not-allowed')}
     >
       <div
         className={clsx(
-          'flex items-center justify-center shrink-0 rounded ring-1 ring-inset transition ease',
+          'flex items-center justify-center shrink-0 rounded-full ring-1 ring-inset transition ease',
           styles.box,
-          styles.offset,
+          label && styles.offset,
           checked
-            ? 'bg-emerald-500 ring-emerald-500'
+            ? 'bg-emerald-500 dark:bg-emerald-600 ring-emerald-500'
             : 'bg-zinc-100 dark:bg-zinc-800 ring-neutral-500/40 group-hover:ring-neutral-500/60'
         )}
       >
         {checked && <FaCheck className={clsx('text-white', styles.icon)} />}
       </div>
-      {label && (
-        <span className="text-xs text-neutral-500 text-left select-none">{label}</span>
-      )}
+      {label && <span className="text-xs text-neutral-500 text-left select-none">{label}</span>}
     </button>
   )
 }

From 9f57789d9abe4982e092b3a173df63d5cdb545d1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 15:22:50 +0530
Subject: [PATCH 025/118] feat: misc fixes to access and permission gating

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[teamId]/_components/UpdateTeamDialog.tsx |  13 +-
 .../app/[team]/access/teams/[teamId]/page.tsx |  78 +++++-------
 frontend/app/[team]/access/teams/page.tsx     | 113 ++++--------------
 .../_components/ManageTeamEnvsDialog.tsx      |  16 +--
 .../[team]/apps/[app]/access/teams/page.tsx   | 109 +++++------------
 5 files changed, 108 insertions(+), 221 deletions(-)

diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
index 21f30d8f2..07b77fc1b 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
@@ -10,7 +10,7 @@ import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { GetRoles } from '@/graphql/queries/organisation/getRoles.gql'
 import { UpdateTeamOp } from '@/graphql/mutations/teams/updateTeam.gql'
 import { useMutation, useQuery } from '@apollo/client'
-import { Fragment, useContext, useRef, useState } from 'react'
+import { Fragment, useContext, useEffect, useRef, useState } from 'react'
 import { FaCog, FaChevronDown, FaUserShield, FaRobot } from 'react-icons/fa'
 import { Listbox } from '@headlessui/react'
 import clsx from 'clsx'
@@ -116,7 +116,16 @@ export const UpdateTeamDialog = ({ team }: { team: TeamType }) => {
     (team.serviceAccountRole as RoleType) || null
   )
 
-  const roleOptions = roleData?.roles || []
+  // Sync state when team prop updates (e.g. after refetch)
+  useEffect(() => {
+    setName(team.name)
+    setDescription(team.description || '')
+    setMemberRole((team.memberRole as RoleType) || null)
+    setSaRole((team.serviceAccountRole as RoleType) || null)
+  }, [team.name, team.description, team.memberRole, team.serviceAccountRole])
+
+  const roleOptions: RoleType[] =
+    roleData?.roles?.filter((role: RoleType) => role.name?.toLowerCase() !== 'owner') || []
 
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 11adc547d..3c4deb526 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -42,18 +42,6 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
     ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
     : false
 
-  const userCanUpdateTeams = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Teams', 'update')
-    : false
-
-  const userCanDeleteTeams = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Teams', 'delete')
-    : false
-
-  const userCanCreateSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'create')
-    : false
-
   const userIsGlobalAccess = organisation
     ? userHasGlobalAccess(organisation.role!.permissions)
     : false
@@ -114,6 +102,19 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
     team.members?.some((m) => m.orgMember?.id === organisation?.memberId) ||
     false
 
+  // Team owner (creator) retains full access; other members use effective permissions
+  const isTeamOwner = team.createdBy?.id === organisation?.memberId
+
+  // Effective permissions: team member role override takes precedence over org-level role
+  const effectivePermissions = team.memberRole?.permissions ?? organisation.role!.permissions
+
+  const canUpdateTeam =
+    userIsGlobalAccess || isTeamOwner || userHasPermission(effectivePermissions, 'Teams', 'update')
+  const canDeleteTeam =
+    userIsGlobalAccess || isTeamOwner || userHasPermission(effectivePermissions, 'Teams', 'delete')
+  const canCreateSA =
+    userIsGlobalAccess || isTeamOwner || userHasPermission(effectivePermissions, 'ServiceAccounts', 'create')
+
   if (!userIsMember)
     return (
       <section className="p-4">
@@ -184,7 +185,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
               </span>
             </div>
             <div className="flex flex-col items-end gap-2">
-              {userCanUpdateTeams && !team.isScimManaged && <UpdateTeamDialog team={team} />}
+              {canUpdateTeam && !team.isScimManaged && <UpdateTeamDialog team={team} />}
               <span
                 className="text-neutral-500 text-2xs flex items-center gap-1 cursor-help"
                 title={new Date(team.createdAt).toLocaleString()}
@@ -195,37 +196,21 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
             </div>
           </div>
 
-          {/* Role overrides */}
-          {(team.memberRole || team.serviceAccountRole) && (
-            <div className="flex items-center gap-4 mt-3">
-              {team.memberRole && (
-                <div className="flex items-center gap-1.5 text-xs text-neutral-500">
-                  <FaUsers className="text-xs" />
-                  <span>Member role:</span>
-                  <RoleLabel role={team.memberRole} />
-                </div>
-              )}
-              {team.serviceAccountRole && (
-                <div className="flex items-center gap-1.5 text-xs text-neutral-500">
-                  <FaRobot className="text-xs" />
-                  <span>SA role:</span>
-                  <RoleLabel role={team.serviceAccountRole} />
-                </div>
-              )}
-            </div>
-          )}
         </div>
 
         {/* Members Section (human users only) */}
         <div className="pt-4 space-y-3 border-t border-neutral-500/40">
           <div className="flex items-center justify-between">
             <div>
-              <div className="text-base font-medium">Members</div>
+              <div className="text-base font-medium flex items-center gap-2">
+                Members
+                {team.memberRole && <RoleLabel role={team.memberRole} size="xs" />}
+              </div>
               <div className="text-neutral-500 text-sm">
                 Organisation members in this team
               </div>
             </div>
-            {userCanUpdateTeams && !team.isScimManaged && (
+            {canUpdateTeam && !team.isScimManaged && (
               <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="members" />
             )}
           </div>
@@ -254,7 +239,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                       />
 
                       <div className="flex items-center gap-1.5">
-                        {membership.orgMember?.role && (
+                        {!team.memberRole && membership.orgMember?.role && (
                           <RoleLabel role={membership.orgMember.role} size="xs" />
                         )}
                         {isTeamCreator && (
@@ -275,7 +260,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                             <FaExternalLinkAlt /> Manage account
                           </Button>
                         </Link>
-                        {userCanUpdateTeams &&
+                        {canUpdateTeam &&
                           !team.isScimManaged &&
                           !(team.createdBy?.id === membership.orgMember?.id) && (
                             <RemoveTeamMemberDialog
@@ -302,16 +287,19 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
         <div className="pt-4 space-y-3 border-t border-neutral-500/40">
           <div className="flex items-center justify-between">
             <div>
-              <div className="text-base font-medium">Service Accounts</div>
+              <div className="text-base font-medium flex items-center gap-2">
+                Service Accounts
+                {team.serviceAccountRole && <RoleLabel role={team.serviceAccountRole} size="xs" />}
+              </div>
               <div className="text-neutral-500 text-sm">
                 Service accounts in this team
               </div>
             </div>
             <div className="flex items-center gap-2">
-              {userCanUpdateTeams && !team.isScimManaged && (
+              {canUpdateTeam && !team.isScimManaged && (
                 <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="service-accounts" buttonVariant="secondary" />
               )}
-              {userCanCreateSA && (
+              {canCreateSA && (
                 <CreateServiceAccountDialog
                   teamId={team.id}
                   teamName={team.name}
@@ -337,7 +325,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                       <ProfileCard serviceAccount={sa} size="md" />
 
                       <div>
-                        {sa.role && <RoleLabel role={sa.role} size="xs" />}
+                        {!team.serviceAccountRole && sa.role && <RoleLabel role={sa.role} size="xs" />}
                       </div>
 
                       <div>
@@ -368,11 +356,11 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                           </Button>
                         </Link>
                         {isTeamOwned ? (
-                          userCanUpdateTeams && (
+                          canUpdateTeam && (
                             <DeleteServiceAccountDialog account={sa} />
                           )
                         ) : (
-                          userCanUpdateTeams && !team.isScimManaged && (
+                          canUpdateTeam && !team.isScimManaged && (
                             <RemoveTeamMemberDialog
                               teamId={team.id}
                               memberId={sa.id}
@@ -388,7 +376,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
               ) : (
                 <div className="py-8 text-center text-neutral-500">
                   No service accounts in this team.
-                  {userCanCreateSA && ' Create a team-owned service account or add an existing one.'}
+                  {canCreateSA && ' Create a team-owned service account or add an existing one.'}
                 </div>
               )
             })()}
@@ -404,7 +392,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                 Apps and environments this team has access to
               </div>
             </div>
-            {userCanUpdateTeams && <AddTeamAppsDialog team={team} />}
+            {canUpdateTeam && <AddTeamAppsDialog team={team} />}
           </div>
 
           <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
@@ -462,7 +450,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
         </div>
 
         {/* Danger Zone */}
-        {userCanDeleteTeams && !team.isScimManaged && (
+        {canDeleteTeam && !team.isScimManaged && (userIsGlobalAccess || team.createdBy?.id === organisation?.memberId) && (
           <div className="pt-4 space-y-2 border-t border-neutral-500/40">
             <div>
               <div className="text-base font-medium">Danger Zone</div>
diff --git a/frontend/app/[team]/access/teams/page.tsx b/frontend/app/[team]/access/teams/page.tsx
index 3a639c425..b0850b255 100644
--- a/frontend/app/[team]/access/teams/page.tsx
+++ b/frontend/app/[team]/access/teams/page.tsx
@@ -19,7 +19,6 @@ import {
   FaUsers,
   FaRobot,
 } from 'react-icons/fa'
-import { Avatar } from '@/components/common/Avatar'
 import { ProfileCard } from '@/components/common/ProfileCard'
 import { MdSearchOff } from 'react-icons/md'
 import clsx from 'clsx'
@@ -143,17 +142,14 @@ export default function Teams({ params }: { params: { team: string } }) {
                 </thead>
                 <tbody className="divide-y divide-zinc-500/20">
                   {filteredTeams.map((team: TeamType) => {
-                    const orgMembers =
-                      team.members?.filter((m) => m.orgMember) || []
-                    const serviceAccounts =
-                      team.members?.filter((m) => m.serviceAccount) || []
-                    const surplusMemberCount =
-                      orgMembers.length > 5 ? orgMembers.length - 5 : 0
-                    const surplusSaCount =
-                      serviceAccounts.length > 3 ? serviceAccounts.length - 3 : 0
+                    const memberCount =
+                      team.members?.filter((m) => m.orgMember).length || 0
+                    const saCount =
+                      team.members?.filter((m) => m.serviceAccount).length || 0
                     const isMember =
                       userIsGlobalAccess ||
-                      orgMembers.some((m) => m.orgMember?.id === organisation?.memberId)
+                      team.members?.some((m) => m.orgMember?.id === organisation?.memberId) ||
+                      false
 
                     return (
                       <tr key={team.id} className="group">
@@ -176,89 +172,28 @@ export default function Teams({ params }: { params: { team: string } }) {
                           </div>
                         </td>
                         <td className="px-6 py-2">
-                          <div className="space-y-1.5">
-                            {orgMembers.length > 0 && (
-                              <div className="flex items-center justify-between gap-3">
-                                <div className="flex items-center gap-1.5">
-                                  <div className="flex items-center">
-                                    {orgMembers.slice(0, 5).map((m, i) => (
-                                      <div
-                                        key={m.id}
-                                        className={clsx(
-                                          'rounded-full',
-                                          i !== 0 && '-ml-2'
-                                        )}
-                                        style={{ zIndex: i }}
-                                      >
-                                        <Avatar
-                                          user={{
-                                            name: m.fullName,
-                                            email: m.email,
-                                            image: m.avatarUrl,
-                                          }}
-                                          size="xs"
-                                          showTitle={false}
-                                        />
-                                      </div>
-                                    ))}
-                                    {surplusMemberCount > 0 && (
-                                      <span className="text-neutral-500 text-xs ml-1">
-                                        +{surplusMemberCount}
-                                      </span>
-                                    )}
-                                  </div>
-                                  <span className="text-2xs text-neutral-500">
-                                    {orgMembers.length} member
-                                    {orgMembers.length !== 1 ? 's' : ''}
-                                  </span>
-                                </div>
-                                {team.memberRole && (
-                                  <RoleLabel role={team.memberRole} size="xs" />
-                                )}
+                          <div className="space-y-1">
+                            {memberCount > 0 && (
+                              <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
+                                <FaUsers className="text-xs" />
+                                <span>
+                                  {memberCount} member{memberCount !== 1 ? 's' : ''}
+                                </span>
+                                {team.memberRole && <RoleLabel role={team.memberRole} size="xs" />}
                               </div>
                             )}
-                            {serviceAccounts.length > 0 && (
-                              <div className="flex items-center justify-between gap-3">
-                                <div className="flex items-center gap-1.5">
-                                  <div className="flex items-center">
-                                    {serviceAccounts.slice(0, 3).map((m, i) => (
-                                      <div
-                                        key={m.id}
-                                        className={clsx(
-                                          'rounded-full',
-                                          i !== 0 && '-ml-2'
-                                        )}
-                                        style={{ zIndex: i }}
-                                      >
-                                        <Avatar
-                                          serviceAccount={m.serviceAccount!}
-                                          size="xs"
-                                          showTitle={false}
-                                        />
-                                      </div>
-                                    ))}
-                                    {surplusSaCount > 0 && (
-                                      <span className="text-neutral-500 text-xs ml-1">
-                                        +{surplusSaCount}
-                                      </span>
-                                    )}
-                                  </div>
-                                  <span className="text-2xs text-neutral-500">
-                                    {serviceAccounts.length} Service Account
-                                    {serviceAccounts.length !== 1 ? 's' : ''}
-                                  </span>
-                                </div>
-                                {team.serviceAccountRole && (
-                                  <RoleLabel role={team.serviceAccountRole} size="xs" />
-                                )}
+                            {saCount > 0 && (
+                              <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
+                                <FaRobot className="text-xs" />
+                                <span>
+                                  {saCount} service account{saCount !== 1 ? 's' : ''}
+                                </span>
+                                {team.serviceAccountRole && <RoleLabel role={team.serviceAccountRole} size="xs" />}
                               </div>
                             )}
-                            {orgMembers.length === 0 &&
-                              serviceAccounts.length === 0 && (
-                                <span className="text-2xs text-neutral-500">
-                                  No members
-                                </span>
-                              )}
+                            {memberCount === 0 && saCount === 0 && (
+                              <span className="text-2xs text-neutral-500">No members</span>
+                            )}
                           </div>
                         </td>
                         <td className="px-6 py-2 text-sm">
diff --git a/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx b/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx
index 0ba6ab696..e944ac8df 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/_components/ManageTeamEnvsDialog.tsx
@@ -3,7 +3,7 @@
 import { EnvironmentType, TeamAppEnvironmentType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
-import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { Checkbox } from '@/components/common/Checkbox'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { GetApps } from '@/graphql/queries/getApps.gql'
@@ -20,12 +20,14 @@ export const ManageTeamEnvsDialog = ({
   appId,
   appEnvironments,
   teamEnvs,
+  canManage = true,
 }: {
   teamId: string
   teamName: string
   appId: string
   appEnvironments: EnvironmentType[]
   teamEnvs: TeamAppEnvironmentType[]
+  canManage?: boolean
 }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
   const [updateEnvs, { loading }] = useMutation(UpdateTeamAppEnvironmentsOp)
@@ -120,7 +122,7 @@ export const ManageTeamEnvsDialog = ({
       <span className="text-zinc-900 dark:text-zinc-100 text-2xs font-medium">
         {scopeLabel || 'None'}
       </span>
-      <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center gap-2">
+      {canManage && <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center gap-2">
         <GenericDialog
           ref={dialogRef}
           title={`Manage environment access for ${teamName}`}
@@ -145,7 +147,7 @@ export const ManageTeamEnvsDialog = ({
                 onClick={toggleAll}
               >
                 <span className="text-2xs text-neutral-500">All environments</span>
-                <ToggleSwitch size="sm" value={allSelected} onToggle={toggleAll} />
+                <Checkbox size="sm" checked={allSelected} onChange={toggleAll} />
               </div>
               <div className="flex flex-wrap gap-1.5">
                 {appEnvironments.map((env) => {
@@ -162,10 +164,10 @@ export const ManageTeamEnvsDialog = ({
                       onClick={() => toggleEnv(env.id)}
                     >
                       <span className="text-2xs text-zinc-900 dark:text-zinc-100">{env.name}</span>
-                      <ToggleSwitch
+                      <Checkbox
                         size="sm"
-                        value={isSelected}
-                        onToggle={() => toggleEnv(env.id)}
+                        checked={isSelected}
+                        onChange={() => toggleEnv(env.id)}
                       />
                     </div>
                   )
@@ -187,7 +189,7 @@ export const ManageTeamEnvsDialog = ({
             </div>
           </form>
         </GenericDialog>
-      </div>
+      </div>}
     </div>
   )
 }
diff --git a/frontend/app/[team]/apps/[app]/access/teams/page.tsx b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
index 06dfb4e65..6c0e6926f 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
@@ -6,17 +6,16 @@ import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { GetApps } from '@/graphql/queries/getApps.gql'
 import { useQuery } from '@apollo/client'
 import { useContext } from 'react'
-import { FaBan, FaExclamationTriangle, FaUsers } from 'react-icons/fa'
-import { userHasPermission } from '@/utils/access/permissions'
+import { FaBan, FaExclamationTriangle, FaRobot, FaUsers } from 'react-icons/fa'
+import { RoleLabel } from '@/components/users/RoleLabel'
+import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
-import { Avatar } from '@/components/common/Avatar'
-import { RoleLabel } from '@/components/users/RoleLabel'
 import { AddTeamToAppDialog } from './_components/AddTeamToAppDialog'
 import { RemoveTeamFromAppDialog } from './_components/RemoveTeamFromAppDialog'
 import { ManageTeamEnvsDialog } from './_components/ManageTeamEnvsDialog'
 import Link from 'next/link'
-import clsx from 'clsx'
+
 
 export default function AppTeams({ params }: { params: { team: string; app: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -29,6 +28,10 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
     ? userHasPermission(organisation.role!.permissions, 'Teams', 'update')
     : false
 
+  const userIsGlobalAccess = organisation
+    ? userHasGlobalAccess(organisation.role!.permissions)
+    : false
+
   const { data: teamsData, loading: teamsLoading } = useQuery(GetTeams, {
     variables: { organisationId: organisation?.id },
     skip: !organisation || !userCanReadTeams,
@@ -123,10 +126,11 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                     (tae: TeamAppEnvironmentType | null) => tae?.app?.id === params.app
                   ) || []
 
-                const orgMembers = team.members?.filter((m) => m.orgMember) || []
-                const sas = team.members?.filter((m) => m.serviceAccount) || []
-                const surplusMemberCount = orgMembers.length > 5 ? orgMembers.length - 5 : 0
-                const surplusSaCount = sas.length > 3 ? sas.length - 3 : 0
+                const memberCount = team.members?.filter((m) => m.orgMember).length || 0
+                const saCount = team.members?.filter((m) => m.serviceAccount).length || 0
+                const isTeamOwner =
+                  userIsGlobalAccess ||
+                  team.createdBy?.id === organisation?.memberId
 
                 return (
                   <tr key={team.id} className="group">
@@ -144,78 +148,26 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                       </Link>
                     </td>
                     <td className="hidden md:table-cell px-6 py-2">
-                      <div className="space-y-1.5">
-                        {orgMembers.length > 0 && (
-                          <div className="flex items-center justify-between gap-3">
-                            <div className="flex items-center gap-1.5">
-                              <div className="flex items-center">
-                                {orgMembers.slice(0, 5).map((m, i) => (
-                                  <div
-                                    key={m.id}
-                                    className={clsx('rounded-full', i !== 0 && '-ml-2')}
-                                    style={{ zIndex: i }}
-                                  >
-                                    <Avatar
-                                      user={{
-                                        name: m.fullName,
-                                        email: m.email,
-                                        image: m.avatarUrl,
-                                      }}
-                                      size="xs"
-                                      showTitle={false}
-                                    />
-                                  </div>
-                                ))}
-                                {surplusMemberCount > 0 && (
-                                  <span className="text-neutral-500 text-xs ml-1">
-                                    +{surplusMemberCount}
-                                  </span>
-                                )}
-                              </div>
-                              <span className="text-2xs text-neutral-500">
-                                {orgMembers.length} member
-                                {orgMembers.length !== 1 ? 's' : ''}
-                              </span>
-                            </div>
-                            {team.memberRole && (
-                              <RoleLabel role={team.memberRole} size="xs" />
-                            )}
+                      <div className="space-y-1">
+                        {memberCount > 0 && (
+                          <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
+                            <FaUsers className="text-xs" />
+                            <span>
+                              {memberCount} member{memberCount !== 1 ? 's' : ''}
+                            </span>
+                            {team.memberRole && <RoleLabel role={team.memberRole} size="xs" />}
                           </div>
                         )}
-                        {sas.length > 0 && (
-                          <div className="flex items-center justify-between gap-3">
-                            <div className="flex items-center gap-1.5">
-                              <div className="flex items-center">
-                                {sas.slice(0, 3).map((m, i) => (
-                                  <div
-                                    key={m.id}
-                                    className={clsx('rounded-full', i !== 0 && '-ml-2')}
-                                    style={{ zIndex: i }}
-                                  >
-                                    <Avatar
-                                      serviceAccount={m.serviceAccount!}
-                                      size="xs"
-                                      showTitle={false}
-                                    />
-                                  </div>
-                                ))}
-                                {surplusSaCount > 0 && (
-                                  <span className="text-neutral-500 text-xs ml-1">
-                                    +{surplusSaCount}
-                                  </span>
-                                )}
-                              </div>
-                              <span className="text-2xs text-neutral-500">
-                                {sas.length} Service Account
-                                {sas.length !== 1 ? 's' : ''}
-                              </span>
-                            </div>
-                            {team.serviceAccountRole && (
-                              <RoleLabel role={team.serviceAccountRole} size="xs" />
-                            )}
+                        {saCount > 0 && (
+                          <div className="flex items-center gap-1.5 text-2xs text-neutral-500">
+                            <FaRobot className="text-xs" />
+                            <span>
+                              {saCount} service account{saCount !== 1 ? 's' : ''}
+                            </span>
+                            {team.serviceAccountRole && <RoleLabel role={team.serviceAccountRole} size="xs" />}
                           </div>
                         )}
-                        {orgMembers.length === 0 && sas.length === 0 && (
+                        {memberCount === 0 && saCount === 0 && (
                           <span className="text-2xs text-neutral-500">No members</span>
                         )}
                       </div>
@@ -228,8 +180,9 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                           appId={params.app}
                           appEnvironments={appEnvironments}
                           teamEnvs={teamEnvs as TeamAppEnvironmentType[]}
+                          canManage={isTeamOwner && userCanUpdateTeams}
                         />
-                        {userCanUpdateTeams && (
+                        {isTeamOwner && userCanUpdateTeams && (
                           <div className="opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
                             <RemoveTeamFromAppDialog
                               teamId={team.id}

From 25aade9b56f52ccec8e5615c34f25c8a688b07f7 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 18:35:59 +0530
Subject: [PATCH 026/118] feat: add new app-level teams permission class

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/access/roles.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/api/utils/access/roles.py b/backend/api/utils/access/roles.py
index e19823eca..5fbd6d452 100644
--- a/backend/api/utils/access/roles.py
+++ b/backend/api/utils/access/roles.py
@@ -30,6 +30,7 @@
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "Integrations": ["create", "read", "update", "delete"],
             "EncryptionMode": ["read", "update"],
+            "Teams": ["create", "read", "update", "delete"],
         },
         "global_access": True,
     },
@@ -64,6 +65,7 @@
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "Integrations": ["create", "read", "update", "delete"],
             "EncryptionMode": ["read", "update"],
+            "Teams": ["create", "read", "update", "delete"],
         },
         "global_access": True,
     },
@@ -97,6 +99,7 @@
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "Integrations": ["create", "read", "update", "delete"],
             "EncryptionMode": ["read", "update"],
+            "Teams": ["create", "read", "update", "delete"],
         },
         "global_access": False,
     },
@@ -134,6 +137,7 @@
             "ServiceAccounts": ["create"],
             "Integrations": ["create", "read", "update", "delete"],
             "EncryptionMode": ["read", "update"],
+            "Teams": ["read"],
         },
         "global_access": False,
     },
@@ -167,6 +171,7 @@
             "ServiceAccounts": ["read"],
             "Integrations": ["read"],
             "EncryptionMode": ["read"],
+            "Teams": ["read"],
         },
         "global_access": False,
     },

From 536b114a3834a6a1619b52a96e217421c9e8d972 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 18:36:22 +0530
Subject: [PATCH 027/118] feat: add hook to infer app-level permission based on
 access grants

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/hooks/useAppPermissions.ts | 113 ++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 frontend/hooks/useAppPermissions.ts

diff --git a/frontend/hooks/useAppPermissions.ts b/frontend/hooks/useAppPermissions.ts
new file mode 100644
index 000000000..084b42d83
--- /dev/null
+++ b/frontend/hooks/useAppPermissions.ts
@@ -0,0 +1,113 @@
+import { useContext, useMemo, useCallback } from 'react'
+import { useQuery } from '@apollo/client'
+import { TeamType } from '@/apollo/graphql'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
+
+/**
+ * Hook that computes effective app-level permissions using the override role model.
+ *
+ * For app-level resources (isAppResource=true), the effective permissions depend on
+ * how the user accesses the app:
+ *
+ * - Team with memberRole override → override REPLACES the org role
+ * - Team without memberRole override → org role applies (no override)
+ * - No team-based access → org role applies (backward compat for direct membership)
+ * - Global access (Owner/Admin) → org role always applies (bypasses restrictions)
+ *
+ * When a user has multiple access paths (e.g. multiple teams), the union of all
+ * effective roles applies — most permissive wins across paths.
+ *
+ * For org-level resources (isAppResource=false), only the org role is checked.
+ */
+export function useAppPermissions(appId: string) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const isGlobalAccess = organisation
+    ? userHasGlobalAccess(organisation.role!.permissions)
+    : false
+
+  const userCanReadTeams = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
+    : false
+
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams,
+  })
+
+  // Compute effective permission sources for app-level checks.
+  // Each source is a permissions JSON string representing one access path's effective role.
+  const appPermissionSources = useMemo(() => {
+    const sources: string[] = []
+
+    // Global access users always get their org role (which has all permissions)
+    if (isGlobalAccess) {
+      if (organisation?.role?.permissions) sources.push(organisation.role.permissions)
+      return sources
+    }
+
+    if (!teamsData?.teams || !organisation?.memberId) {
+      // No teams data loaded yet — fall back to org role for backward compat
+      if (organisation?.role?.permissions) sources.push(organisation.role.permissions)
+      return sources
+    }
+
+    let hasTeamAccess = false
+
+    for (const team of teamsData.teams as TeamType[]) {
+      // Does this team include this app?
+      const hasApp = team.apps?.some((a) => a.id === appId)
+      if (!hasApp) continue
+
+      // Is the current user a member of this team?
+      const isMember = team.members?.some(
+        (m) => m.orgMember?.id === organisation.memberId
+      )
+      if (!isMember) continue
+
+      hasTeamAccess = true
+
+      if (team.memberRole?.permissions) {
+        // Team has a role override → it REPLACES the org role for this access path
+        sources.push(team.memberRole.permissions)
+      } else {
+        // Team has no role override → org role is the effective role for this path
+        sources.push(organisation.role!.permissions!)
+      }
+    }
+
+    if (!hasTeamAccess) {
+      // User has no team-based access to this app → must be direct membership
+      // Use org role (backward compat)
+      if (organisation?.role?.permissions) sources.push(organisation.role.permissions)
+    }
+
+    return sources
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [teamsData, appId, organisation?.memberId, organisation?.role?.permissions, isGlobalAccess])
+
+  /**
+   * Check if the user has a specific permission, accounting for team role overrides.
+   *
+   * For app-level resources: checks effective permissions from all access paths (union).
+   * For org-level resources: checks org role only.
+   */
+  const hasPermission = useCallback(
+    (resource: string, action: string, isAppResource: boolean = false): boolean => {
+      if (isAppResource) {
+        // Use computed effective permissions (team-aware)
+        return appPermissionSources.some((perms) =>
+          userHasPermission(perms, resource, action, true)
+        )
+      }
+
+      // For org-level resources, always use org role directly
+      return userHasPermission(organisation?.role?.permissions, resource, action, false)
+    },
+    [appPermissionSources, organisation?.role?.permissions]
+  )
+
+  return { hasPermission, isGlobalAccess }
+}

From df465a40168a83dbfcdb550c4bd33acd362b7db7 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 18:36:58 +0530
Subject: [PATCH 028/118] fix: check app-level teams permission server side for
 teams mutations

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/mutations/teams.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 69b821ce5..6b6aa9186 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -355,6 +355,12 @@ def mutate(cls, root, info, team_id, app_envs):
         for app_env in app_envs:
             app = App.objects.get(id=app_env.app_id, organisation=org)
 
+            # Check app-level Teams permission (respects team role overrides)
+            if not user_has_permission(user, "create", "Teams", org, is_app_resource=True, app=app):
+                raise GraphQLError(
+                    f"You don't have permission to add teams to app '{app.name}'"
+                )
+
             # Actor must have access to the app
             if not user_can_access_app(user.userId, app.id):
                 raise GraphQLError(
@@ -403,6 +409,12 @@ def mutate(cls, root, info, team_id, app_id):
 
         app = App.objects.get(id=app_id, organisation=org)
 
+        # Check app-level Teams permission (respects team role overrides)
+        if not user_has_permission(user, "delete", "Teams", org, is_app_resource=True, app=app):
+            raise GraphQLError(
+                "You don't have permission to remove teams from this app"
+            )
+
         # Revoke grants before removing the app-env links
         revoke_team_environment_keys(team, app=app)
 
@@ -435,6 +447,12 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
 
         app = App.objects.get(id=app_id, organisation=org)
 
+        # Check app-level Teams permission (respects team role overrides)
+        if not user_has_permission(user, "update", "Teams", org, is_app_resource=True, app=app):
+            raise GraphQLError(
+                "You don't have permission to manage team environments for this app"
+            )
+
         if not user_can_access_app(user.userId, app.id):
             raise GraphQLError("You don't have access to this app")
 

From 44f234da80a03bb192a96644555e4cdbbfe443a2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 18:37:35 +0530
Subject: [PATCH 029/118] feat: misc frontend permssion and access gating for
 app actions

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../apps/[app]/_components/AppSecretRow.tsx   | 24 ++++++------
 .../apps/[app]/_components/AppSecrets.tsx     | 32 ++++------------
 .../members/_components/AddMemberDialog.tsx   | 18 ++++-----
 .../_components/ManageUserAccessDialog.tsx    | 11 +++---
 .../[team]/apps/[app]/access/members/page.tsx | 23 +++++------
 .../_components/AddAccountDialog.tsx          | 18 ++++-----
 .../_components/ManageAccountAccessDialog.tsx | 13 ++++---
 .../[app]/access/service-accounts/page.tsx    | 23 +++++------
 .../[team]/apps/[app]/access/teams/page.tsx   | 15 ++------
 .../[team]/apps/[app]/access/tokens/page.tsx  | 11 ++----
 .../[environment]/[[...path]]/page.tsx        | 38 ++++---------------
 .../app/[team]/apps/[app]/settings/page.tsx   | 16 +++-----
 .../app/[team]/apps/[app]/syncing/page.tsx    | 27 +++++++++++--
 frontend/components/apps/EnableSSEDialog.tsx  |  8 ++--
 .../apps/EncryptionModeIndicator.tsx          | 11 ++----
 .../apps/tokens/CreateServiceTokenDialog.tsx  |  8 ++--
 .../components/apps/tokens/SecretTokens.tsx   | 21 +++-------
 .../environments/secrets/SecretRow.tsx        | 13 +++----
 frontend/components/logs/SecretLogs.tsx       |  8 ++--
 .../components/syncing/SyncManagement.tsx     | 27 ++++---------
 20 files changed, 143 insertions(+), 222 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/_components/AppSecretRow.tsx b/frontend/app/[team]/apps/[app]/_components/AppSecretRow.tsx
index 4f0d9c8fc..87174e7d8 100644
--- a/frontend/app/[team]/apps/[app]/_components/AppSecretRow.tsx
+++ b/frontend/app/[team]/apps/[app]/_components/AppSecretRow.tsx
@@ -1,5 +1,5 @@
 import { ApiSecretTypeChoices, EnvironmentType, SecretType } from '@/apollo/graphql'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { Disclosure, Switch, Transition } from '@headlessui/react'
 import clsx from 'clsx'
 import {
@@ -21,7 +21,7 @@ import { Button } from '@/components/common/Button'
 import { useMutation } from '@apollo/client'
 import Link from 'next/link'
 import { LogSecretReads } from '@/graphql/mutations/environments/readSecret.gql'
-import { usePathname } from 'next/navigation'
+import { usePathname, useParams } from 'next/navigation'
 import { arraysEqual } from '@/utils/crypto'
 import { toggleBooleanKeepingCase } from '@/utils/secrets'
 import CopyButton from '@/components/common/CopyButton'
@@ -81,6 +81,8 @@ const EnvSecretComponent = ({
 }) => {
   const pathname = usePathname()
   const { activeOrganisation: organisation } = useContext(organisationContext)
+  const params = useParams<{ app: string }>()
+  const { hasPermission } = useAppPermissions(params!.app)
   const [readSecret] = useMutation(LogSecretReads)
 
   const valueIsNew = clientEnvSecret.secret?.id.includes('new')
@@ -127,12 +129,8 @@ const EnvSecretComponent = ({
   const booleanValue = clientEnvSecret.secret?.value.toLowerCase() === 'true'
 
   // Permissions
-  const userCanUpdateSecrets =
-    userHasPermission(organisation?.role?.permissions, 'Secrets', 'update', true) ||
-    !serverEnvSecret
-  const userCanDeleteSecrets =
-    userHasPermission(organisation?.role?.permissions, 'Secrets', 'delete', true) ||
-    !serverEnvSecret
+  const userCanUpdateSecrets = hasPermission('Secrets', 'update', true) || !serverEnvSecret
+  const userCanDeleteSecrets = hasPermission('Secrets', 'delete', true) || !serverEnvSecret
 
   const handleRevealSecret = async () => {
     if (isSealedAndSaved) return
@@ -390,6 +388,8 @@ const AppSecretRowComponent = ({
   revealOnHover,
 }: AppSecretRowProps) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
+  const routeParams = useParams<{ app: string }>()
+  const { hasPermission } = useAppPermissions(routeParams!.app)
 
   const { id } = clientAppSecret
   const handleOpen = () => expand(id)
@@ -419,11 +419,9 @@ const AppSecretRowComponent = ({
     })
   }
 
-  // Permisssions
-  const userCanUpdateSecrets =
-    userHasPermission(organisation?.role?.permissions, 'Secrets', 'update', true) || secretIsNew
-  const userCanDeleteSecrets =
-    userHasPermission(organisation?.role?.permissions, 'Secrets', 'delete', true) || secretIsNew
+  // Permissions
+  const userCanUpdateSecrets = hasPermission('Secrets', 'update', true) || secretIsNew
+  const userCanDeleteSecrets = hasPermission('Secrets', 'delete', true) || secretIsNew
 
   const prodSecret = clientAppSecret.envs.find(
     (env) => env.env.envType?.toLowerCase() === 'prod'
diff --git a/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx b/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx
index cb9de3842..38073bef6 100644
--- a/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx
+++ b/frontend/app/[team]/apps/[app]/_components/AppSecrets.tsx
@@ -29,7 +29,7 @@ import { organisationContext } from '@/contexts/organisationContext'
 import { Button } from '@/components/common/Button'
 import { Switch } from '@headlessui/react'
 import clsx from 'clsx'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import {
   digest,
   encryptAsymmetric,
@@ -68,30 +68,12 @@ export const AppSecrets = ({ team, app }: { team: string; app: string }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   // Permissions
-  const userCanReadEnvironments = userHasPermission(
-    organisation?.role?.permissions,
-    'Environments',
-    'read',
-    true
-  )
-  const userCanReadSecrets = userHasPermission(
-    organisation?.role?.permissions,
-    'Secrets',
-    'read',
-    true
-  )
-  const userCanCreateSecrets = userHasPermission(
-    organisation?.role?.permissions,
-    'Secrets',
-    'create',
-    true
-  )
-  const userCanReadSyncs = userHasPermission(
-    organisation?.role?.permissions,
-    'Integrations',
-    'read',
-    true
-  )
+  const { hasPermission } = useAppPermissions(app)
+
+  const userCanReadEnvironments = hasPermission('Environments', 'read', true)
+  const userCanReadSecrets = hasPermission('Secrets', 'read', true)
+  const userCanCreateSecrets = hasPermission('Secrets', 'create', true)
+  const userCanReadSyncs = hasPermission('Integrations', 'read', true)
 
   const { data } = useQuery(GetAppDetail, {
     variables: { organisationId: organisation?.id, appId: app },
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
index c5718a074..f45af479d 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
@@ -27,7 +27,7 @@ import Link from 'next/link'
 import { unwrapEnvSecretsForUser, wrapEnvSecretsForAccount } from '@/utils/crypto'
 import GenericDialog from '@/components/common/GenericDialog'
 import { organisationContext } from '@/contexts/organisationContext'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { KeyringContext } from '@/contexts/keyringContext'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
@@ -51,18 +51,14 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
   const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
   // Permissions
-  const userCanReadAppMembers = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Members', 'read', true)
-    : false
-  const userCanReadEnvironments = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Environments', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(appId)
+
+  const userCanReadAppMembers = hasPermission('Members', 'read', true)
+  const userCanReadEnvironments = hasPermission('Environments', 'read', true)
 
   // AppMembers:create + OrgMembers: read
-  const userCanAddAppMembers = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Members', 'create', true) &&
-      userHasPermission(organisation?.role?.permissions, 'Members', 'read')
-    : false
+  const userCanAddAppMembers =
+    hasPermission('Members', 'create', true) && hasPermission('Members', 'read')
 
   const { data: orgMembersData } = useQuery(GetOrganisationMembers, {
     variables: {
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
index 8b09868ca..772cf121e 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
@@ -12,7 +12,8 @@ import clsx from 'clsx'
 import { toast } from 'react-toastify'
 import { useSession } from '@/contexts/userContext'
 import { KeyringContext } from '@/contexts/keyringContext'
-import { userHasGlobalAccess, userHasPermission } from '@/utils/access/permissions'
+import { userHasGlobalAccess } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { Alert } from '@/components/common/Alert'
 import Link from 'next/link'
 import { arraysEqual, unwrapEnvSecretsForUser, wrapEnvSecretsForAccount } from '@/utils/crypto'
@@ -38,11 +39,11 @@ export const ManageUserAccessDialog = ({
   const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
   // Permissions
+  const { hasPermission } = useAppPermissions(appId)
+
   // AppMembers:update + Environments:read
-  const userCanUpdateMemberAccess = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Members', 'update', true) &&
-      userHasPermission(organisation?.role?.permissions, 'Environments', 'read', true)
-    : false
+  const userCanUpdateMemberAccess =
+    hasPermission('Members', 'update', true) && hasPermission('Environments', 'read', true)
 
   const [getEnvKey] = useLazyQuery(GetEnvironmentKey)
   const [updateScope] = useMutation(UpdateEnvScope)
diff --git a/frontend/app/[team]/apps/[app]/access/members/page.tsx b/frontend/app/[team]/apps/[app]/access/members/page.tsx
index de1f8d5c9..54e79f3cf 100644
--- a/frontend/app/[team]/apps/[app]/access/members/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/page.tsx
@@ -10,6 +10,7 @@ import { FaBan, FaSearch, FaTimesCircle } from 'react-icons/fa'
 import { useSession } from '@/contexts/userContext'
 import { Avatar } from '@/components/common/Avatar'
 import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { TeamLabel } from '@/components/teams/TeamLabel'
 import { EmptyState } from '@/components/common/EmptyState'
@@ -26,22 +27,16 @@ export default function Members({ params }: { params: { team: string; app: strin
   const [searchQuery, setSearchQuery] = useState('')
 
   // Permissions
-  const userCanReadAppMembers = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Members', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(params.app)
+
+  const userCanReadAppMembers = hasPermission('Members', 'read', true)
 
   // AppMembers:create + OrgMembers: read
-  const userCanAddAppMembers = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Members', 'create', true) &&
-      userHasPermission(organisation?.role?.permissions, 'Members', 'read')
-    : false
-  const userCanRemoveAppMembers = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Members', 'delete', true)
-    : false
-
-  const userCanReadTeams = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
-    : false
+  const userCanAddAppMembers =
+    hasPermission('Members', 'create', true) && hasPermission('Members', 'read')
+  const userCanRemoveAppMembers = hasPermission('Members', 'delete', true)
+
+  const userCanReadTeams = hasPermission('Teams', 'read')
 
   const { data, loading } = useQuery(GetAppMembers, {
     variables: { appId: params.app },
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
index 9cefac054..172fc1d51 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
@@ -23,7 +23,7 @@ import {
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
 import { KeyringContext } from '@/contexts/keyringContext'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { Alert } from '@/components/common/Alert'
 import Link from 'next/link'
 import { unwrapEnvSecretsForUser, wrapEnvSecretsForAccount } from '@/utils/crypto'
@@ -51,18 +51,14 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
   const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
   // Permissions
-  const userCanReadAppSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read', true)
-    : false
-  const userCanReadEnvironments = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Environments', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(appId)
+
+  const userCanReadAppSA = hasPermission('ServiceAccounts', 'read', true)
+  const userCanReadEnvironments = hasPermission('Environments', 'read', true)
 
   // AppServiceAccounts:create + ServiceAccounts: read
-  const userCanAddAppSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'create', true) &&
-      userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read')
-    : false
+  const userCanAddAppSA =
+    hasPermission('ServiceAccounts', 'create', true) && hasPermission('ServiceAccounts', 'read')
 
   const { data: serviceAccountsData } = useQuery(GetServiceAccounts, {
     variables: {
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
index be6b7c2a9..35ab2989e 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
@@ -13,7 +13,8 @@ import { FaCheckCircle, FaChevronDown, FaCircle, FaCog } from 'react-icons/fa'
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
 import { KeyringContext } from '@/contexts/keyringContext'
-import { userHasGlobalAccess, userHasPermission } from '@/utils/access/permissions'
+import { userHasGlobalAccess } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { Alert } from '@/components/common/Alert'
 import Link from 'next/link'
 import { arraysEqual, unwrapEnvSecretsForUser, wrapEnvSecretsForAccount } from '@/utils/crypto'
@@ -39,11 +40,11 @@ export const ManageAccountAccessDialog = ({
   const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
   // Permissions
-  // AppMembers:update + Environments:read
-  const userCanUpdateSAAccess = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'update', true) &&
-      userHasPermission(organisation?.role?.permissions, 'Environments', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(appId)
+
+  // AppServiceAccounts:update + Environments:read
+  const userCanUpdateSAAccess =
+    hasPermission('ServiceAccounts', 'update', true) && hasPermission('Environments', 'read', true)
 
   const [updateScope] = useMutation(UpdateEnvScope)
 
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx
index b8d6827f9..54d1eaeb4 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/page.tsx
@@ -8,6 +8,7 @@ import { ServiceAccountType, TeamType } from '@/apollo/graphql'
 import { organisationContext } from '@/contexts/organisationContext'
 import { FaBan, FaRobot, FaSearch, FaTimesCircle } from 'react-icons/fa'
 import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { TeamLabel } from '@/components/teams/TeamLabel'
 import { EmptyState } from '@/components/common/EmptyState'
@@ -25,22 +26,16 @@ export default function ServiceAccounts({ params }: { params: { team: string; ap
   const [searchQuery, setSearchQuery] = useState('')
 
   // Permissions
-  const userCanReadAppSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(params.app)
+
+  const userCanReadAppSA = hasPermission('ServiceAccounts', 'read', true)
 
   // AppServiceAccounts:create + ServiceAccounts: read
-  const userCanAddAppSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'create', true) &&
-      userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read')
-    : false
-  const userCanRemoveAppSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'delete', true)
-    : false
-
-  const userCanReadTeams = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
-    : false
+  const userCanAddAppSA =
+    hasPermission('ServiceAccounts', 'create', true) && hasPermission('ServiceAccounts', 'read')
+  const userCanRemoveAppSA = hasPermission('ServiceAccounts', 'delete', true)
+
+  const userCanReadTeams = hasPermission('Teams', 'read')
 
   const { data, loading } = useQuery(GetAppServiceAccounts, {
     variables: { appId: params.app },
diff --git a/frontend/app/[team]/apps/[app]/access/teams/page.tsx b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
index 6c0e6926f..6c33e9429 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
@@ -8,7 +8,7 @@ import { useQuery } from '@apollo/client'
 import { useContext } from 'react'
 import { FaBan, FaExclamationTriangle, FaRobot, FaUsers } from 'react-icons/fa'
 import { RoleLabel } from '@/components/users/RoleLabel'
-import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { AddTeamToAppDialog } from './_components/AddTeamToAppDialog'
@@ -20,17 +20,10 @@ import Link from 'next/link'
 export default function AppTeams({ params }: { params: { team: string; app: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const userCanReadTeams = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
-    : false
+  const { hasPermission, isGlobalAccess: userIsGlobalAccess } = useAppPermissions(params.app)
 
-  const userCanUpdateTeams = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Teams', 'update')
-    : false
-
-  const userIsGlobalAccess = organisation
-    ? userHasGlobalAccess(organisation.role!.permissions)
-    : false
+  const userCanReadTeams = hasPermission('Teams', 'read', true)
+  const userCanUpdateTeams = hasPermission('Teams', 'update', true)
 
   const { data: teamsData, loading: teamsLoading } = useQuery(GetTeams, {
     variables: { organisationId: organisation?.id },
diff --git a/frontend/app/[team]/apps/[app]/access/tokens/page.tsx b/frontend/app/[team]/apps/[app]/access/tokens/page.tsx
index 1e7446f04..2195d9c9e 100644
--- a/frontend/app/[team]/apps/[app]/access/tokens/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/tokens/page.tsx
@@ -24,18 +24,15 @@ import {
   splitSecret,
   getWrappedKeyShare,
 } from '@/utils/crypto'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { EmptyState } from '@/components/common/EmptyState'
 
 export default function Tokens({ params }: { params: { team: string; app: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const userCanReadTokens = userHasPermission(
-    organisation?.role?.permissions,
-    'Tokens',
-    'read',
-    true
-  )
+  const { hasPermission } = useAppPermissions(params.app)
+
+  const userCanReadTokens = hasPermission('Tokens', 'read', true)
 
   const { data } = useQuery(GetAppDetail, {
     variables: {
diff --git a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
index 60ec92282..caa8a7c13 100644
--- a/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
+++ b/frontend/app/[team]/apps/[app]/environments/[environment]/[[...path]]/page.tsx
@@ -79,6 +79,7 @@ import SortMenu from '@/components/environments/secrets/SortMenu'
 
 import { DeployPreview } from '@/components/environments/secrets/DeployPreview'
 import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { EnvironmentPageSkeleton } from './_components/EnvironmentPageSkeleton'
 import EnvFileDropZone from '@/components/environments/secrets/import/EnvFileDropZone'
 import SingleEnvImportDialog from '@/components/environments/secrets/import/SingleEnvImportDialog'
@@ -140,30 +141,12 @@ export default function EnvironmentPath({
 
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const userCanReadEnvironments = userHasPermission(
-    organisation?.role?.permissions,
-    'Environments',
-    'read',
-    true
-  )
-  const userCanReadSecrets = userHasPermission(
-    organisation?.role?.permissions,
-    'Secrets',
-    'read',
-    true
-  )
-  const userCanCreateSecrets = userHasPermission(
-    organisation?.role?.permissions,
-    'Secrets',
-    'create',
-    true
-  )
-  const userCanReadSyncs = userHasPermission(
-    organisation?.role?.permissions,
-    'Integrations',
-    'read',
-    true
-  )
+  const { hasPermission } = useAppPermissions(params.app)
+
+  const userCanReadEnvironments = hasPermission('Environments', 'read', true)
+  const userCanReadSecrets = hasPermission('Secrets', 'read', true)
+  const userCanCreateSecrets = hasPermission('Secrets', 'create', true)
+  const userCanReadSyncs = hasPermission('Integrations', 'read', true)
 
   const [readSecrets] = useMutation(LogSecretReads)
 
@@ -982,12 +965,7 @@ export default function EnvironmentPath({
   }
 
   const NewSecretMenu = () => {
-    const userCanCreateSecrets = userHasPermission(
-      organisation?.role?.permissions,
-      'Secrets',
-      'create',
-      true
-    )
+    const userCanCreateSecrets = hasPermission('Secrets', 'create', true)
 
     const allowDynamicSecrets = organisation?.plan === ApiOrganisationPlanChoices.En
 
diff --git a/frontend/app/[team]/apps/[app]/settings/page.tsx b/frontend/app/[team]/apps/[app]/settings/page.tsx
index 088bd4341..03f389e99 100644
--- a/frontend/app/[team]/apps/[app]/settings/page.tsx
+++ b/frontend/app/[team]/apps/[app]/settings/page.tsx
@@ -11,7 +11,7 @@ import CopyButton from '@/components/common/CopyButton'
 import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
 import Link from 'next/link'
 import { FaArrowDownUpLock } from 'react-icons/fa6'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { UpdateAppInfoOp } from '@/graphql/mutations/apps/updateAppInfo.gql'
 import { Button } from '@/components/common/Button'
 import { toast } from 'react-toastify'
@@ -35,15 +35,11 @@ export default function AppSettings({ params }: { params: { team: string; app: s
     app &&
     `${new Date(app.createdAt).toDateString()}, ${new Date(app.createdAt).toLocaleTimeString()}`
 
-  const userCanDeleteApps = organisation
-    ? userHasPermission(organisation.role?.permissions, 'Apps', 'delete')
-    : false
-  const userCanUpdateSSE = organisation
-    ? userHasPermission(organisation.role?.permissions, 'EncryptionMode', 'update', true)
-    : false
-  const userCanUpdateApps = organisation
-    ? userHasPermission(organisation.role?.permissions, 'Apps', 'update')
-    : false
+  const { hasPermission } = useAppPermissions(params.app)
+
+  const userCanDeleteApps = hasPermission('Apps', 'delete')
+  const userCanUpdateSSE = hasPermission('EncryptionMode', 'update', true)
+  const userCanUpdateApps = hasPermission('Apps', 'update')
 
   const [updateAppName] = useMutation(UpdateAppInfoOp)
 
diff --git a/frontend/app/[team]/apps/[app]/syncing/page.tsx b/frontend/app/[team]/apps/[app]/syncing/page.tsx
index 0fb4ea55d..035955d1f 100644
--- a/frontend/app/[team]/apps/[app]/syncing/page.tsx
+++ b/frontend/app/[team]/apps/[app]/syncing/page.tsx
@@ -8,8 +8,10 @@ import { organisationContext } from '@/contexts/organisationContext'
 import { SyncCard } from '@/components/syncing/SyncCard'
 import { SyncOptions } from '@/components/syncing/SyncOptions'
 import { useSearchParams } from 'next/navigation'
-import { userHasPermission, userIsAdmin } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
+import { EmptyState } from '@/components/common/EmptyState'
+import { FaBan } from 'react-icons/fa'
 
 export default function Syncing({ params }: { params: { team: string; app: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -18,14 +20,31 @@ export default function Syncing({ params }: { params: { team: string; app: strin
 
   const openCreateSyncPanel = searchParams?.get('newSync')
 
+  const { hasPermission } = useAppPermissions(params.app)
+
+  const userCanReadIntegrations = hasPermission('Integrations', 'read', true)
+  const userCanCreateSyncs = hasPermission('Integrations', 'create', true)
+
   const { data } = useQuery(GetAppSyncStatus, {
     variables: { appId: params.app },
     pollInterval: 10000,
+    skip: !userCanReadIntegrations,
   })
 
-  const userCanCreateSyncs = organisation
-    ? userHasPermission(organisation.role?.permissions, 'Integrations', 'create', true)
-    : false
+  if (!userCanReadIntegrations)
+    return (
+      <EmptyState
+        title="Access restricted"
+        subtitle="You don't have the permissions required to view Integrations."
+        graphic={
+          <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+            <FaBan />
+          </div>
+        }
+      >
+        <></>
+      </EmptyState>
+    )
 
   return (
     <div className="w-full space-y-3 sm:space-y-4 lg:space-y-6 pt-3 sm:pt-4 lg:pt-6 text-black dark:text-white px-3 sm:px-4 lg:px-6">
diff --git a/frontend/components/apps/EnableSSEDialog.tsx b/frontend/components/apps/EnableSSEDialog.tsx
index f3e7d08ca..81cf6ee6b 100644
--- a/frontend/components/apps/EnableSSEDialog.tsx
+++ b/frontend/components/apps/EnableSSEDialog.tsx
@@ -16,7 +16,7 @@ import { GetAppDetail } from '@/graphql/queries/getAppDetail.gql'
 import { FaServer } from 'react-icons/fa6'
 import { organisationContext } from '@/contexts/organisationContext'
 import { unwrapEnvSecretsForUser, wrapEnvSecretsForServer } from '@/utils/crypto'
-import { userHasPermission, userIsAdmin } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import Link from 'next/link'
 
 export const EnableSSEDialog = (props: { appId: string }) => {
@@ -29,9 +29,9 @@ export const EnableSSEDialog = (props: { appId: string }) => {
   const [enableSse, { loading }] = useMutation(InitAppSyncing)
   const [getEnvKey] = useLazyQuery(GetEnvironmentKey)
 
-  const userCanEnableSSE = organisation
-    ? userHasPermission(organisation.role?.permissions, 'EncryptionMode', 'update', true)
-    : false
+  const { hasPermission } = useAppPermissions(appId)
+
+  const userCanEnableSSE = hasPermission('EncryptionMode', 'update', true)
 
   const { data: appEnvsData } = useQuery(GetAppEnvironments, {
     variables: {
diff --git a/frontend/components/apps/EncryptionModeIndicator.tsx b/frontend/components/apps/EncryptionModeIndicator.tsx
index 5fc21f040..fc8cd499c 100644
--- a/frontend/components/apps/EncryptionModeIndicator.tsx
+++ b/frontend/components/apps/EncryptionModeIndicator.tsx
@@ -7,7 +7,7 @@ import { FaCog, FaServer } from 'react-icons/fa'
 import { FaArrowDownUpLock } from 'react-icons/fa6'
 import { Button } from '../common/Button'
 import clsx from 'clsx'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 
 export const SseLabel = ({ sseEnabled }: { sseEnabled: boolean }) => (
   <div
@@ -37,12 +37,9 @@ export const EncryptionModeIndicator = (props: { app: AppType; asMenu?: boolean
 
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const userCanReadEncMode = userHasPermission(
-    organisation?.role?.permissions,
-    'EncryptionMode',
-    'read',
-    true
-  )
+  const { hasPermission } = useAppPermissions(app.id)
+
+  const userCanReadEncMode = hasPermission('EncryptionMode', 'read', true)
 
   if (!asMenu) return <SseLabel sseEnabled={app.sseEnabled!} />
 
diff --git a/frontend/components/apps/tokens/CreateServiceTokenDialog.tsx b/frontend/components/apps/tokens/CreateServiceTokenDialog.tsx
index f33160345..0807aaef2 100644
--- a/frontend/components/apps/tokens/CreateServiceTokenDialog.tsx
+++ b/frontend/components/apps/tokens/CreateServiceTokenDialog.tsx
@@ -29,7 +29,7 @@ import {
   wrapEnvSecretsForServiceToken,
 } from '@/utils/crypto'
 import { organisationContext } from '@/contexts/organisationContext'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 
 const compareExpiryOptions = (a: ExpiryOptionT, b: ExpiryOptionT) => {
   return a.getExpiry() === b.getExpiry()
@@ -41,9 +41,9 @@ export const CreateServiceTokenDialog = (props: { organisationId: string; appId:
   const { activeOrganisation: organisation } = useContext(organisationContext)
   const { keyring } = useContext(KeyringContext)
 
-  const userCanReadEnvironments = organisation
-    ? userHasPermission(organisation.role?.permissions, 'Environments', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(appId)
+
+  const userCanReadEnvironments = hasPermission('Environments', 'read', true)
 
   const [isOpen, setIsOpen] = useState<boolean>(false)
   const [name, setName] = useState<string>('')
diff --git a/frontend/components/apps/tokens/SecretTokens.tsx b/frontend/components/apps/tokens/SecretTokens.tsx
index 52954eb32..8bcb9d213 100644
--- a/frontend/components/apps/tokens/SecretTokens.tsx
+++ b/frontend/components/apps/tokens/SecretTokens.tsx
@@ -10,7 +10,7 @@ import { relativeTimeFromDates } from '@/utils/time'
 import { Dialog, Transition } from '@headlessui/react'
 import { clsx } from 'clsx'
 import { organisationContext } from '@/contexts/organisationContext'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { Avatar } from '@/components/common/Avatar'
 import { CreateServiceTokenDialog } from './CreateServiceTokenDialog'
 import { MdKey } from 'react-icons/md'
@@ -26,17 +26,12 @@ export const SecretTokens = (props: { organisationId: string; appId: string }) =
   const [deleteServiceToken] = useMutation(RevokeServiceToken)
 
   const { activeOrganisation: organisation } = useContext(organisationContext)
+  const { hasPermission } = useAppPermissions(appId)
 
-  const userCanReadTokens = userHasPermission(
-    organisation?.role?.permissions,
-    'Tokens',
-    'read',
-    true
-  )
+  const userCanReadTokens = hasPermission('Tokens', 'read', true)
 
   const usercanCreateTokens =
-    userHasPermission(organisation?.role?.permissions, 'Tokens', 'create', true) &&
-    userHasPermission(organisation?.role?.permissions, 'Environments', 'read', true)
+    hasPermission('Tokens', 'create', true) && hasPermission('Environments', 'read', true)
 
   const { data: serviceTokensData, loading } = useQuery(GetServiceTokens, {
     variables: {
@@ -154,13 +149,9 @@ export const SecretTokens = (props: { organisationId: string; appId: string }) =
 
     const isExpired = token.expiresAt === null ? false : new Date(token.expiresAt) < new Date()
 
-    const userCanReadEnvironments = organisation
-      ? userHasPermission(organisation.role?.permissions, 'Environments', 'read', true)
-      : false
+    const userCanReadEnvironments = hasPermission('Environments', 'read', true)
 
-    const userCanDeleteTokens = organisation
-      ? userHasPermission(organisation.role?.permissions, 'Tokens', 'delete', true)
-      : false
+    const userCanDeleteTokens = hasPermission('Tokens', 'delete', true)
 
     const identityKeys = token.keys.map((key) => key.identityKey)
 
diff --git a/frontend/components/environments/secrets/SecretRow.tsx b/frontend/components/environments/secrets/SecretRow.tsx
index a00ff1cd2..4a088d24b 100644
--- a/frontend/components/environments/secrets/SecretRow.tsx
+++ b/frontend/components/environments/secrets/SecretRow.tsx
@@ -22,7 +22,8 @@ import { ShareSecretDialog } from './ShareSecretDialog'
 import { toggleBooleanKeepingCase } from '@/utils/secrets'
 import { Switch } from '@headlessui/react'
 import { organisationContext } from '@/contexts/organisationContext'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
+import { useParams } from 'next/navigation'
 import { MaskedTextarea } from '@/components/common/MaskedTextarea'
 import { TypeSelector } from './TypeSelector'
 import { useSecretReferenceAutocomplete } from '@/hooks/useSecretReferenceAutocomplete'
@@ -53,14 +54,12 @@ function SecretRow(props: {
   } = props
 
   const { activeOrganisation: organisation } = useContext(organisationContext)
+  const routeParams = useParams<{ app: string }>()
+  const { hasPermission } = useAppPermissions(routeParams!.app)
 
   // Permissions
-  const userCanUpdateSecrets =
-    userHasPermission(organisation?.role?.permissions, 'Secrets', 'update', true) ||
-    !canonicalSecret
-  const userCanDeleteSecrets =
-    userHasPermission(organisation?.role?.permissions, 'Secrets', 'delete', true) ||
-    !canonicalSecret
+  const userCanUpdateSecrets = hasPermission('Secrets', 'update', true) || !canonicalSecret
+  const userCanDeleteSecrets = hasPermission('Secrets', 'delete', true) || !canonicalSecret
 
   const isConfig = secret.type === ApiSecretTypeChoices.Config
   const isNewSecret = canonicalSecret === undefined
diff --git a/frontend/components/logs/SecretLogs.tsx b/frontend/components/logs/SecretLogs.tsx
index 71926334b..f933f6ab2 100644
--- a/frontend/components/logs/SecretLogs.tsx
+++ b/frontend/components/logs/SecretLogs.tsx
@@ -41,7 +41,7 @@ import {
   envKeyring,
   EnvKeypair,
 } from '@/utils/crypto'
-import { userHasPermission } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { EmptyState } from '../common/EmptyState'
 import { Combobox, RadioGroup } from '@headlessui/react'
 import { FaFilter } from 'react-icons/fa'
@@ -148,9 +148,9 @@ export default function SecretLogs(props: { app: string }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
   const { keyring } = useContext(KeyringContext)
 
-  const userCanReadLogs = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'Logs', 'read', true)
-    : false
+  const { hasPermission } = useAppPermissions(props.app)
+
+  const userCanReadLogs = hasPermission('Logs', 'read', true)
 
   const getLastLogTimestamp = () =>
     logs.length > 0 ? dateToUnixTimestamp(logs[logs.length - 1].timestamp) : getCurrentTimeStamp()
diff --git a/frontend/components/syncing/SyncManagement.tsx b/frontend/components/syncing/SyncManagement.tsx
index 975c98b63..47ca8583b 100644
--- a/frontend/components/syncing/SyncManagement.tsx
+++ b/frontend/components/syncing/SyncManagement.tsx
@@ -19,7 +19,7 @@ import { ProviderCredentialPicker } from './ProviderCredentialPicker'
 import { organisationContext } from '@/contexts/organisationContext'
 import { toast } from 'react-toastify'
 import { Switch } from '@headlessui/react'
-import { userHasPermission, userIsAdmin } from '@/utils/access/permissions'
+import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { usePathname } from 'next/navigation'
 import { ServiceInfo } from './ServiceInfo'
 
@@ -35,9 +35,10 @@ export const SyncManagement = (props: { sync: EnvironmentSyncType; closeModal?:
   const [credential, setCredential] = useState<ProviderCredentialsType | null>(sync.authentication!)
   const [isActive, setIsActive] = useState<boolean>(sync.isActive)
 
+  const { hasPermission } = useAppPermissions(sync.environment.app.id)
+
   const userCanTriggerSyncs =
-    userHasPermission(organisation?.role?.permissions, 'Integrations', 'create', true) ||
-    userHasPermission(organisation?.role?.permissions, 'Integrations', 'update', true)
+    hasPermission('Integrations', 'create', true) || hasPermission('Integrations', 'update', true)
 
   const handleSync = async () => {
     await triggerSync({
@@ -87,23 +88,9 @@ export const SyncManagement = (props: { sync: EnvironmentSyncType; closeModal?:
 
   const isSyncing = sync.status === ApiEnvironmentSyncStatusChoices.InProgress
 
-  const userCanReadCredentials = userHasPermission(
-    organisation?.role?.permissions,
-    'IntegrationCredentials',
-    'read'
-  )
-  const userCanUpdateSyncs = userHasPermission(
-    organisation?.role?.permissions,
-    'Integrations',
-    'update',
-    true
-  )
-  const userCanDeleteSyncs = userHasPermission(
-    organisation?.role?.permissions,
-    'Integrations',
-    'delete',
-    true
-  )
+  const userCanReadCredentials = hasPermission('IntegrationCredentials', 'read')
+  const userCanUpdateSyncs = hasPermission('Integrations', 'update', true)
+  const userCanDeleteSyncs = hasPermission('Integrations', 'delete', true)
 
   return (
     <div className="space-y-3 pt-4">

From 1f3c5903c2d25597d365755c6a2649c50764ca21 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 18:51:22 +0530
Subject: [PATCH 030/118] fix: copy clarification

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../[team]/access/members/[memberId]/page.tsx | 13 +++--
 .../service-accounts/[account]/page.tsx       | 56 ++++++++++++-------
 2 files changed, 44 insertions(+), 25 deletions(-)

diff --git a/frontend/app/[team]/access/members/[memberId]/page.tsx b/frontend/app/[team]/access/members/[memberId]/page.tsx
index b17adcfb9..bea69d197 100644
--- a/frontend/app/[team]/access/members/[memberId]/page.tsx
+++ b/frontend/app/[team]/access/members/[memberId]/page.tsx
@@ -11,7 +11,12 @@ import { useContext, useMemo } from 'react'
 import { FaBan, FaChevronLeft, FaClock, FaCog, FaKey, FaNetworkWired } from 'react-icons/fa'
 import { Avatar } from '@/components/common/Avatar'
 import { EmptyState } from '@/components/common/EmptyState'
-import { OrganisationMemberType, UserTokenType, AppMembershipType, TeamType } from '@/apollo/graphql'
+import {
+  OrganisationMemberType,
+  UserTokenType,
+  AppMembershipType,
+  TeamType,
+} from '@/apollo/graphql'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { DeleteMemberConfirmDialog } from '../_components/DeleteMemberConfirmDialog'
 import { RoleSelector } from '../_components/RoleSelector'
@@ -223,9 +228,7 @@ export default function MemberDetail({ params }: { params: { team: string; membe
           <div className="pt-4 space-y-3 border-t border-neutral-500/40">
             <div>
               <div className="text-base font-medium">Teams</div>
-              <div className="text-neutral-500 text-sm">
-                Teams this member belongs to
-              </div>
+              <div className="text-neutral-500 text-sm">Teams this member belongs to</div>
             </div>
 
             <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
@@ -282,7 +285,7 @@ export default function MemberDetail({ params }: { params: { team: string; membe
               <div>
                 <div className="text-base font-medium">App Access</div>
                 <div className="text-neutral-500 text-sm">
-                  Apps and Environments this member has access to
+                  Apps and Environments this member has direct access to
                 </div>
               </div>
               {userCanWriteAppMemberships && !member.self && (
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index bb8bc0945..c3e18dd3d 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -9,7 +9,18 @@ import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissio
 import { useMutation, useQuery } from '@apollo/client'
 import Link from 'next/link'
 import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
-import { FaBan, FaBoxOpen, FaBuilding, FaChevronDown, FaChevronLeft, FaCog, FaEdit, FaNetworkWired, FaUsers, FaUsersCog } from 'react-icons/fa'
+import {
+  FaBan,
+  FaBoxOpen,
+  FaBuilding,
+  FaChevronDown,
+  FaChevronLeft,
+  FaCog,
+  FaEdit,
+  FaNetworkWired,
+  FaUsers,
+  FaUsersCog,
+} from 'react-icons/fa'
 import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
 import { DeleteServiceAccountDialog } from '../_components/DeleteServiceAccountDialog'
 import { AddAppButton } from './_components/AddAppsToServiceAccountsButton'
@@ -280,7 +291,10 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                     {account.team.name}
                   </Link>
                 ) : (
-                  <span className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-neutral-500/15 text-neutral-600 dark:text-neutral-400" title="Organisation-level account — visible org-wide">
+                  <span
+                    className="inline-flex items-center gap-1 text-2xs px-2 py-0.5 rounded-full bg-neutral-500/15 text-neutral-600 dark:text-neutral-400"
+                    title="Organisation-level account — visible org-wide"
+                  >
                     <FaBuilding className="text-[0.55rem]" />
                     Organisation
                   </span>
@@ -314,10 +328,11 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           {/* Role Selector and Description */}
           <div className="space-y-2">
             <div className="text-sm w-max flex items-center gap-2">
-              <ServiceAccountRoleSelector account={account} displayOnly={!userCanUpdateSA || isTeamOwned} />
-              {isTeamOwned && (
-                <span className="text-2xs text-neutral-500">(managed by team)</span>
-              )}
+              <ServiceAccountRoleSelector
+                account={account}
+                displayOnly={!userCanUpdateSA || isTeamOwned}
+              />
+              {isTeamOwned && <span className="text-2xs text-neutral-500">(managed by team)</span>}
             </div>
 
             <div className="flex flex-col gap-1">
@@ -452,10 +467,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                       variant="primary"
                       onClick={handleOwnershipSave}
                       isLoading={savingOwnership}
-                      disabled={
-                        isMultiTeamOrg ||
-                        selectedTeamId === (account.team?.id || null)
-                      }
+                      disabled={isMultiTeamOrg || selectedTeamId === (account.team?.id || null)}
                     >
                       Save
                     </Button>
@@ -470,9 +482,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           <div className="py-4 space-y-3">
             <div>
               <div className="text-base font-medium">Teams</div>
-              <div className="text-neutral-500 text-sm">
-                Teams this account belongs to
-              </div>
+              <div className="text-neutral-500 text-sm">Teams this account belongs to</div>
             </div>
 
             <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
@@ -490,7 +500,9 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                         >
                           {team.name}
                         </Link>
-                        {team.serviceAccountRole && <RoleLabel role={team.serviceAccountRole} size="xs" />}
+                        {team.serviceAccountRole && (
+                          <RoleLabel role={team.serviceAccountRole} size="xs" />
+                        )}
                       </div>
                       {team.description && (
                         <div className="text-2xs text-neutral-500 truncate max-w-md">
@@ -540,7 +552,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                     team.
                   </>
                 ) : (
-                  'Manage the Apps and Environments that this account has access to'
+                  'Manage the Apps and Environments that this account has direct access to'
                 )}
               </div>
             </div>
@@ -665,7 +677,10 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             {!userCanManageTeamSA ? (
               <div className="py-6 text-center text-neutral-500 text-sm">
                 You must be a member of the{' '}
-                <Link href={`/${params.team}/access/teams/${account.team!.id}`} className="text-blue-600 dark:text-blue-400 hover:underline">
+                <Link
+                  href={`/${params.team}/access/teams/${account.team!.id}`}
+                  className="text-blue-600 dark:text-blue-400 hover:underline"
+                >
                   {account.team!.name}
                 </Link>{' '}
                 team to manage network policies for this account.
@@ -717,13 +732,14 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           <div className="py-4 space-y-3">
             <div>
               <div className="text-base font-medium">Tokens</div>
-              <div className="text-neutral-500 text-sm">
-                Service account access tokens
-              </div>
+              <div className="text-neutral-500 text-sm">Service account access tokens</div>
             </div>
             <div className="py-6 text-center text-neutral-500 text-sm">
               You must be a member of the{' '}
-              <Link href={`/${params.team}/access/teams/${account.team!.id}`} className="text-blue-600 dark:text-blue-400 hover:underline">
+              <Link
+                href={`/${params.team}/access/teams/${account.team!.id}`}
+                className="text-blue-600 dark:text-blue-400 hover:underline"
+              >
                 {account.team!.name}
               </Link>{' '}
               team to manage tokens for this account.

From ebd1fb4ed16c365493e1d5b725ce0db825899182 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 19:01:19 +0530
Subject: [PATCH 031/118] feat: command palette actions for teams

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/CommandPalette.tsx | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/frontend/components/common/CommandPalette.tsx b/frontend/components/common/CommandPalette.tsx
index e850a8718..c67eea34d 100644
--- a/frontend/components/common/CommandPalette.tsx
+++ b/frontend/components/common/CommandPalette.tsx
@@ -24,6 +24,8 @@ import {
 import { useRouter } from 'next/navigation'
 import { useQuery } from '@apollo/client'
 import { GetApps } from '@/graphql/queries/getApps.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { TeamType } from '@/apollo/graphql'
 import { organisationContext } from '@/contexts/organisationContext'
 import { ThemeContext } from '@/contexts/themeContext'
 import { BsListColumnsReverse } from 'react-icons/bs'
@@ -71,11 +73,27 @@ const CommandPalette: React.FC = () => {
     'create'
   )
 
+  const userCanReadTeams = userHasPermission(
+    activeOrganisation?.role?.permissions,
+    'Teams',
+    'read'
+  )
+  const userCanCreateTeams = userHasPermission(
+    activeOrganisation?.role?.permissions,
+    'Teams',
+    'create'
+  )
+
   const { data: appsData } = useQuery(GetApps, {
     variables: { organisationId: activeOrganisation?.id },
     skip: !activeOrganisation?.id || !userCanReadApps,
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: activeOrganisation?.id },
+    skip: !activeOrganisation?.id || !userCanReadTeams,
+  })
+
   const handleNavigation = (url: string) => {
     router.push(url)
     setIsOpen(false)
@@ -124,6 +142,13 @@ const CommandPalette: React.FC = () => {
       icon: <FaKey />,
       action: () => handleNavigation(`/${activeOrganisation?.name}/access/members`),
     },
+    {
+      id: 'go-teams',
+      name: 'Go to Teams',
+      description: 'Manage organization teams',
+      icon: <FaUsers />,
+      action: () => handleNavigation(`/${activeOrganisation?.name}/access/teams`),
+    },
     {
       id: 'go-settings',
       name: 'Go to Settings',
@@ -172,6 +197,15 @@ const CommandPalette: React.FC = () => {
       action: () => handleNavigation(`/${activeOrganisation?.name}/access/members?invite=true`),
     })
 
+  if (userCanCreateTeams)
+    actionCommands.push({
+      id: 'create-team',
+      name: 'Create a Team',
+      description: 'Create a new team',
+      icon: <FaPlus />,
+      action: () => handleNavigation(`/${activeOrganisation?.name}/access/teams`),
+    })
+
   const externalResources: CommandItem[] = [
     {
       id: 'open-docs',
@@ -247,6 +281,14 @@ const CommandPalette: React.FC = () => {
           icon: <FaArrowsRotate />,
           action: () => handleNavigation(`/${activeOrganisation?.name}/apps/${app.id}/syncing`),
         },
+        {
+          id: `${app.id}-teams`,
+          name: `Teams`,
+          description: `Manage team access for ${app.name}`,
+          icon: <FaUsers />,
+          action: () =>
+            handleNavigation(`/${activeOrganisation?.name}/apps/${app.id}/access/teams`),
+        },
         {
           id: `${app.id}-logs`,
           name: `Logs`,
@@ -257,6 +299,22 @@ const CommandPalette: React.FC = () => {
       ],
     })) || []
 
+  const teamCommands: CommandGroup[] =
+    teamsData?.teams?.map((team: TeamType) => ({
+      name: team.name,
+      icon: <FaUsers />,
+      items: [
+        {
+          id: `team-${team.id}`,
+          name: `${team.name}`,
+          description: `Go to team ${team.name}`,
+          icon: <FaUsers />,
+          action: () =>
+            handleNavigation(`/${activeOrganisation?.name}/access/teams/${team.id}`),
+        },
+      ],
+    })) || []
+
   // Debounce helper for query input
   const debouncedSetQuery = React.useMemo(() => debounce((val: string) => setQuery(val), 250), [])
   React.useEffect(() => {
@@ -304,6 +362,7 @@ const CommandPalette: React.FC = () => {
         ]
       : []),
     ...(appCommands.length > 0 ? appCommands : []),
+    ...(teamCommands.length > 0 ? teamCommands : []),
     {
       name: 'Resources',
       icon: <FaBook />,

From 8cb6fc731cd904a706ef689beeab8b19acca8021 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 19:32:44 +0530
Subject: [PATCH 032/118] fix: team mutation gates for team owners

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/mutations/teams.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 6b6aa9186..68424b29f 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -40,6 +40,13 @@ def _check_team_membership(user, team):
         raise GraphQLError("You don't have access to this team")
 
 
+def _is_team_creator(user, team):
+    """Check if the user is the creator of the team."""
+    if team.created_by is None:
+        return False
+    return team.created_by.user_id == user.userId
+
+
 class CreateTeamMutation(graphene.Mutation):
     class Arguments:
         organisation_id = graphene.ID(required=True)
@@ -355,8 +362,8 @@ def mutate(cls, root, info, team_id, app_envs):
         for app_env in app_envs:
             app = App.objects.get(id=app_env.app_id, organisation=org)
 
-            # Check app-level Teams permission (respects team role overrides)
-            if not user_has_permission(user, "create", "Teams", org, is_app_resource=True, app=app):
+            # Check app-level Teams permission (team creators always have access)
+            if not _is_team_creator(user, team) and not user_has_permission(user, "create", "Teams", org, is_app_resource=True, app=app):
                 raise GraphQLError(
                     f"You don't have permission to add teams to app '{app.name}'"
                 )
@@ -409,8 +416,8 @@ def mutate(cls, root, info, team_id, app_id):
 
         app = App.objects.get(id=app_id, organisation=org)
 
-        # Check app-level Teams permission (respects team role overrides)
-        if not user_has_permission(user, "delete", "Teams", org, is_app_resource=True, app=app):
+        # Check app-level Teams permission (team creators always have access)
+        if not _is_team_creator(user, team) and not user_has_permission(user, "delete", "Teams", org, is_app_resource=True, app=app):
             raise GraphQLError(
                 "You don't have permission to remove teams from this app"
             )
@@ -447,8 +454,8 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
 
         app = App.objects.get(id=app_id, organisation=org)
 
-        # Check app-level Teams permission (respects team role overrides)
-        if not user_has_permission(user, "update", "Teams", org, is_app_resource=True, app=app):
+        # Check app-level Teams permission (team creators always have access)
+        if not _is_team_creator(user, team) and not user_has_permission(user, "update", "Teams", org, is_app_resource=True, app=app):
             raise GraphQLError(
                 "You don't have permission to manage team environments for this app"
             )

From 9f35a82aded178accd691d6a75be3622f6a75c73 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 19:33:06 +0530
Subject: [PATCH 033/118] feat: add a remove app dialog on team page

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/RemoveTeamAppDialog.tsx       | 72 +++++++++++++++++++
 .../app/[team]/access/teams/[teamId]/page.tsx | 12 +++-
 2 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamAppDialog.tsx

diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamAppDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamAppDialog.tsx
new file mode 100644
index 000000000..50f75cd7d
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/RemoveTeamAppDialog.tsx
@@ -0,0 +1,72 @@
+'use client'
+
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { RemoveTeamAppOp } from '@/graphql/mutations/teams/removeTeamApp.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef } from 'react'
+import { FaTrashAlt } from 'react-icons/fa'
+import { toast } from 'react-toastify'
+
+export const RemoveTeamAppDialog = ({
+  teamId,
+  teamName,
+  appId,
+  appName,
+}: {
+  teamId: string
+  teamName: string
+  appId: string
+  appName: string
+}) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const [removeApp, { loading }] = useMutation(RemoveTeamAppOp)
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const handleRemove = async () => {
+    try {
+      await removeApp({
+        variables: { teamId, appId },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id },
+          },
+        ],
+      })
+      toast.success(`Removed ${appName} from ${teamName}`)
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title={`Remove ${appName}?`}
+      buttonContent={
+        <div className="py-1">
+          <FaTrashAlt />
+        </div>
+      }
+      buttonVariant="danger"
+      ref={dialogRef}
+    >
+      <div className="space-y-4 pt-4">
+        <p className="text-sm text-neutral-500">
+          This will remove <strong className="text-zinc-900 dark:text-zinc-100">{appName}</strong>{' '}
+          from team <strong className="text-zinc-900 dark:text-zinc-100">{teamName}</strong>. Team
+          members will lose access to environments granted through this team unless they have
+          individual access, or access through any other teams.
+        </p>
+        <div className="flex justify-end gap-2">
+          <Button variant="danger" onClick={handleRemove} isLoading={loading}>
+            Remove App
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 3c4deb526..7f9050a32 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -33,6 +33,7 @@ import { UpdateTeamDialog } from './_components/UpdateTeamDialog'
 import { DeleteTeamDialog } from '../_components/DeleteTeamDialog'
 import { CreateServiceAccountDialog } from '../../service-accounts/_components/CreateServiceAccountDialog'
 import { DeleteServiceAccountDialog } from '../../service-accounts/_components/DeleteServiceAccountDialog'
+import { RemoveTeamAppDialog } from './_components/RemoveTeamAppDialog'
 
 export default function TeamDetail({ params }: { params: { team: string; teamId: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -427,9 +428,8 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                     </div>
                   </div>
 
-                  <div className="flex justify-end">
+                  <div className="flex justify-end gap-2 opacity-0 group-hover:opacity-100 transition ease">
                     <Link
-                      className="opacity-0 group-hover:opacity-100 transition ease"
                       href={`/${params.team}/apps/${appId}/access/teams`}
                       title={`Manage team access to ${app.name}`}
                     >
@@ -437,6 +437,14 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                         Manage
                       </Button>
                     </Link>
+                    {canUpdateTeam && (
+                      <RemoveTeamAppDialog
+                        teamId={team.id}
+                        teamName={team.name}
+                        appId={appId}
+                        appName={app.name}
+                      />
+                    )}
                   </div>
                 </div>
               ))

From 1005ecb2415a9b34fb056560bf6f19b40b024dd2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 19:33:21 +0530
Subject: [PATCH 034/118] fix: misc permission fixes

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/app/[team]/apps/[app]/access/teams/page.tsx | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/access/teams/page.tsx b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
index 6c33e9429..e36cdd0c8 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
@@ -20,7 +20,7 @@ import Link from 'next/link'
 export default function AppTeams({ params }: { params: { team: string; app: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const { hasPermission, isGlobalAccess: userIsGlobalAccess } = useAppPermissions(params.app)
+  const { hasPermission } = useAppPermissions(params.app)
 
   const userCanReadTeams = hasPermission('Teams', 'read', true)
   const userCanUpdateTeams = hasPermission('Teams', 'update', true)
@@ -122,7 +122,6 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                 const memberCount = team.members?.filter((m) => m.orgMember).length || 0
                 const saCount = team.members?.filter((m) => m.serviceAccount).length || 0
                 const isTeamOwner =
-                  userIsGlobalAccess ||
                   team.createdBy?.id === organisation?.memberId
 
                 return (
@@ -173,9 +172,9 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                           appId={params.app}
                           appEnvironments={appEnvironments}
                           teamEnvs={teamEnvs as TeamAppEnvironmentType[]}
-                          canManage={isTeamOwner && userCanUpdateTeams}
+                          canManage={isTeamOwner || userCanUpdateTeams}
                         />
-                        {isTeamOwner && userCanUpdateTeams && (
+                        {(isTeamOwner || userCanUpdateTeams) && (
                           <div className="opacity-0 pointer-events-none group-hover:opacity-100 group-hover:pointer-events-auto transition ease">
                             <RemoveTeamFromAppDialog
                               teamId={team.id}

From 3c28e40d86325a4e42149dee884ab0d0532a6985 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 19:33:32 +0530
Subject: [PATCH 035/118] feat: checkbox stying tweaks for dark theme

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/Checkbox.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/components/common/Checkbox.tsx b/frontend/components/common/Checkbox.tsx
index f0b1faea0..95d2bcc2f 100644
--- a/frontend/components/common/Checkbox.tsx
+++ b/frontend/components/common/Checkbox.tsx
@@ -35,11 +35,11 @@ export const Checkbox = (props: {
           styles.box,
           label && styles.offset,
           checked
-            ? 'bg-emerald-500 dark:bg-emerald-600 ring-emerald-500'
+            ? 'bg-emerald-500 ring-emerald-500 dark:bg-emerald-400/20 dark:ring-emerald-400/20'
             : 'bg-zinc-100 dark:bg-zinc-800 ring-neutral-500/40 group-hover:ring-neutral-500/60'
         )}
       >
-        {checked && <FaCheck className={clsx('text-white', styles.icon)} />}
+        {checked && <FaCheck className={clsx('text-white dark:text-emerald-400', styles.icon)} />}
       </div>
       {label && <span className="text-xs text-neutral-500 text-left select-none">{label}</span>}
     </button>

From c77b7ba32e4a76c193c7911b94d9d1d33798b57d Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 19:33:53 +0530
Subject: [PATCH 036/118] feat: show all apps on manage team access dialog,
 misc ux updates

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/AddTeamAppsDialog.tsx         | 181 ++++++++++++++----
 1 file changed, 141 insertions(+), 40 deletions(-)

diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
index 553e125e5..d27268fa2 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/AddTeamAppsDialog.tsx
@@ -1,6 +1,6 @@
 'use client'
 
-import { AppType, TeamType } from '@/apollo/graphql'
+import { AppType, TeamType, TeamAppEnvironmentType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
 import { Checkbox } from '@/components/common/Checkbox'
@@ -8,8 +8,10 @@ import { organisationContext } from '@/contexts/organisationContext'
 import { GetApps } from '@/graphql/queries/getApps.gql'
 import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { AddTeamAppsOp } from '@/graphql/mutations/teams/addTeamApps.gql'
+import { UpdateTeamAppEnvironmentsOp } from '@/graphql/mutations/teams/updateTeamAppEnvironments.gql'
+import { RemoveTeamAppOp } from '@/graphql/mutations/teams/removeTeamApp.gql'
 import { useMutation, useQuery } from '@apollo/client'
-import { useContext, useRef, useState } from 'react'
+import { useContext, useRef, useState, useEffect } from 'react'
 import { useParams } from 'next/navigation'
 import Link from 'next/link'
 import { FaChevronDown, FaExclamationTriangle, FaExternalLinkAlt, FaSearch, FaTimesCircle } from 'react-icons/fa'
@@ -27,16 +29,39 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
     skip: !organisation,
   })
 
-  const [addApps, { loading }] = useMutation(AddTeamAppsOp)
+  const [addApps, { loading: addLoading }] = useMutation(AddTeamAppsOp)
+  const [updateEnvs, { loading: updateLoading }] = useMutation(UpdateTeamAppEnvironmentsOp)
+  const [removeApp, { loading: removeLoading }] = useMutation(RemoveTeamAppOp)
+
+  const loading = addLoading || updateLoading || removeLoading
 
   const dialogRef = useRef<{ closeModal: () => void }>(null)
   const [selectedEnvs, setSelectedEnvs] = useState<Record<string, Set<string>>>({})
   const [searchQuery, setSearchQuery] = useState('')
+  const [isOpen, setIsOpen] = useState(false)
 
+  // Build the initial state from existing team app-environment assignments
   const existingAppIds = new Set(team.apps?.map((a) => a!.id) || [])
 
-  const allApps: AppType[] =
-    appsData?.apps?.filter((app: AppType) => !existingAppIds.has(app.id)) || []
+  const getInitialEnvs = (): Record<string, Set<string>> => {
+    const initial: Record<string, Set<string>> = {}
+    for (const tae of (team.appEnvironments || []) as TeamAppEnvironmentType[]) {
+      if (!tae?.app?.id || !tae?.environment?.id) continue
+      if (!initial[tae.app.id]) initial[tae.app.id] = new Set()
+      initial[tae.app.id].add(tae.environment.id)
+    }
+    return initial
+  }
+
+  // Reset selected envs from team data when dialog opens
+  useEffect(() => {
+    if (isOpen) {
+      setSelectedEnvs(getInitialEnvs())
+    }
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [isOpen])
+
+  const allApps: AppType[] = appsData?.apps || []
 
   const sseApps = allApps.filter((app) => app.sseEnabled)
   const nonSseApps = allApps.filter((app) => !app.sseEnabled)
@@ -80,29 +105,87 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
     })
   }
 
-  const selectedCount = Object.keys(selectedEnvs).length
+  // Compute what changed vs the initial state
+  const computeChanges = () => {
+    const initial = getInitialEnvs()
+    const toAdd: { appId: string; envIds: string[] }[] = []
+    const toUpdate: { appId: string; envIds: string[] }[] = []
+    const toRemove: string[] = []
+
+    // Check apps in selectedEnvs
+    for (const [appId, envIds] of Object.entries(selectedEnvs)) {
+      if (!initial[appId]) {
+        // New app
+        toAdd.push({ appId, envIds: Array.from(envIds) })
+      } else {
+        // Existing app — check if envs changed
+        const initialSet = initial[appId]
+        const changed =
+          envIds.size !== initialSet.size ||
+          [...envIds].some((id) => !initialSet.has(id))
+        if (changed) {
+          toUpdate.push({ appId, envIds: Array.from(envIds) })
+        }
+      }
+    }
+
+    // Check for removed apps (in initial but not in selectedEnvs)
+    for (const appId of Object.keys(initial)) {
+      if (!selectedEnvs[appId]) {
+        toRemove.push(appId)
+      }
+    }
+
+    return { toAdd, toUpdate, toRemove }
+  }
+
+  const { toAdd, toUpdate, toRemove } = computeChanges()
+  const hasChanges = toAdd.length > 0 || toUpdate.length > 0 || toRemove.length > 0
 
   const handleSubmit = async () => {
-    if (selectedCount === 0) return
+    if (!hasChanges) return
+
     try {
-      const appEnvs = Object.entries(selectedEnvs).map(([appId, envIds]) => ({
-        appId,
-        envIds: Array.from(envIds),
-      }))
-      await addApps({
-        variables: {
-          teamId: team.id,
-          appEnvs,
+      const refetchQueries = [
+        {
+          query: GetTeams,
+          variables: { organisationId: organisation!.id, teamId: team.id },
         },
-        refetchQueries: [
-          {
-            query: GetTeams,
-            variables: { organisationId: organisation!.id, teamId: team.id },
+      ]
+
+      // Add new apps
+      if (toAdd.length > 0) {
+        await addApps({
+          variables: {
+            teamId: team.id,
+            appEnvs: toAdd,
           },
-        ],
-      })
-      toast.success(`Granted access to ${selectedCount} app${selectedCount !== 1 ? 's' : ''}`)
-      reset()
+          refetchQueries,
+        })
+      }
+
+      // Update existing apps with changed envs
+      for (const { appId, envIds } of toUpdate) {
+        await updateEnvs({
+          variables: { teamId: team.id, appId, envIds },
+          refetchQueries,
+        })
+      }
+
+      // Remove apps with all envs deselected
+      for (const appId of toRemove) {
+        await removeApp({
+          variables: { teamId: team.id, appId },
+          refetchQueries,
+        })
+      }
+
+      const parts = []
+      if (toAdd.length > 0) parts.push(`added ${toAdd.length}`)
+      if (toUpdate.length > 0) parts.push(`updated ${toUpdate.length}`)
+      if (toRemove.length > 0) parts.push(`removed ${toRemove.length}`)
+      toast.success(`App access ${parts.join(', ')}`)
+
       dialogRef.current?.closeModal()
     } catch (err: any) {
       toast.error(err.message)
@@ -112,6 +195,7 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
   const reset = () => {
     setSelectedEnvs({})
     setSearchQuery('')
+    setIsOpen(false)
   }
 
   return (
@@ -119,18 +203,19 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
       title="Manage app access"
       buttonContent={
         <>
-          <FaCubes /> Manage app Access
+          <FaCubes /> Manage app access
         </>
       }
       buttonVariant="primary"
       ref={dialogRef}
       size="lg"
       onClose={reset}
+      onOpen={() => setIsOpen(true)}
     >
       <div className="space-y-3 pt-4">
         <p className="text-2xs text-neutral-500">
-          Grant this team access to apps and environments. Only SSE-enabled apps can be assigned to
-          teams.
+          Manage this team&apos;s access to apps and environments. Only SSE-enabled apps can be
+          assigned to teams.
         </p>
 
         <div className="relative flex items-center bg-zinc-200 dark:bg-zinc-800 rounded-md px-2">
@@ -153,9 +238,7 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
 
         {filteredSseApps.length === 0 && filteredNonSseApps.length === 0 ? (
           <p className="text-xs text-neutral-500 text-center py-4">
-            {searchQuery
-              ? 'No apps match your search'
-              : 'No available apps. All SSE-enabled apps are already assigned to this team.'}
+            {searchQuery ? 'No apps match your search' : 'No SSE-enabled apps available.'}
           </p>
         ) : (
           <div className="max-h-[80vh] overflow-y-auto space-y-1.5">
@@ -163,19 +246,27 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
               const envIds = app.environments?.filter(Boolean).map((e) => e!.id) || []
               const appSelected = selectedEnvs[app.id]
               const allEnvsSelected = appSelected && envIds.every((id) => appSelected.has(id))
+              const isExisting = existingAppIds.has(app.id)
 
               return (
-                <Disclosure key={app.id}>
+                <Disclosure key={app.id} defaultOpen={isExisting}>
                   {({ open }) => (
                     <div className="border border-zinc-500/20 rounded-lg overflow-hidden">
                       <Disclosure.Button className="w-full flex items-center justify-between px-3 py-2 hover:bg-zinc-100 dark:hover:bg-zinc-800">
                         <div className="flex items-center gap-2">
-                          <span className="font-medium text-xs text-zinc-900 dark:text-zinc-100">{app.name}</span>
+                          <span className="font-medium text-xs text-zinc-900 dark:text-zinc-100">
+                            {app.name}
+                          </span>
                           {appSelected && (
                             <span className="text-2xs px-1.5 py-0.5 rounded-full bg-emerald-500/20 text-emerald-500">
                               {appSelected.size} env{appSelected.size !== 1 ? 's' : ''}
                             </span>
                           )}
+                          {isExisting && !appSelected && (
+                            <span className="text-2xs px-1.5 py-0.5 rounded-full bg-red-500/20 text-red-500">
+                              removing
+                            </span>
+                          )}
                         </div>
                         <FaChevronDown
                           className={clsx(
@@ -186,15 +277,15 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
                       </Disclosure.Button>
                       <Disclosure.Panel className="px-3 pb-2 border-t border-zinc-500/20">
                         <div
-                          className="flex items-center justify-between py-2 cursor-pointer"
+                          className="flex items-center gap-2 py-2 cursor-pointer"
                           onClick={() => toggleAllEnvs(app.id, envIds)}
                         >
-                          <span className="text-2xs text-neutral-500">All environments</span>
                           <Checkbox
                             size="sm"
                             checked={!!allEnvsSelected}
                             onChange={() => toggleAllEnvs(app.id, envIds)}
                           />
+                          <span className="text-2xs text-neutral-500">All environments</span>
                         </div>
                         <div className="flex flex-wrap gap-1.5">
                           {app.environments?.map((env) => {
@@ -211,7 +302,9 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
                                 )}
                                 onClick={() => toggleEnv(app.id, env.id)}
                               >
-                                <span className="text-2xs text-zinc-900 dark:text-zinc-100">{env.name}</span>
+                                <span className="text-2xs text-zinc-900 dark:text-zinc-100">
+                                  {env.name}
+                                </span>
                                 <Checkbox
                                   size="sm"
                                   checked={isSelected}
@@ -237,7 +330,10 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
                       <Disclosure.Button className="w-full flex items-center justify-between py-2 px-3 text-2xs text-amber-500">
                         <div className="flex items-center gap-1.5">
                           <FaExclamationTriangle className="shrink-0" />
-                          <span>{filteredNonSseApps.length} hidden app{filteredNonSseApps.length !== 1 ? 's' : ''}</span>
+                          <span>
+                            {filteredNonSseApps.length} hidden app
+                            {filteredNonSseApps.length !== 1 ? 's' : ''}
+                          </span>
                         </div>
                         <FaChevronDown
                           className={clsx(
@@ -248,10 +344,14 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
                       </Disclosure.Button>
                       <Disclosure.Panel className="space-y-1">
                         <p className="text-2xs text-neutral-500 mb-2">
-                          These apps need SSE enabled in settings before they can be assigned to teams.
+                          These apps need SSE enabled in settings before they can be assigned to
+                          teams.
                         </p>
                         {filteredNonSseApps.map((app: AppType) => (
-                          <div key={app.id} className="flex items-center justify-between py-1.5 px-2">
+                          <div
+                            key={app.id}
+                            className="flex items-center justify-between py-1.5 px-2"
+                          >
                             <Link
                               href={`/${params!.team}/apps/${app.id}/settings`}
                               className="font-medium text-xs text-zinc-900 dark:text-zinc-100 hover:text-emerald-500 dark:hover:text-emerald-400 transition"
@@ -272,15 +372,16 @@ export const AddTeamAppsDialog = ({ team }: { team: TeamType }) => {
 
         <div className="flex justify-between items-center pt-1">
           <span className="text-2xs text-neutral-500">
-            {selectedCount} app{selectedCount !== 1 ? 's' : ''} selected
+            {Object.keys(selectedEnvs).length} app
+            {Object.keys(selectedEnvs).length !== 1 ? 's' : ''} with access
           </span>
           <Button
             variant="primary"
             onClick={handleSubmit}
             isLoading={loading}
-            disabled={selectedCount === 0}
+            disabled={!hasChanges}
           >
-            Grant Access
+            Save
           </Button>
         </div>
       </div>

From 5efa27bf4c5909031d003de6ce6da247faeafbdc Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 20:34:37 +0530
Subject: [PATCH 037/118] feat: add team ownership set and  transfer flow

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/migrations/0123_add_team_owner.py |  19 +++
 .../migrations/0124_populate_team_owner.py    |  27 ++++
 backend/api/models.py                         |   7 +
 backend/backend/graphene/mutations/teams.py   |  57 +++++++-
 backend/backend/graphene/types.py             |   1 +
 backend/backend/schema.py                     |   2 +
 frontend/apollo/gql.ts                        |  12 +-
 frontend/apollo/graphql.ts                    |  26 +++-
 frontend/apollo/schema.graphql                |   6 +
 .../service-accounts/[account]/page.tsx       |   4 +-
 .../TransferTeamOwnershipDialog.tsx           | 130 ++++++++++++++++++
 .../app/[team]/access/teams/[teamId]/page.tsx |  37 ++++-
 .../[team]/apps/[app]/access/teams/page.tsx   |   2 +-
 .../mutations/teams/transferTeamOwnership.gql |   7 +
 frontend/graphql/queries/teams/getTeams.gql   |   6 +
 15 files changed, 322 insertions(+), 21 deletions(-)
 create mode 100644 backend/api/migrations/0123_add_team_owner.py
 create mode 100644 backend/api/migrations/0124_populate_team_owner.py
 create mode 100644 frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx
 create mode 100644 frontend/graphql/mutations/teams/transferTeamOwnership.gql

diff --git a/backend/api/migrations/0123_add_team_owner.py b/backend/api/migrations/0123_add_team_owner.py
new file mode 100644
index 000000000..f8bef1e83
--- /dev/null
+++ b/backend/api/migrations/0123_add_team_owner.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.2.29 on 2026-04-14 14:22
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0122_serviceaccount_team'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='team',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_teams', to='api.organisationmember'),
+        ),
+    ]
diff --git a/backend/api/migrations/0124_populate_team_owner.py b/backend/api/migrations/0124_populate_team_owner.py
new file mode 100644
index 000000000..48e2f2a8b
--- /dev/null
+++ b/backend/api/migrations/0124_populate_team_owner.py
@@ -0,0 +1,27 @@
+# Generated by Django 4.2.29 on 2026-04-14 14:22
+
+from django.db import migrations, models
+
+
+def populate_team_owner(apps, schema_editor):
+    """Set owner = created_by for all existing teams."""
+    Team = apps.get_model("api", "Team")
+    Team.objects.filter(owner__isnull=True, created_by__isnull=False).update(
+        owner=models.F("created_by")
+    )
+
+
+def reverse(apps, schema_editor):
+    """No-op reverse — owner data is additive."""
+    pass
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0123_add_team_owner'),
+    ]
+
+    operations = [
+        migrations.RunPython(populate_team_owner, reverse),
+    ]
diff --git a/backend/api/models.py b/backend/api/models.py
index fb4a7a4a8..683aa2469 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -1092,6 +1092,13 @@ class Team(models.Model):
     )
 
     is_scim_managed = models.BooleanField(default=False)
+    owner = models.ForeignKey(
+        OrganisationMember,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="owned_teams",
+    )
     created_by = models.ForeignKey(
         OrganisationMember,
         null=True,
diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 68424b29f..f351e3569 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -14,6 +14,7 @@
     TeamMembership,
 )
 from api.utils.access.permissions import (
+    role_has_global_access,
     user_can_access_app,
     user_has_permission,
     user_is_org_member,
@@ -40,11 +41,11 @@ def _check_team_membership(user, team):
         raise GraphQLError("You don't have access to this team")
 
 
-def _is_team_creator(user, team):
-    """Check if the user is the creator of the team."""
-    if team.created_by is None:
+def _is_team_owner(user, team):
+    """Check if the user is the owner of the team."""
+    if team.owner is None:
         return False
-    return team.created_by.user_id == user.userId
+    return team.owner.user_id == user.userId
 
 
 class CreateTeamMutation(graphene.Mutation):
@@ -103,6 +104,7 @@ def mutate(
             organisation=org,
             member_role=member_role,
             service_account_role=sa_role,
+            owner=org_member,
             created_by=org_member,
         )
 
@@ -180,6 +182,47 @@ def mutate(
         return UpdateTeamMutation(team=team)
 
 
+class TransferTeamOwnershipMutation(graphene.Mutation):
+    class Arguments:
+        team_id = graphene.ID(required=True)
+        new_owner_id = graphene.ID(required=True)
+
+    team = graphene.Field(TeamType)
+
+    @classmethod
+    def mutate(cls, root, info, team_id, new_owner_id):
+        user = info.context.user
+        team = Team.objects.get(id=team_id, deleted_at__isnull=True)
+        org = team.organisation
+
+        if not user_is_org_member(user.userId, org.id):
+            raise GraphQLError("You don't have access to this organisation")
+
+        org_member = _get_org_member(user, org)
+
+        # Only the current team owner or global access users can transfer ownership
+        is_owner = team.owner_id is not None and team.owner_id == org_member.id
+        if not is_owner and not role_has_global_access(org_member.role):
+            raise GraphQLError(
+                "Only the team owner or organisation admins can transfer team ownership"
+            )
+
+        # Validate the new owner is a team member
+        new_owner = OrganisationMember.objects.get(
+            id=new_owner_id, organisation=org, deleted_at=None
+        )
+        if not TeamMembership.objects.filter(
+            team=team, org_member=new_owner
+        ).exists():
+            raise GraphQLError(
+                "The new owner must be a member of the team"
+            )
+
+        team.owner = new_owner
+        team.save()
+        return TransferTeamOwnershipMutation(team=team)
+
+
 class DeleteTeamMutation(graphene.Mutation):
     class Arguments:
         team_id = graphene.ID(required=True)
@@ -363,7 +406,7 @@ def mutate(cls, root, info, team_id, app_envs):
             app = App.objects.get(id=app_env.app_id, organisation=org)
 
             # Check app-level Teams permission (team creators always have access)
-            if not _is_team_creator(user, team) and not user_has_permission(user, "create", "Teams", org, is_app_resource=True, app=app):
+            if not _is_team_owner(user, team) and not user_has_permission(user, "create", "Teams", org, is_app_resource=True, app=app):
                 raise GraphQLError(
                     f"You don't have permission to add teams to app '{app.name}'"
                 )
@@ -417,7 +460,7 @@ def mutate(cls, root, info, team_id, app_id):
         app = App.objects.get(id=app_id, organisation=org)
 
         # Check app-level Teams permission (team creators always have access)
-        if not _is_team_creator(user, team) and not user_has_permission(user, "delete", "Teams", org, is_app_resource=True, app=app):
+        if not _is_team_owner(user, team) and not user_has_permission(user, "delete", "Teams", org, is_app_resource=True, app=app):
             raise GraphQLError(
                 "You don't have permission to remove teams from this app"
             )
@@ -455,7 +498,7 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
         app = App.objects.get(id=app_id, organisation=org)
 
         # Check app-level Teams permission (team creators always have access)
-        if not _is_team_creator(user, team) and not user_has_permission(user, "update", "Teams", org, is_app_resource=True, app=app):
+        if not _is_team_owner(user, team) and not user_has_permission(user, "update", "Teams", org, is_app_resource=True, app=app):
             raise GraphQLError(
                 "You don't have permission to manage team environments for this app"
             )
diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 4cdfb144a..47294785d 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -1196,6 +1196,7 @@ class Meta:
             "member_role",
             "service_account_role",
             "is_scim_managed",
+            "owner",
             "created_by",
             "created_at",
             "updated_at",
diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 57ae954b4..e09d36f4b 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -133,6 +133,7 @@
     DeleteTeamMutation,
     RemoveTeamAppMutation,
     RemoveTeamMemberMutation,
+    TransferTeamOwnershipMutation,
     UpdateTeamAppEnvironmentsMutation,
     UpdateTeamMutation,
 )
@@ -1155,6 +1156,7 @@ class Mutation(graphene.ObjectType):
     # Teams
     create_team = CreateTeamMutation.Field()
     update_team = UpdateTeamMutation.Field()
+    transfer_team_ownership = TransferTeamOwnershipMutation.Field()
     delete_team = DeleteTeamMutation.Field()
     add_team_members = AddTeamMembersMutation.Field()
     remove_team_member = RemoveTeamMemberMutation.Field()
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index c41441b36..a90be6d66 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -109,6 +109,7 @@ type Documents = {
     "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": typeof types.DeleteTeamOpDocument,
     "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamAppOpDocument,
     "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamMemberOpDocument,
+    "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}": typeof types.TransferTeamOwnershipOpDocument,
     "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": typeof types.UpdateTeamOpDocument,
     "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": typeof types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": typeof types.CreateNewUserTokenDocument,
@@ -180,7 +181,7 @@ type Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": typeof types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": typeof types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": typeof types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": typeof types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": typeof types.GetUserTokensDocument,
 };
@@ -280,6 +281,7 @@ const documents: Documents = {
     "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": types.DeleteTeamOpDocument,
     "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamAppOpDocument,
     "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamMemberOpDocument,
+    "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}": types.TransferTeamOwnershipOpDocument,
     "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": types.UpdateTeamOpDocument,
     "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": types.CreateNewUserTokenDocument,
@@ -351,7 +353,7 @@ const documents: Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": types.GetUserTokensDocument,
 };
@@ -750,6 +752,10 @@ export function graphql(source: "mutation RemoveTeamAppOp($teamId: ID!, $appId:
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -1037,7 +1043,7 @@ export function graphql(source: "query GetVercelProjects($credentialId: ID!) {\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
+export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 00f8644cc..336d22c1b 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -1068,6 +1068,7 @@ export type Mutation = {
    * The new owner must have global access (Admin role) to ensure they have all necessary keys.
    */
   transferOrganisationOwnership?: Maybe<TransferOrganisationOwnershipMutation>;
+  transferTeamOwnership?: Maybe<TransferTeamOwnershipMutation>;
   triggerSync?: Maybe<TriggerSync>;
   updateAccountNetworkAccessPolicies?: Maybe<UpdateAccountNetworkAccessPolicies>;
   updateAppInfo?: Maybe<UpdateAppInfoMutation>;
@@ -1692,6 +1693,12 @@ export type MutationTransferOrganisationOwnershipArgs = {
 };
 
 
+export type MutationTransferTeamOwnershipArgs = {
+  newOwnerId: Scalars['ID']['input'];
+  teamId: Scalars['ID']['input'];
+};
+
+
 export type MutationTriggerSyncArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -2710,6 +2717,7 @@ export type TeamType = {
   memberRole?: Maybe<RoleType>;
   members?: Maybe<Array<TeamMembershipType>>;
   name: Scalars['String']['output'];
+  owner?: Maybe<OrganisationMemberType>;
   serviceAccountRole?: Maybe<RoleType>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2737,6 +2745,11 @@ export type TransferOrganisationOwnershipMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type TransferTeamOwnershipMutation = {
+  __typename?: 'TransferTeamOwnershipMutation';
+  team?: Maybe<TeamType>;
+};
+
 export type TriggerSync = {
   __typename?: 'TriggerSync';
   sync?: Maybe<EnvironmentSyncType>;
@@ -3785,6 +3798,14 @@ export type RemoveTeamMemberOpMutationVariables = Exact<{
 
 export type RemoveTeamMemberOpMutation = { __typename?: 'Mutation', removeTeamMember?: { __typename?: 'RemoveTeamMemberMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
 
+export type TransferTeamOwnershipOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  newOwnerId: Scalars['ID']['input'];
+}>;
+
+
+export type TransferTeamOwnershipOpMutation = { __typename?: 'Mutation', transferTeamOwnership?: { __typename?: 'TransferTeamOwnershipMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
 export type UpdateTeamOpMutationVariables = Exact<{
   teamId: Scalars['ID']['input'];
   name?: InputMaybe<Scalars['String']['input']>;
@@ -4320,7 +4341,7 @@ export type GetTeamsQueryVariables = Exact<{
 }>;
 
 
-export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
+export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, owner?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
 
 export type GetOrganisationMemberDetailQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
@@ -4433,6 +4454,7 @@ export const CreateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"O
 export const DeleteTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteTeamOpMutation, DeleteTeamOpMutationVariables>;
 export const RemoveTeamAppOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamAppOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamApp"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamAppOpMutation, RemoveTeamAppOpMutationVariables>;
 export const RemoveTeamMemberOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamMemberOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamMemberOpMutation, RemoveTeamMemberOpMutationVariables>;
+export const TransferTeamOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TransferTeamOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"transferTeamOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"newOwnerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<TransferTeamOwnershipOpMutation, TransferTeamOwnershipOpMutationVariables>;
 export const UpdateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamOpMutation, UpdateTeamOpMutationVariables>;
 export const UpdateTeamAppEnvironmentsOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamAppEnvironmentsOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeamAppEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamAppEnvironmentsOpMutation, UpdateTeamAppEnvironmentsOpMutationVariables>;
 export const CreateNewUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<CreateNewUserTokenMutation, CreateNewUserTokenMutationVariables>;
@@ -4504,6 +4526,6 @@ export const GetRailwayProjectsDocument = {"kind":"Document","definitions":[{"ki
 export const GetRenderResourcesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRenderResources"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renderServices"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}},{"kind":"Field","name":{"kind":"Name","value":"renderEnvgroups"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]} as unknown as DocumentNode<GetRenderResourcesQuery, GetRenderResourcesQueryVariables>;
 export const TestVaultAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"TestVaultAuth"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testVaultCreds"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}]}]}}]} as unknown as DocumentNode<TestVaultAuthQuery, TestVaultAuthQueryVariables>;
 export const GetVercelProjectsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetVercelProjects"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"vercelProjects"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"teamName"}},{"kind":"Field","name":{"kind":"Name","value":"projects"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"slug"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetVercelProjectsQuery, GetVercelProjectsQueryVariables>;
-export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
+export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"owner"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
 export const GetOrganisationMemberDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMemberDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMemberDetailQuery, GetOrganisationMemberDetailQueryVariables>;
 export const GetUserTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetUserTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyShare"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]} as unknown as DocumentNode<GetUserTokensQuery, GetUserTokensQueryVariables>;
\ No newline at end of file
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 1eb40991a..e59d2c536 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -324,6 +324,7 @@ type TeamType {
   memberRole: RoleType
   serviceAccountRole: RoleType
   isScimManaged: Boolean!
+  owner: OrganisationMemberType
   createdBy: OrganisationMemberType
   createdAt: DateTime
   updatedAt: DateTime!
@@ -1071,6 +1072,7 @@ type Mutation {
   deleteIdentity(id: ID!): DeleteIdentityMutation
   createTeam(description: String, memberRoleId: ID, name: String!, organisationId: ID!, serviceAccountRoleId: ID): CreateTeamMutation
   updateTeam(description: String, memberRoleId: ID, name: String, serviceAccountRoleId: ID, teamId: ID!): UpdateTeamMutation
+  transferTeamOwnership(newOwnerId: ID!, teamId: ID!): TransferTeamOwnershipMutation
   deleteTeam(teamId: ID!): DeleteTeamMutation
   addTeamMembers(memberIds: [ID!]!, memberType: MemberType = USER, teamId: ID!): AddTeamMembersMutation
   removeTeamMember(memberId: ID!, memberType: MemberType = USER, teamId: ID!): RemoveTeamMemberMutation
@@ -1340,6 +1342,10 @@ type UpdateTeamMutation {
   team: TeamType
 }
 
+type TransferTeamOwnershipMutation {
+  team: TeamType
+}
+
 type DeleteTeamMutation {
   ok: Boolean
 }
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index c3e18dd3d..dfbb700fc 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -114,8 +114,8 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
 
   const userCanManageOwnership = useMemo(() => {
     if (userIsGlobalAccess) return true
-    if (ownerTeam?.createdBy?.id && organisation?.memberId) {
-      return ownerTeam.createdBy.id === organisation.memberId
+    if (ownerTeam?.owner?.id && organisation?.memberId) {
+      return ownerTeam.owner.id === organisation.memberId
     }
     return false
   }, [userIsGlobalAccess, ownerTeam, organisation])
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx
new file mode 100644
index 000000000..ccd9d7fd9
--- /dev/null
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx
@@ -0,0 +1,130 @@
+'use client'
+
+import { TeamMembershipType, TeamType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Button } from '@/components/common/Button'
+import { ProfileCard } from '@/components/common/ProfileCard'
+import { RoleLabel } from '@/components/users/RoleLabel'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
+import { TransferTeamOwnershipOp } from '@/graphql/mutations/teams/transferTeamOwnership.gql'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef, useState } from 'react'
+import { FaCrown } from 'react-icons/fa'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+
+export const TransferTeamOwnershipDialog = ({ team }: { team: TeamType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const [transferOwnership, { loading }] = useMutation(TransferTeamOwnershipOp)
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+  const [selectedMemberId, setSelectedMemberId] = useState<string | null>(null)
+
+  const humanMembers = (team.members || []).filter(
+    (m): m is TeamMembershipType & { orgMember: NonNullable<TeamMembershipType['orgMember']> } =>
+      !!m.orgMember
+  )
+
+  const handleTransfer = async () => {
+    if (!selectedMemberId) return
+    try {
+      await transferOwnership({
+        variables: { teamId: team.id, newOwnerId: selectedMemberId },
+        refetchQueries: [
+          {
+            query: GetTeams,
+            variables: { organisationId: organisation!.id, teamId: team.id },
+          },
+        ],
+      })
+      const newOwner = humanMembers.find((m) => m.orgMember.id === selectedMemberId)
+      toast.success(
+        `Transferred ownership to ${newOwner?.fullName || newOwner?.email || 'member'}`
+      )
+      setSelectedMemberId(null)
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message)
+    }
+  }
+
+  return (
+    <GenericDialog
+      title="Transfer team ownership"
+      buttonContent={
+        <>
+          <FaCrown /> {team.owner ? 'Transfer ownership' : 'Set owner'}
+        </>
+      }
+      buttonVariant="secondary"
+      ref={dialogRef}
+      onClose={() => setSelectedMemberId(null)}
+    >
+      <div className="space-y-4 pt-4">
+        <p className="text-sm text-neutral-500">
+          {team.owner
+            ? 'Select a team member to transfer ownership to. The new owner will have full control over this team.'
+            : 'This team has no owner. Select a team member to assign as owner.'}
+        </p>
+
+        <div className="max-h-64 overflow-y-auto space-y-1">
+          {humanMembers.map((membership) => {
+            const isCurrentOwner = team.owner?.id === membership.orgMember.id
+            const isSelected = selectedMemberId === membership.orgMember.id
+
+            return (
+              <div
+                key={membership.id}
+                className={clsx(
+                  'p-2 rounded-lg cursor-pointer transition',
+                  isCurrentOwner
+                    ? 'opacity-50 cursor-not-allowed'
+                    : isSelected
+                      ? 'bg-emerald-500/10 ring-1 ring-inset ring-emerald-500/30'
+                      : 'hover:bg-zinc-100 dark:hover:bg-zinc-800'
+                )}
+                onClick={() => {
+                  if (!isCurrentOwner) setSelectedMemberId(membership.orgMember.id)
+                }}
+              >
+                <div className="grid grid-cols-[1fr_auto_auto] items-center gap-3 w-full">
+                  <ProfileCard
+                    user={{
+                      name: membership.fullName,
+                      email: membership.email,
+                      image: membership.avatarUrl,
+                    }}
+                    size="md"
+                  />
+                  <div>
+                    {membership.orgMember.role && (
+                      <RoleLabel role={membership.orgMember.role} size="xs" />
+                    )}
+                  </div>
+                  <div>
+                    {isCurrentOwner && (
+                      <span className="text-2xs text-amber-500 flex items-center gap-1">
+                        <FaCrown /> Current owner
+                      </span>
+                    )}
+                  </div>
+                </div>
+              </div>
+            )
+          })}
+        </div>
+
+        <div className="flex justify-end gap-2">
+          <Button
+            variant="primary"
+            onClick={handleTransfer}
+            isLoading={loading}
+            disabled={!selectedMemberId}
+          >
+            {team.owner ? 'Transfer Ownership' : 'Set Owner'}
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 7f9050a32..ad755b99d 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -34,6 +34,7 @@ import { DeleteTeamDialog } from '../_components/DeleteTeamDialog'
 import { CreateServiceAccountDialog } from '../../service-accounts/_components/CreateServiceAccountDialog'
 import { DeleteServiceAccountDialog } from '../../service-accounts/_components/DeleteServiceAccountDialog'
 import { RemoveTeamAppDialog } from './_components/RemoveTeamAppDialog'
+import { TransferTeamOwnershipDialog } from './_components/TransferTeamOwnershipDialog'
 
 export default function TeamDetail({ params }: { params: { team: string; teamId: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -103,8 +104,8 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
     team.members?.some((m) => m.orgMember?.id === organisation?.memberId) ||
     false
 
-  // Team owner (creator) retains full access; other members use effective permissions
-  const isTeamOwner = team.createdBy?.id === organisation?.memberId
+  // Team owner retains full access; other members use effective permissions
+  const isTeamOwner = team.owner?.id === organisation?.memberId
 
   // Effective permissions: team member role override takes precedence over org-level role
   const effectivePermissions = team.memberRole?.permissions ?? organisation.role!.permissions
@@ -223,7 +224,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                 humanMembers.map((membership: TeamMembershipType) => {
                   const memberId = membership.orgMember!.id
                   const displayName = membership.fullName || membership.email || 'Unknown'
-                  const isTeamCreator = team.createdBy?.id === membership.orgMember?.id
+                  const isMemberOwner = team.owner?.id === membership.orgMember?.id
 
                   return (
                     <div
@@ -243,7 +244,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                         {!team.memberRole && membership.orgMember?.role && (
                           <RoleLabel role={membership.orgMember.role} size="xs" />
                         )}
-                        {isTeamCreator && (
+                        {isMemberOwner && (
                           <FaCrown className="text-amber-500 text-xs shrink-0" title="Team owner" />
                         )}
                       </div>
@@ -263,7 +264,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                         </Link>
                         {canUpdateTeam &&
                           !team.isScimManaged &&
-                          !(team.createdBy?.id === membership.orgMember?.id) && (
+                          !isMemberOwner && (
                             <RemoveTeamMemberDialog
                               teamId={team.id}
                               memberId={memberId}
@@ -457,8 +458,32 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
           </div>
         </div>
 
+        {/* Ownership */}
+        {(userIsGlobalAccess || isTeamOwner) && (
+          <div className="pt-4 space-y-3 border-t border-neutral-500/40">
+            <div className="flex items-center justify-between">
+              <div>
+                <div className="text-base font-medium">Ownership</div>
+                <div className="text-neutral-500 text-sm">
+                  {team.owner ? (
+                    <>
+                      Owned by{' '}
+                      <span className="text-zinc-900 dark:text-zinc-100">
+                        {team.owner.fullName || team.owner.email}
+                      </span>
+                    </>
+                  ) : (
+                    'This team has no owner. Assign one to enable owner-level management.'
+                  )}
+                </div>
+              </div>
+              <TransferTeamOwnershipDialog team={team} />
+            </div>
+          </div>
+        )}
+
         {/* Danger Zone */}
-        {canDeleteTeam && !team.isScimManaged && (userIsGlobalAccess || team.createdBy?.id === organisation?.memberId) && (
+        {canDeleteTeam && !team.isScimManaged && (userIsGlobalAccess || isTeamOwner) && (
           <div className="pt-4 space-y-2 border-t border-neutral-500/40">
             <div>
               <div className="text-base font-medium">Danger Zone</div>
diff --git a/frontend/app/[team]/apps/[app]/access/teams/page.tsx b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
index e36cdd0c8..813cc952d 100644
--- a/frontend/app/[team]/apps/[app]/access/teams/page.tsx
+++ b/frontend/app/[team]/apps/[app]/access/teams/page.tsx
@@ -122,7 +122,7 @@ export default function AppTeams({ params }: { params: { team: string; app: stri
                 const memberCount = team.members?.filter((m) => m.orgMember).length || 0
                 const saCount = team.members?.filter((m) => m.serviceAccount).length || 0
                 const isTeamOwner =
-                  team.createdBy?.id === organisation?.memberId
+                  team.owner?.id === organisation?.memberId
 
                 return (
                   <tr key={team.id} className="group">
diff --git a/frontend/graphql/mutations/teams/transferTeamOwnership.gql b/frontend/graphql/mutations/teams/transferTeamOwnership.gql
new file mode 100644
index 000000000..d5fed88b8
--- /dev/null
+++ b/frontend/graphql/mutations/teams/transferTeamOwnership.gql
@@ -0,0 +1,7 @@
+mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {
+  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {
+    team {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/queries/teams/getTeams.gql b/frontend/graphql/queries/teams/getTeams.gql
index 2cb00a7b6..3f4e125d5 100644
--- a/frontend/graphql/queries/teams/getTeams.gql
+++ b/frontend/graphql/queries/teams/getTeams.gql
@@ -18,6 +18,12 @@ query GetTeams($organisationId: ID!, $teamId: ID) {
       permissions
     }
     isScimManaged
+    owner {
+      id
+      fullName
+      email
+      avatarUrl
+    }
     createdBy {
       id
       fullName

From dfd64074604e89402501b5ba2948521b3b9ec5f9 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:30:46 +0530
Subject: [PATCH 038/118] feat: add SCIM models and migrations

---
 .../api/migrations/0122_add_scim_models.py    |  72 +++++++++
 backend/api/migrations/0123_scim_phase2.py    |  51 +++++++
 backend/api/models.py                         | 139 ++++++++++++++++++
 3 files changed, 262 insertions(+)
 create mode 100644 backend/api/migrations/0122_add_scim_models.py
 create mode 100644 backend/api/migrations/0123_scim_phase2.py

diff --git a/backend/api/migrations/0122_add_scim_models.py b/backend/api/migrations/0122_add_scim_models.py
new file mode 100644
index 000000000..694bcd027
--- /dev/null
+++ b/backend/api/migrations/0122_add_scim_models.py
@@ -0,0 +1,72 @@
+# Generated by Django 4.2.29 on 2026-03-31 14:24
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0121_backfill_environment_key_grants'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SCIMUser',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('external_id', models.CharField(max_length=255)),
+                ('email', models.EmailField(max_length=254)),
+                ('display_name', models.CharField(blank=True, max_length=255)),
+                ('active', models.BooleanField(default=True)),
+                ('scim_data', models.JSONField(default=dict)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('org_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.organisationmember')),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_users', to='api.organisation')),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SCIMToken',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('token_hash', models.CharField(db_index=True, max_length=128, unique=True)),
+                ('token_prefix', models.CharField(max_length=12)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('expires_at', models.DateTimeField(blank=True, null=True)),
+                ('last_used_at', models.DateTimeField(blank=True, null=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('created_by', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='api.organisationmember')),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_tokens', to='api.organisation')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SCIMGroup',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('external_id', models.CharField(max_length=255)),
+                ('display_name', models.CharField(max_length=255)),
+                ('scim_data', models.JSONField(default=dict)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_groups', to='api.organisation')),
+                ('team', models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='scim_group', to='api.team')),
+            ],
+        ),
+        migrations.AddConstraint(
+            model_name='scimuser',
+            constraint=models.UniqueConstraint(fields=('external_id', 'organisation'), name='unique_scim_user_external_id'),
+        ),
+        migrations.AddConstraint(
+            model_name='scimuser',
+            constraint=models.UniqueConstraint(fields=('email', 'organisation'), name='unique_scim_user_email'),
+        ),
+        migrations.AddConstraint(
+            model_name='scimgroup',
+            constraint=models.UniqueConstraint(fields=('external_id', 'organisation'), name='unique_scim_group_external_id'),
+        ),
+    ]
diff --git a/backend/api/migrations/0123_scim_phase2.py b/backend/api/migrations/0123_scim_phase2.py
new file mode 100644
index 000000000..a6a876ebf
--- /dev/null
+++ b/backend/api/migrations/0123_scim_phase2.py
@@ -0,0 +1,51 @@
+# Generated by Django 4.2.29 on 2026-04-01 17:02
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0122_add_scim_models'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='organisation',
+            name='scim_enabled',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='scimtoken',
+            name='is_active',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.CreateModel(
+            name='SCIMEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('event_type', models.CharField(choices=[('user_created', 'User Created'), ('user_updated', 'User Updated'), ('user_deactivated', 'User Deactivated'), ('user_reactivated', 'User Reactivated'), ('group_created', 'Group Created'), ('group_updated', 'Group Updated'), ('group_deleted', 'Group Deleted'), ('member_added', 'Member Added to Group'), ('member_removed', 'Member Removed from Group')], max_length=32)),
+                ('status', models.CharField(choices=[('success', 'Success'), ('error', 'Error')], default='success', max_length=8)),
+                ('resource_type', models.CharField(choices=[('user', 'User'), ('group', 'Group')], max_length=16)),
+                ('resource_id', models.TextField(blank=True)),
+                ('resource_name', models.CharField(blank=True, max_length=255)),
+                ('detail', models.JSONField(default=dict)),
+                ('request_method', models.CharField(blank=True, max_length=8)),
+                ('request_path', models.TextField(blank=True)),
+                ('request_body', models.JSONField(blank=True, null=True)),
+                ('response_status', models.IntegerField(blank=True, null=True)),
+                ('response_body', models.JSONField(blank=True, null=True)),
+                ('ip_address', models.GenericIPAddressField(blank=True, null=True)),
+                ('user_agent', models.TextField(blank=True, null=True)),
+                ('timestamp', models.DateTimeField(auto_now_add=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_events', to='api.organisation')),
+                ('scim_token', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='events', to='api.scimtoken')),
+            ],
+            options={
+                'ordering': ['-timestamp'],
+                'indexes': [models.Index(fields=['organisation', '-timestamp'], name='scim_event_org_ts_idx'), models.Index(fields=['scim_token', '-timestamp'], name='scim_event_token_ts_idx')],
+            },
+        ),
+    ]
diff --git a/backend/api/models.py b/backend/api/models.py
index 683aa2469..339980cf3 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -112,6 +112,7 @@ class Organisation(models.Model):
     stripe_subscription_id = models.CharField(max_length=255, blank=True, null=True)
     pricing_version = models.IntegerField(default=1)
     require_sso = models.BooleanField(default=False)
+    scim_enabled = models.BooleanField(default=False)
     list_display = ("name", "identity_key", "id")
 
     def save(self, *args, **kwargs):
@@ -1196,6 +1197,144 @@ class EnvironmentKeyGrant(models.Model):
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
 
 
+class SCIMToken(models.Model):
+    """Bearer token for SCIM v2 provisioning API."""
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    organisation = models.ForeignKey(
+        Organisation, on_delete=models.CASCADE, related_name="scim_tokens"
+    )
+    name = models.CharField(max_length=64)
+    token_hash = models.CharField(max_length=128, unique=True, db_index=True)
+    token_prefix = models.CharField(max_length=12)
+    created_by = models.ForeignKey(
+        OrganisationMember, on_delete=models.SET_NULL, null=True
+    )
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    expires_at = models.DateTimeField(null=True, blank=True)
+    last_used_at = models.DateTimeField(null=True, blank=True)
+    is_active = models.BooleanField(default=True)
+    deleted_at = models.DateTimeField(null=True, blank=True)
+
+    def delete(self, *args, **kwargs):
+        self.deleted_at = timezone.now()
+        self.save()
+
+
+class SCIMUser(models.Model):
+    """Maps a SCIM external user ID to a Phase CustomUser + OrganisationMember."""
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    external_id = models.CharField(max_length=255)
+    organisation = models.ForeignKey(
+        Organisation, on_delete=models.CASCADE, related_name="scim_users"
+    )
+    user = models.ForeignKey(
+        CustomUser, on_delete=models.CASCADE, null=True, blank=True
+    )
+    org_member = models.ForeignKey(
+        OrganisationMember, on_delete=models.CASCADE, null=True, blank=True
+    )
+    email = models.EmailField()
+    display_name = models.CharField(max_length=255, blank=True)
+    active = models.BooleanField(default=True)
+    scim_data = models.JSONField(default=dict)
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        constraints = [
+            models.UniqueConstraint(
+                fields=["external_id", "organisation"],
+                name="unique_scim_user_external_id",
+            ),
+            models.UniqueConstraint(
+                fields=["email", "organisation"],
+                name="unique_scim_user_email",
+            ),
+        ]
+
+
+class SCIMGroup(models.Model):
+    """Maps a SCIM external group ID to a Phase Team."""
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    external_id = models.CharField(max_length=255)
+    organisation = models.ForeignKey(
+        Organisation, on_delete=models.CASCADE, related_name="scim_groups"
+    )
+    team = models.OneToOneField(
+        Team, on_delete=models.CASCADE, null=True, blank=True, related_name="scim_group"
+    )
+    display_name = models.CharField(max_length=255)
+    scim_data = models.JSONField(default=dict)
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        constraints = [
+            models.UniqueConstraint(
+                fields=["external_id", "organisation"],
+                name="unique_scim_group_external_id",
+            ),
+        ]
+
+
+class SCIMEvent(models.Model):
+    """Audit log for SCIM provisioning operations."""
+
+    EVENT_TYPES = [
+        ("user_created", "User Created"),
+        ("user_updated", "User Updated"),
+        ("user_deactivated", "User Deactivated"),
+        ("user_reactivated", "User Reactivated"),
+        ("group_created", "Group Created"),
+        ("group_updated", "Group Updated"),
+        ("group_deleted", "Group Deleted"),
+        ("member_added", "Member Added to Group"),
+        ("member_removed", "Member Removed from Group"),
+    ]
+
+    RESOURCE_TYPES = [("user", "User"), ("group", "Group")]
+
+    STATUS_CHOICES = [("success", "Success"), ("error", "Error")]
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    organisation = models.ForeignKey(
+        Organisation, on_delete=models.CASCADE, related_name="scim_events"
+    )
+    scim_token = models.ForeignKey(
+        SCIMToken, on_delete=models.SET_NULL, null=True, related_name="events"
+    )
+    event_type = models.CharField(max_length=32, choices=EVENT_TYPES)
+    status = models.CharField(max_length=8, choices=STATUS_CHOICES, default="success")
+    resource_type = models.CharField(max_length=16, choices=RESOURCE_TYPES)
+    resource_id = models.TextField(blank=True)
+    resource_name = models.CharField(max_length=255, blank=True)
+    detail = models.JSONField(default=dict)
+    request_method = models.CharField(max_length=8, blank=True)
+    request_path = models.TextField(blank=True)
+    request_body = models.JSONField(null=True, blank=True)
+    response_status = models.IntegerField(null=True, blank=True)
+    response_body = models.JSONField(null=True, blank=True)
+    ip_address = models.GenericIPAddressField(null=True, blank=True)
+    user_agent = models.TextField(null=True, blank=True)
+    timestamp = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        indexes = [
+            models.Index(
+                fields=["organisation", "-timestamp"],
+                name="scim_event_org_ts_idx",
+            ),
+            models.Index(
+                fields=["scim_token", "-timestamp"],
+                name="scim_event_token_ts_idx",
+            ),
+        ]
+        ordering = ["-timestamp"]
+
+
 class Lockbox(models.Model):
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
     data = models.JSONField()

From 3f776317b86935e71d7c00876c5ede142d4bd6eb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:30:54 +0530
Subject: [PATCH 039/118] feat: add SCIM quota check and RBAC permissions

---
 backend/api/utils/access/roles.py |  5 +++++
 backend/backend/quotas.py         | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/backend/api/utils/access/roles.py b/backend/api/utils/access/roles.py
index 5fbd6d452..2ece4d9de 100644
--- a/backend/api/utils/access/roles.py
+++ b/backend/api/utils/access/roles.py
@@ -18,6 +18,7 @@
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
             "SSO": ["create", "read", "update", "delete"],
             "Teams": ["create", "read", "update", "delete"],
+            "SCIM": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
@@ -53,6 +54,7 @@
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
             "SSO": ["create", "read", "update", "delete"],
             "Teams": ["create", "read", "update", "delete"],
+            "SCIM": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
@@ -87,6 +89,7 @@
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
             "SSO": [],
             "Teams": ["create", "read", "update", "delete"],
+            "SCIM": [],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update"],
@@ -125,6 +128,7 @@
             "NetworkAccessPolicies": ["read"],
             "SSO": [],
             "Teams": ["read"],
+            "SCIM": [],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update"],
@@ -159,6 +163,7 @@
             "NetworkAccessPolicies": ["read"],
             "SSO": [],
             "Teams": [],
+            "SCIM": [],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update", "delete"],
diff --git a/backend/backend/quotas.py b/backend/backend/quotas.py
index 30d72b6e0..6df78cda7 100644
--- a/backend/backend/quotas.py
+++ b/backend/backend/quotas.py
@@ -144,6 +144,16 @@ def can_use_teams(organisation):
     return organisation.plan in ("PR", "EN")
 
 
+def can_use_scim(organisation):
+    """SCIM provisioning requires an Enterprise plan or activated license."""
+    ActivatedPhaseLicense = apps.get_model("api", "ActivatedPhaseLicense")
+
+    if ActivatedPhaseLicense.objects.filter(organisation=organisation).exists():
+        return True
+
+    return organisation.plan == "EN"
+
+
 def can_add_service_token(app):
     """Check if a new service token can be added to the app."""
 

From 022836100dad0bf527cc2d634445e0f0bb472a32 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:30:58 +0530
Subject: [PATCH 040/118] feat: add SCIM v2 REST API with user and group
 provisioning

---
 backend/ee/authentication/scim/__init__.py    |   0
 backend/ee/authentication/scim/auth.py        |  78 ++++
 backend/ee/authentication/scim/constants.py   |  14 +
 backend/ee/authentication/scim/exceptions.py  |  35 ++
 backend/ee/authentication/scim/filters.py     |  73 ++++
 backend/ee/authentication/scim/logging.py     |  53 +++
 backend/ee/authentication/scim/serializers.py |  92 +++++
 backend/ee/authentication/scim/urls.py        |  22 ++
 backend/ee/authentication/scim/utils.py       | 120 ++++++
 .../ee/authentication/scim/views/__init__.py  |   0
 .../ee/authentication/scim/views/discovery.py | 261 +++++++++++++
 .../ee/authentication/scim/views/groups.py    | 360 ++++++++++++++++++
 backend/ee/authentication/scim/views/users.py | 315 +++++++++++++++
 13 files changed, 1423 insertions(+)
 create mode 100644 backend/ee/authentication/scim/__init__.py
 create mode 100644 backend/ee/authentication/scim/auth.py
 create mode 100644 backend/ee/authentication/scim/constants.py
 create mode 100644 backend/ee/authentication/scim/exceptions.py
 create mode 100644 backend/ee/authentication/scim/filters.py
 create mode 100644 backend/ee/authentication/scim/logging.py
 create mode 100644 backend/ee/authentication/scim/serializers.py
 create mode 100644 backend/ee/authentication/scim/urls.py
 create mode 100644 backend/ee/authentication/scim/utils.py
 create mode 100644 backend/ee/authentication/scim/views/__init__.py
 create mode 100644 backend/ee/authentication/scim/views/discovery.py
 create mode 100644 backend/ee/authentication/scim/views/groups.py
 create mode 100644 backend/ee/authentication/scim/views/users.py

diff --git a/backend/ee/authentication/scim/__init__.py b/backend/ee/authentication/scim/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/authentication/scim/auth.py b/backend/ee/authentication/scim/auth.py
new file mode 100644
index 000000000..4307a4fff
--- /dev/null
+++ b/backend/ee/authentication/scim/auth.py
@@ -0,0 +1,78 @@
+import hashlib
+import logging
+
+from django.utils import timezone
+from rest_framework import authentication, exceptions
+
+from api.models import SCIMToken
+from backend.quotas import can_use_scim
+
+logger = logging.getLogger(__name__)
+
+
+class SCIMServiceUser:
+    """Minimal user object satisfying DRF's request.user contract."""
+
+    def __init__(self, scim_token):
+        self.id = scim_token.id
+        self.is_authenticated = True
+        self.is_active = True
+        self.scim_token = scim_token
+        self.organisation = scim_token.organisation
+
+
+class SCIMTokenAuthentication(authentication.BaseAuthentication):
+    """
+    Authenticates SCIM v2 requests via Bearer token.
+    Header format: Authorization: Bearer <token>
+    """
+
+    def authenticate(self, request):
+        auth_header = request.headers.get("Authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return None
+
+        raw_token = auth_header[7:]
+
+        # Only match SCIM tokens (ph_scim: prefix)
+        if not raw_token.startswith("ph_scim:"):
+            return None
+
+        token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
+
+        try:
+            scim_token = SCIMToken.objects.select_related("organisation").get(
+                token_hash=token_hash,
+                deleted_at__isnull=True,
+            )
+        except SCIMToken.DoesNotExist:
+            raise exceptions.AuthenticationFailed("Invalid SCIM token")
+
+        if scim_token.expires_at and scim_token.expires_at < timezone.now():
+            raise exceptions.AuthenticationFailed("SCIM token has expired")
+
+        if not scim_token.organisation.scim_enabled:
+            raise exceptions.AuthenticationFailed(
+                "SCIM is not enabled for this organisation"
+            )
+
+        if not scim_token.is_active:
+            raise exceptions.AuthenticationFailed(
+                "This SCIM token is disabled"
+            )
+
+        if not can_use_scim(scim_token.organisation):
+            raise exceptions.AuthenticationFailed(
+                "SCIM provisioning requires an Enterprise plan"
+            )
+
+        # Track usage
+        scim_token.last_used_at = timezone.now()
+        scim_token.save(update_fields=["last_used_at"])
+
+        user = SCIMServiceUser(scim_token)
+        auth_info = {
+            "scim_token": scim_token,
+            "organisation": scim_token.organisation,
+        }
+        return (user, auth_info)
diff --git a/backend/ee/authentication/scim/constants.py b/backend/ee/authentication/scim/constants.py
new file mode 100644
index 000000000..3533e1f2c
--- /dev/null
+++ b/backend/ee/authentication/scim/constants.py
@@ -0,0 +1,14 @@
+# SCIM v2 Schema URNs (RFC 7643)
+SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
+SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
+SCIM_LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
+SCIM_PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
+SCIM_SERVICE_PROVIDER_CONFIG_SCHEMA = (
+    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
+)
+SCIM_SCHEMA_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Schema"
+SCIM_RESOURCE_TYPE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
+
+# Pagination defaults
+SCIM_MAX_RESULTS = 100
+SCIM_DEFAULT_COUNT = 100
diff --git a/backend/ee/authentication/scim/exceptions.py b/backend/ee/authentication/scim/exceptions.py
new file mode 100644
index 000000000..869a8575a
--- /dev/null
+++ b/backend/ee/authentication/scim/exceptions.py
@@ -0,0 +1,35 @@
+from django.http import JsonResponse
+
+SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
+
+
+def scim_error(status, detail, scim_type=None):
+    """Return a SCIM-formatted error response (RFC 7644 Section 3.12)."""
+    body = {
+        "schemas": [SCIM_ERROR_SCHEMA],
+        "status": str(status),
+        "detail": detail,
+    }
+    if scim_type:
+        body["scimType"] = scim_type
+    return JsonResponse(body, status=status)
+
+
+def scim_not_found(detail="Resource not found"):
+    return scim_error(404, detail)
+
+
+def scim_conflict(detail="Resource already exists"):
+    return scim_error(409, detail, scim_type="uniqueness")
+
+
+def scim_bad_request(detail="Invalid request"):
+    return scim_error(400, detail, scim_type="invalidValue")
+
+
+def scim_forbidden(detail="Operation not permitted"):
+    return scim_error(403, detail)
+
+
+def scim_server_error(detail="Internal server error"):
+    return scim_error(500, detail)
diff --git a/backend/ee/authentication/scim/filters.py b/backend/ee/authentication/scim/filters.py
new file mode 100644
index 000000000..549dbe145
--- /dev/null
+++ b/backend/ee/authentication/scim/filters.py
@@ -0,0 +1,73 @@
+import re
+
+
+def parse_scim_filter(filter_string):
+    """
+    Parse a minimal subset of SCIM filter expressions (RFC 7644 Section 3.4.2.2).
+
+    Supports:
+      - eq operator: 'userName eq "user@example.com"'
+      - and conjunction: 'userName eq "foo" and externalId eq "bar"'
+
+    Returns a list of (attribute, operator, value) tuples.
+    """
+    if not filter_string:
+        return []
+
+    clauses = []
+    # Split on ' and ' (case-insensitive)
+    parts = re.split(r"\s+and\s+", filter_string, flags=re.IGNORECASE)
+
+    for part in parts:
+        part = part.strip()
+        match = re.match(
+            r'^(\S+)\s+(eq|ne|co|sw|ew)\s+"([^"]*)"$', part, re.IGNORECASE
+        )
+        if match:
+            attr, op, value = match.groups()
+            clauses.append((attr.lower(), op.lower(), value))
+
+    return clauses
+
+
+def parse_patch_path_filter(path):
+    """
+    Parse Azure Entra ID-style PATCH member removal path.
+
+    Example: 'members[value eq "abc-123"]'
+    Returns the extracted value, or None if the path doesn't match.
+    """
+    match = re.match(r'^members\[value\s+eq\s+"([^"]+)"\]$', path, re.IGNORECASE)
+    if match:
+        return match.group(1)
+    return None
+
+
+# Maps SCIM user attribute names to Django ORM lookups
+SCIM_USER_ATTR_MAP = {
+    "username": "email__iexact",
+    "externalid": "external_id",
+    "emails.value": "email__iexact",
+    "displayname": "display_name__icontains",
+}
+
+# Maps SCIM group attribute names to Django ORM lookups
+SCIM_GROUP_ATTR_MAP = {
+    "displayname": "display_name__icontains",
+    "externalid": "external_id",
+}
+
+
+def scim_filter_to_queryset(queryset, filter_string, attr_map):
+    """
+    Apply SCIM filter clauses to a Django queryset.
+    Only 'eq' is supported — other operators are silently ignored.
+    """
+    clauses = parse_scim_filter(filter_string)
+    for attr, op, value in clauses:
+        if op != "eq":
+            continue
+        lookup = attr_map.get(attr)
+        if lookup:
+            queryset = queryset.filter(**{lookup: value})
+    return queryset
diff --git a/backend/ee/authentication/scim/logging.py b/backend/ee/authentication/scim/logging.py
new file mode 100644
index 000000000..b30733e16
--- /dev/null
+++ b/backend/ee/authentication/scim/logging.py
@@ -0,0 +1,53 @@
+import json
+import logging
+
+from api.models import SCIMEvent
+from api.utils.access.ip import get_client_ip
+
+logger = logging.getLogger(__name__)
+
+MAX_BODY_SIZE = 32768  # 32KB
+
+
+def log_scim_event(
+    request,
+    event_type,
+    resource_type,
+    resource_id="",
+    resource_name="",
+    detail=None,
+    status="success",
+    response_status=None,
+    response_body=None,
+):
+    """Log a SCIM provisioning event."""
+    try:
+        SCIMEvent.objects.create(
+            organisation=request.auth["organisation"],
+            scim_token=request.auth.get("scim_token"),
+            event_type=event_type,
+            status=status,
+            resource_type=resource_type,
+            resource_id=str(resource_id),
+            resource_name=resource_name,
+            detail=detail or {},
+            request_method=request.method,
+            request_path=request.path,
+            request_body=_safe_parse_body(request),
+            response_status=response_status,
+            response_body=response_body,
+            ip_address=get_client_ip(request),
+            user_agent=request.META.get("HTTP_USER_AGENT", ""),
+        )
+    except Exception:
+        logger.exception("Failed to log SCIM event")
+
+
+def _safe_parse_body(request):
+    """Parse request body as JSON, returning None if not JSON or too large."""
+    try:
+        if len(request.body) > MAX_BODY_SIZE:
+            return {"_truncated": True, "size": len(request.body)}
+        return json.loads(request.body)
+    except (json.JSONDecodeError, Exception):
+        return None
diff --git a/backend/ee/authentication/scim/serializers.py b/backend/ee/authentication/scim/serializers.py
new file mode 100644
index 000000000..2e392db7e
--- /dev/null
+++ b/backend/ee/authentication/scim/serializers.py
@@ -0,0 +1,92 @@
+from ee.authentication.scim.constants import (
+    SCIM_GROUP_SCHEMA,
+    SCIM_LIST_RESPONSE_SCHEMA,
+    SCIM_USER_SCHEMA,
+)
+
+
+def serialize_scim_user(scim_user, base_url=""):
+    """Serialize a SCIMUser model instance to a SCIM v2 User resource."""
+    resource = {
+        "schemas": [SCIM_USER_SCHEMA],
+        "id": str(scim_user.id),
+        "externalId": scim_user.external_id,
+        "userName": scim_user.email,
+        "displayName": scim_user.display_name,
+        "active": scim_user.active,
+        "emails": [
+            {
+                "value": scim_user.email,
+                "type": "work",
+                "primary": True,
+            }
+        ],
+        "meta": {
+            "resourceType": "User",
+            "created": (
+                scim_user.created_at.isoformat() if scim_user.created_at else None
+            ),
+            "lastModified": (
+                scim_user.updated_at.isoformat() if scim_user.updated_at else None
+            ),
+            "location": f"{base_url}/scim/v2/Users/{scim_user.id}",
+        },
+    }
+
+    # Include name if available from scim_data
+    name_data = scim_user.scim_data.get("name")
+    if name_data:
+        resource["name"] = name_data
+
+    return resource
+
+
+def serialize_scim_group(scim_group, base_url=""):
+    """Serialize a SCIMGroup model instance to a SCIM v2 Group resource."""
+    members = []
+    if scim_group.team:
+        from api.models import SCIMUser
+
+        for membership in scim_group.team.memberships.select_related(
+            "org_member"
+        ).filter(org_member__isnull=False):
+            scim_user = SCIMUser.objects.filter(
+                org_member=membership.org_member,
+                organisation=scim_group.organisation,
+            ).first()
+            if scim_user:
+                members.append(
+                    {
+                        "value": str(scim_user.id),
+                        "display": scim_user.display_name or scim_user.email,
+                    }
+                )
+
+    return {
+        "schemas": [SCIM_GROUP_SCHEMA],
+        "id": str(scim_group.id),
+        "externalId": scim_group.external_id,
+        "displayName": scim_group.display_name,
+        "members": members,
+        "meta": {
+            "resourceType": "Group",
+            "created": (
+                scim_group.created_at.isoformat() if scim_group.created_at else None
+            ),
+            "lastModified": (
+                scim_group.updated_at.isoformat() if scim_group.updated_at else None
+            ),
+            "location": f"{base_url}/scim/v2/Groups/{scim_group.id}",
+        },
+    }
+
+
+def serialize_list_response(resources, total_results, start_index=1, items_per_page=100):
+    """Serialize a SCIM v2 ListResponse."""
+    return {
+        "schemas": [SCIM_LIST_RESPONSE_SCHEMA],
+        "totalResults": total_results,
+        "startIndex": start_index,
+        "itemsPerPage": items_per_page,
+        "Resources": resources,
+    }
diff --git a/backend/ee/authentication/scim/urls.py b/backend/ee/authentication/scim/urls.py
new file mode 100644
index 000000000..34148c313
--- /dev/null
+++ b/backend/ee/authentication/scim/urls.py
@@ -0,0 +1,22 @@
+from django.urls import path
+
+from ee.authentication.scim.views.discovery import (
+    resource_types,
+    schemas,
+    service_provider_config,
+)
+from ee.authentication.scim.views.groups import groups_detail, groups_list
+from ee.authentication.scim.views.users import users_detail, users_list
+
+urlpatterns = [
+    # Discovery endpoints (RFC 7643)
+    path("ServiceProviderConfig", service_provider_config, name="scim-service-provider-config"),
+    path("Schemas", schemas, name="scim-schemas"),
+    path("ResourceTypes", resource_types, name="scim-resource-types"),
+    # User provisioning (RFC 7644)
+    path("Users", users_list, name="scim-users-list"),
+    path("Users/<str:scim_user_id>", users_detail, name="scim-users-detail"),
+    # Group provisioning (RFC 7644)
+    path("Groups", groups_list, name="scim-groups-list"),
+    path("Groups/<str:scim_group_id>", groups_detail, name="scim-groups-detail"),
+]
diff --git a/backend/ee/authentication/scim/utils.py b/backend/ee/authentication/scim/utils.py
new file mode 100644
index 000000000..cb84583a2
--- /dev/null
+++ b/backend/ee/authentication/scim/utils.py
@@ -0,0 +1,120 @@
+import logging
+
+from django.utils import timezone
+
+from api.models import (
+    CustomUser,
+    OrganisationMember,
+    Role,
+    SCIMUser,
+    TeamMembership,
+)
+from api.utils.keys import revoke_team_environment_keys
+
+logger = logging.getLogger(__name__)
+
+
+def provision_scim_user(organisation, external_id, email, display_name, scim_data=None):
+    """
+    Create or link a SCIM user to a Phase CustomUser + OrganisationMember.
+
+    - If a CustomUser with this email exists, link to it.
+    - If an OrganisationMember exists but is soft-deleted, reactivate it.
+    - Otherwise create both from scratch.
+
+    Returns the SCIMUser instance.
+    """
+    email = email.lower().strip()
+
+    # Get default role for SCIM-provisioned users
+    default_role = Role.objects.get(
+        organisation=organisation, name__iexact="developer"
+    )
+
+    # Try to find existing CustomUser by email
+    user = CustomUser.objects.filter(email__iexact=email).first()
+
+    if user is None:
+        # Create new CustomUser (no password — SSO-only)
+        user = CustomUser.objects.create(
+            username=email,
+            email=email,
+        )
+        user.set_unusable_password()
+        user.save()
+
+    # Try to find existing OrganisationMember
+    org_member = OrganisationMember.objects.filter(
+        user=user, organisation=organisation
+    ).first()
+
+    if org_member is None:
+        # Create pre-provisioned OrgMember (no identity_key yet)
+        org_member = OrganisationMember.objects.create(
+            user=user,
+            organisation=organisation,
+            role=default_role,
+            identity_key="",
+            wrapped_keyring="",
+            wrapped_recovery="",
+        )
+    elif org_member.deleted_at is not None:
+        # Reactivate soft-deleted member
+        org_member.deleted_at = None
+        org_member.save(update_fields=["deleted_at"])
+
+    scim_user = SCIMUser.objects.create(
+        external_id=external_id,
+        organisation=organisation,
+        user=user,
+        org_member=org_member,
+        email=email,
+        display_name=display_name or "",
+        active=True,
+        scim_data=scim_data or {},
+    )
+
+    return scim_user
+
+
+def deactivate_scim_user(scim_user):
+    """
+    Deactivate a SCIM user: soft-delete OrgMember and revoke team keys.
+    Does NOT delete CustomUser (may belong to other orgs).
+    """
+    scim_user.active = False
+    scim_user.save(update_fields=["active"])
+
+    if scim_user.org_member:
+        # Revoke team environment keys for all teams
+        team_memberships = TeamMembership.objects.filter(
+            org_member=scim_user.org_member,
+            team__deleted_at__isnull=True,
+        ).select_related("team")
+
+        for tm in team_memberships:
+            revoke_team_environment_keys(tm.team, member=scim_user.org_member)
+
+        # Wipe crypto material so user must redo key ceremony if reactivated
+        scim_user.org_member.identity_key = ""
+        scim_user.org_member.wrapped_keyring = ""
+        scim_user.org_member.wrapped_recovery = ""
+
+        # Soft-delete the org member
+        scim_user.org_member.deleted_at = timezone.now()
+        scim_user.org_member.save(update_fields=[
+            "identity_key", "wrapped_keyring", "wrapped_recovery", "deleted_at",
+        ])
+
+
+def reactivate_scim_user(scim_user):
+    """
+    Reactivate a previously deactivated SCIM user.
+    Team keys will be provisioned at next login via provision_pending_team_keys().
+    """
+    scim_user.active = True
+    scim_user.save(update_fields=["active"])
+
+    if scim_user.org_member and scim_user.org_member.deleted_at is not None:
+        scim_user.org_member.deleted_at = None
+        scim_user.org_member.save(update_fields=["deleted_at"])
diff --git a/backend/ee/authentication/scim/views/__init__.py b/backend/ee/authentication/scim/views/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/ee/authentication/scim/views/discovery.py b/backend/ee/authentication/scim/views/discovery.py
new file mode 100644
index 000000000..5a51d78c2
--- /dev/null
+++ b/backend/ee/authentication/scim/views/discovery.py
@@ -0,0 +1,261 @@
+from django.http import JsonResponse
+from rest_framework.decorators import api_view, authentication_classes, permission_classes
+
+from ee.authentication.scim.constants import (
+    SCIM_GROUP_SCHEMA,
+    SCIM_RESOURCE_TYPE_SCHEMA,
+    SCIM_SCHEMA_SCHEMA,
+    SCIM_SERVICE_PROVIDER_CONFIG_SCHEMA,
+    SCIM_USER_SCHEMA,
+)
+
+
+@api_view(["GET"])
+@authentication_classes([])
+@permission_classes([])
+def service_provider_config(request):
+    """GET /scim/v2/ServiceProviderConfig — RFC 7643 Section 5."""
+    return JsonResponse(
+        {
+            "schemas": [SCIM_SERVICE_PROVIDER_CONFIG_SCHEMA],
+            "documentationUri": "https://docs.phase.dev/scim",
+            "patch": {"supported": True},
+            "bulk": {
+                "supported": False,
+                "maxOperations": 0,
+                "maxPayloadSize": 0,
+            },
+            "filter": {
+                "supported": True,
+                "maxResults": 100,
+            },
+            "changePassword": {"supported": False},
+            "sort": {"supported": False},
+            "etag": {"supported": False},
+            "authenticationSchemes": [
+                {
+                    "type": "oauthbearertoken",
+                    "name": "OAuth Bearer Token",
+                    "description": "Authentication scheme using a bearer token",
+                    "specUri": "https://www.rfc-editor.org/info/rfc6750",
+                    "primary": True,
+                }
+            ],
+        }
+    )
+
+
+@api_view(["GET"])
+@authentication_classes([])
+@permission_classes([])
+def schemas(request):
+    """GET /scim/v2/Schemas — RFC 7643 Section 7."""
+    return JsonResponse(
+        {
+            "schemas": [SCIM_SCHEMA_SCHEMA],
+            "totalResults": 2,
+            "itemsPerPage": 2,
+            "startIndex": 1,
+            "Resources": [
+                {
+                    "id": SCIM_USER_SCHEMA,
+                    "name": "User",
+                    "description": "User Account",
+                    "attributes": [
+                        {
+                            "name": "userName",
+                            "type": "string",
+                            "multiValued": False,
+                            "required": True,
+                            "caseExact": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "uniqueness": "server",
+                        },
+                        {
+                            "name": "displayName",
+                            "type": "string",
+                            "multiValued": False,
+                            "required": False,
+                            "caseExact": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "uniqueness": "none",
+                        },
+                        {
+                            "name": "active",
+                            "type": "boolean",
+                            "multiValued": False,
+                            "required": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                        },
+                        {
+                            "name": "emails",
+                            "type": "complex",
+                            "multiValued": True,
+                            "required": True,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "subAttributes": [
+                                {
+                                    "name": "value",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": True,
+                                },
+                                {
+                                    "name": "type",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": False,
+                                },
+                                {
+                                    "name": "primary",
+                                    "type": "boolean",
+                                    "multiValued": False,
+                                    "required": False,
+                                },
+                            ],
+                        },
+                        {
+                            "name": "name",
+                            "type": "complex",
+                            "multiValued": False,
+                            "required": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "subAttributes": [
+                                {
+                                    "name": "givenName",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": False,
+                                },
+                                {
+                                    "name": "familyName",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": False,
+                                },
+                                {
+                                    "name": "formatted",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": False,
+                                },
+                            ],
+                        },
+                        {
+                            "name": "externalId",
+                            "type": "string",
+                            "multiValued": False,
+                            "required": False,
+                            "caseExact": True,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "uniqueness": "global",
+                        },
+                    ],
+                    "meta": {
+                        "resourceType": "Schema",
+                        "location": "/scim/v2/Schemas/" + SCIM_USER_SCHEMA,
+                    },
+                },
+                {
+                    "id": SCIM_GROUP_SCHEMA,
+                    "name": "Group",
+                    "description": "Group (maps to Phase Team)",
+                    "attributes": [
+                        {
+                            "name": "displayName",
+                            "type": "string",
+                            "multiValued": False,
+                            "required": True,
+                            "caseExact": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "uniqueness": "none",
+                        },
+                        {
+                            "name": "members",
+                            "type": "complex",
+                            "multiValued": True,
+                            "required": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "subAttributes": [
+                                {
+                                    "name": "value",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": True,
+                                    "mutability": "immutable",
+                                },
+                                {
+                                    "name": "display",
+                                    "type": "string",
+                                    "multiValued": False,
+                                    "required": False,
+                                    "mutability": "readOnly",
+                                },
+                            ],
+                        },
+                        {
+                            "name": "externalId",
+                            "type": "string",
+                            "multiValued": False,
+                            "required": False,
+                            "caseExact": True,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "uniqueness": "global",
+                        },
+                    ],
+                    "meta": {
+                        "resourceType": "Schema",
+                        "location": "/scim/v2/Schemas/" + SCIM_GROUP_SCHEMA,
+                    },
+                },
+            ],
+        }
+    )
+
+
+@api_view(["GET"])
+@authentication_classes([])
+@permission_classes([])
+def resource_types(request):
+    """GET /scim/v2/ResourceTypes — RFC 7643 Section 6."""
+    return JsonResponse(
+        {
+            "schemas": [SCIM_RESOURCE_TYPE_SCHEMA],
+            "totalResults": 2,
+            "itemsPerPage": 2,
+            "startIndex": 1,
+            "Resources": [
+                {
+                    "schemas": [SCIM_RESOURCE_TYPE_SCHEMA],
+                    "id": "User",
+                    "name": "User",
+                    "endpoint": "/scim/v2/Users",
+                    "schema": SCIM_USER_SCHEMA,
+                    "meta": {
+                        "resourceType": "ResourceType",
+                        "location": "/scim/v2/ResourceTypes/User",
+                    },
+                },
+                {
+                    "schemas": [SCIM_RESOURCE_TYPE_SCHEMA],
+                    "id": "Group",
+                    "name": "Group",
+                    "endpoint": "/scim/v2/Groups",
+                    "schema": SCIM_GROUP_SCHEMA,
+                    "meta": {
+                        "resourceType": "ResourceType",
+                        "location": "/scim/v2/ResourceTypes/Group",
+                    },
+                },
+            ],
+        }
+    )
diff --git a/backend/ee/authentication/scim/views/groups.py b/backend/ee/authentication/scim/views/groups.py
new file mode 100644
index 000000000..8ba224100
--- /dev/null
+++ b/backend/ee/authentication/scim/views/groups.py
@@ -0,0 +1,360 @@
+import json
+import logging
+
+from django.db import IntegrityError
+from django.http import HttpResponse, JsonResponse
+from rest_framework.decorators import (
+    api_view,
+    authentication_classes,
+    permission_classes,
+)
+from rest_framework.permissions import IsAuthenticated
+
+from api.models import (
+    SCIMGroup,
+    SCIMUser,
+    Team,
+    TeamAppEnvironment,
+    TeamMembership,
+)
+from api.utils.keys import provision_team_environment_keys, revoke_team_environment_keys
+from ee.authentication.scim.auth import SCIMTokenAuthentication
+from ee.authentication.scim.constants import SCIM_DEFAULT_COUNT
+from ee.authentication.scim.exceptions import (
+    scim_bad_request,
+    scim_conflict,
+    scim_not_found,
+    scim_server_error,
+)
+from ee.authentication.scim.logging import log_scim_event
+from ee.authentication.scim.filters import (
+    SCIM_GROUP_ATTR_MAP,
+    parse_patch_path_filter,
+    scim_filter_to_queryset,
+)
+from ee.authentication.scim.serializers import (
+    serialize_list_response,
+    serialize_scim_group,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _get_base_url(request):
+    return f"{request.scheme}://{request.get_host()}"
+
+
+def _provision_keys_for_membership(team, membership):
+    """Provision environment keys for a new team member across all team apps."""
+    app_ids = (
+        TeamAppEnvironment.objects.filter(team=team)
+        .values_list("app_id", flat=True)
+        .distinct()
+    )
+    for app_id in app_ids:
+        from api.models import App
+
+        try:
+            app = App.objects.get(id=app_id, is_deleted=False)
+            if app.sse_enabled:
+                provision_team_environment_keys(team, app, members=[membership])
+        except App.DoesNotExist:
+            continue
+        except Exception:
+            logger.exception("Failed to provision keys for team %s, app %s", team.id, app_id)
+
+
+def _add_member_to_team(team, scim_user, org):
+    """Add a SCIM user to a team, creating TeamMembership and provisioning keys."""
+    if not scim_user.org_member:
+        return None
+
+    membership, created = TeamMembership.objects.get_or_create(
+        team=team,
+        org_member=scim_user.org_member,
+    )
+
+    if created:
+        _provision_keys_for_membership(team, membership)
+
+    return membership
+
+
+def _remove_member_from_team(team, scim_user):
+    """Remove a SCIM user from a team, revoking keys and deleting membership."""
+    if not scim_user.org_member:
+        return
+
+    membership = TeamMembership.objects.filter(
+        team=team, org_member=scim_user.org_member
+    ).first()
+
+    if membership:
+        revoke_team_environment_keys(team, member=scim_user.org_member)
+        membership.delete()
+
+
+@api_view(["GET", "POST"])
+@authentication_classes([SCIMTokenAuthentication])
+@permission_classes([IsAuthenticated])
+def groups_list(request):
+    """
+    GET  /scim/v2/Groups — List/filter groups
+    POST /scim/v2/Groups — Create a new group
+    """
+    org = request.auth["organisation"]
+
+    if request.method == "GET":
+        return _list_groups(request, org)
+    else:
+        return _create_group(request, org)
+
+
+@api_view(["GET", "PUT", "PATCH", "DELETE"])
+@authentication_classes([SCIMTokenAuthentication])
+@permission_classes([IsAuthenticated])
+def groups_detail(request, scim_group_id):
+    """
+    GET    /scim/v2/Groups/:id — Get group
+    PUT    /scim/v2/Groups/:id — Replace group
+    PATCH  /scim/v2/Groups/:id — Partial update (Azure Entra's primary method)
+    DELETE /scim/v2/Groups/:id — Delete group
+    """
+    org = request.auth["organisation"]
+
+    try:
+        scim_group = SCIMGroup.objects.select_related("team").get(
+            id=scim_group_id, organisation=org
+        )
+    except SCIMGroup.DoesNotExist:
+        return scim_not_found("Group not found")
+
+    if request.method == "GET":
+        return JsonResponse(
+            serialize_scim_group(scim_group, _get_base_url(request))
+        )
+    elif request.method == "PUT":
+        return _replace_group(request, scim_group)
+    elif request.method == "PATCH":
+        return _patch_group(request, scim_group)
+    elif request.method == "DELETE":
+        return _delete_group(request, scim_group)
+
+
+def _list_groups(request, org):
+    filter_str = request.GET.get("filter", "")
+    start_index = max(int(request.GET.get("startIndex", 1)), 1)
+    count = min(int(request.GET.get("count", SCIM_DEFAULT_COUNT)), SCIM_DEFAULT_COUNT)
+
+    qs = SCIMGroup.objects.filter(organisation=org).order_by("created_at")
+    if filter_str:
+        qs = scim_filter_to_queryset(qs, filter_str, SCIM_GROUP_ATTR_MAP)
+
+    total = qs.count()
+    offset = start_index - 1
+    page = qs[offset : offset + count]
+
+    base_url = _get_base_url(request)
+    resources = [serialize_scim_group(g, base_url) for g in page]
+    return JsonResponse(serialize_list_response(resources, total, start_index, count))
+
+
+def _create_group(request, org):
+    try:
+        data = json.loads(request.body)
+    except json.JSONDecodeError:
+        return scim_bad_request("Invalid JSON body")
+
+    display_name = data.get("displayName", "").strip()
+    external_id = data.get("externalId", "")
+
+    if not display_name:
+        return scim_bad_request("displayName is required")
+    if not external_id:
+        return scim_bad_request("externalId is required")
+
+    # Create Team
+    try:
+        team = Team.objects.create(
+            name=display_name[:64],
+            organisation=org,
+            is_scim_managed=True,
+            created_by=None,
+        )
+    except Exception as e:
+        logger.exception("Failed to create team for SCIM group")
+        return scim_server_error(str(e))
+
+    # Create SCIMGroup
+    try:
+        scim_group = SCIMGroup.objects.create(
+            external_id=external_id,
+            organisation=org,
+            team=team,
+            display_name=display_name,
+            scim_data=data,
+        )
+    except IntegrityError:
+        team.delete()
+        log_scim_event(
+            request, "group_created", "group", "", display_name,
+            status="error", response_status=409,
+            response_body={"detail": f"Group with externalId '{external_id}' already exists"},
+        )
+        return scim_conflict(
+            f"Group with externalId '{external_id}' already exists"
+        )
+
+    # Add initial members
+    members = data.get("members", [])
+    for member_ref in members:
+        member_id = member_ref.get("value")
+        if member_id:
+            scim_user = SCIMUser.objects.filter(
+                id=member_id, organisation=org
+            ).first()
+            if scim_user:
+                _add_member_to_team(team, scim_user, org)
+
+    response_data = serialize_scim_group(scim_group, _get_base_url(request))
+    log_scim_event(
+        request, "group_created", "group", scim_group.id, display_name,
+        response_status=201, response_body=response_data,
+    )
+    return JsonResponse(response_data, status=201)
+
+
+def _replace_group(request, scim_group):
+    try:
+        data = json.loads(request.body)
+    except json.JSONDecodeError:
+        return scim_bad_request("Invalid JSON body")
+
+    org = scim_group.organisation
+    display_name = data.get("displayName", "").strip()
+    external_id = data.get("externalId", scim_group.external_id)
+
+    if display_name:
+        scim_group.display_name = display_name
+        if scim_group.team:
+            scim_group.team.name = display_name[:64]
+            scim_group.team.save(update_fields=["name", "updated_at"])
+
+    scim_group.external_id = external_id
+    scim_group.scim_data = data
+    scim_group.save()
+
+    if scim_group.team:
+        # Diff membership: incoming vs current
+        incoming_ids = {m.get("value") for m in data.get("members", []) if m.get("value")}
+
+        current_memberships = TeamMembership.objects.filter(
+            team=scim_group.team, org_member__isnull=False
+        ).select_related("org_member")
+
+        current_scim_ids = set()
+        for tm in current_memberships:
+            scim_user = SCIMUser.objects.filter(
+                org_member=tm.org_member, organisation=org
+            ).first()
+            if scim_user:
+                current_scim_ids.add(scim_user.id)
+
+        # Add new members
+        for scim_id in incoming_ids - current_scim_ids:
+            scim_user = SCIMUser.objects.filter(id=scim_id, organisation=org).first()
+            if scim_user:
+                _add_member_to_team(scim_group.team, scim_user, org)
+
+        # Remove departed members
+        for scim_id in current_scim_ids - incoming_ids:
+            scim_user = SCIMUser.objects.filter(id=scim_id, organisation=org).first()
+            if scim_user:
+                _remove_member_from_team(scim_group.team, scim_user)
+
+    response_data = serialize_scim_group(scim_group, _get_base_url(request))
+    log_scim_event(
+        request, "group_updated", "group", scim_group.id, scim_group.display_name,
+        response_status=200, response_body=response_data,
+    )
+    return JsonResponse(response_data)
+
+
+def _patch_group(request, scim_group):
+    try:
+        data = json.loads(request.body)
+    except json.JSONDecodeError:
+        return scim_bad_request("Invalid JSON body")
+
+    org = scim_group.organisation
+    operations = data.get("Operations", [])
+    if not operations:
+        return scim_bad_request("No operations provided")
+
+    for op in operations:
+        op_type = op.get("op", "").lower()
+        path = op.get("path", "")
+        value = op.get("value")
+
+        if op_type == "replace":
+            if path.lower() == "displayname":
+                scim_group.display_name = value
+                scim_group.save(update_fields=["display_name"])
+                if scim_group.team:
+                    scim_group.team.name = str(value)[:64]
+                    scim_group.team.save(update_fields=["name", "updated_at"])
+
+        elif op_type == "add" and path.lower() == "members":
+            members = value if isinstance(value, list) else [value]
+            for member_ref in members:
+                member_id = member_ref.get("value") if isinstance(member_ref, dict) else member_ref
+                if member_id and scim_group.team:
+                    scim_user = SCIMUser.objects.filter(
+                        id=member_id, organisation=org
+                    ).first()
+                    if scim_user:
+                        _add_member_to_team(scim_group.team, scim_user, org)
+                        log_scim_event(
+                            request, "member_added", "group", scim_group.id,
+                            scim_group.display_name,
+                            detail={"member_email": scim_user.email, "member_id": str(scim_user.id)},
+                            response_status=200,
+                        )
+
+        elif op_type == "remove":
+            # Azure Entra format: members[value eq "abc-123"]
+            member_id = parse_patch_path_filter(path)
+            if member_id and scim_group.team:
+                scim_user = SCIMUser.objects.filter(
+                    id=member_id, organisation=org
+                ).first()
+                if scim_user:
+                    _remove_member_from_team(scim_group.team, scim_user)
+                    log_scim_event(
+                        request, "member_removed", "group", scim_group.id,
+                        scim_group.display_name,
+                        detail={"member_email": scim_user.email, "member_id": str(scim_user.id)},
+                        response_status=200,
+                    )
+
+    response_data = serialize_scim_group(scim_group, _get_base_url(request))
+    log_scim_event(
+        request, "group_updated", "group", scim_group.id, scim_group.display_name,
+        response_status=200, response_body=response_data,
+    )
+    return JsonResponse(response_data)
+
+
+def _delete_group(request, scim_group):
+    log_scim_event(
+        request, "group_deleted", "group", scim_group.id, scim_group.display_name,
+        response_status=204,
+    )
+    if scim_group.team:
+        revoke_team_environment_keys(scim_group.team)
+        from django.utils import timezone
+        scim_group.team.deleted_at = timezone.now()
+        scim_group.team.save(update_fields=["deleted_at"])
+
+    scim_group.delete()
+    return HttpResponse(status=204)
diff --git a/backend/ee/authentication/scim/views/users.py b/backend/ee/authentication/scim/views/users.py
new file mode 100644
index 000000000..3fd7ea030
--- /dev/null
+++ b/backend/ee/authentication/scim/views/users.py
@@ -0,0 +1,315 @@
+import json
+import logging
+
+from django.db import IntegrityError
+from django.http import JsonResponse
+from django.http import HttpResponse
+from rest_framework.decorators import (
+    api_view,
+    authentication_classes,
+    permission_classes,
+)
+from rest_framework.permissions import IsAuthenticated
+
+from api.models import SCIMUser
+from backend.quotas import can_add_account
+from ee.authentication.scim.auth import SCIMTokenAuthentication
+from ee.authentication.scim.exceptions import (
+    scim_bad_request,
+    scim_conflict,
+    scim_forbidden,
+    scim_not_found,
+    scim_server_error,
+)
+from ee.authentication.scim.filters import (
+    SCIM_USER_ATTR_MAP,
+    scim_filter_to_queryset,
+)
+from ee.authentication.scim.constants import SCIM_DEFAULT_COUNT
+from ee.authentication.scim.serializers import (
+    serialize_list_response,
+    serialize_scim_user,
+)
+from ee.authentication.scim.logging import log_scim_event
+from ee.authentication.scim.utils import (
+    deactivate_scim_user,
+    provision_scim_user,
+    reactivate_scim_user,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _get_base_url(request):
+    return f"{request.scheme}://{request.get_host()}"
+
+
+def _extract_user_fields(data):
+    """Extract user fields from a SCIM User resource."""
+    email = data.get("userName", "").strip()
+    if not email:
+        # Try emails array
+        emails = data.get("emails", [])
+        for e in emails:
+            if e.get("primary") or not email:
+                email = e.get("value", "").strip()
+
+    external_id = data.get("externalId", "")
+    display_name = data.get("displayName", "")
+
+    # Build display name from name object if not provided
+    if not display_name:
+        name = data.get("name", {})
+        parts = [name.get("givenName", ""), name.get("familyName", "")]
+        display_name = " ".join(p for p in parts if p).strip()
+
+    active = data.get("active", True)
+
+    return email, external_id, display_name, active
+
+
+@api_view(["GET", "POST"])
+@authentication_classes([SCIMTokenAuthentication])
+@permission_classes([IsAuthenticated])
+def users_list(request):
+    """
+    GET  /scim/v2/Users — List/filter users
+    POST /scim/v2/Users — Create a new user
+    """
+    org = request.auth["organisation"]
+
+    if request.method == "GET":
+        return _list_users(request, org)
+    else:
+        return _create_user(request, org)
+
+
+@api_view(["GET", "PUT", "PATCH", "DELETE"])
+@authentication_classes([SCIMTokenAuthentication])
+@permission_classes([IsAuthenticated])
+def users_detail(request, scim_user_id):
+    """
+    GET    /scim/v2/Users/:id — Get user
+    PUT    /scim/v2/Users/:id — Replace user
+    PATCH  /scim/v2/Users/:id — Partial update
+    DELETE /scim/v2/Users/:id — Deactivate user
+    """
+    org = request.auth["organisation"]
+
+    try:
+        scim_user = SCIMUser.objects.select_related("user", "org_member").get(
+            id=scim_user_id, organisation=org
+        )
+    except SCIMUser.DoesNotExist:
+        return scim_not_found("User not found")
+
+    if request.method == "GET":
+        return JsonResponse(
+            serialize_scim_user(scim_user, _get_base_url(request))
+        )
+    elif request.method == "PUT":
+        return _replace_user(request, scim_user)
+    elif request.method == "PATCH":
+        return _patch_user(request, scim_user)
+    elif request.method == "DELETE":
+        return _delete_user(request, scim_user)
+
+
+def _list_users(request, org):
+    filter_str = request.GET.get("filter", "")
+    start_index = max(int(request.GET.get("startIndex", 1)), 1)
+    count = min(int(request.GET.get("count", SCIM_DEFAULT_COUNT)), SCIM_DEFAULT_COUNT)
+
+    qs = SCIMUser.objects.filter(organisation=org).order_by("created_at")
+    if filter_str:
+        qs = scim_filter_to_queryset(qs, filter_str, SCIM_USER_ATTR_MAP)
+
+    total = qs.count()
+    # SCIM pagination is 1-indexed
+    offset = start_index - 1
+    page = qs[offset : offset + count]
+
+    base_url = _get_base_url(request)
+    resources = [serialize_scim_user(u, base_url) for u in page]
+    return JsonResponse(serialize_list_response(resources, total, start_index, count))
+
+
+def _create_user(request, org):
+    try:
+        data = json.loads(request.body)
+    except json.JSONDecodeError:
+        return scim_bad_request("Invalid JSON body")
+
+    email, external_id, display_name, active = _extract_user_fields(data)
+
+    if not email:
+        return scim_bad_request("userName (email) is required")
+    if not external_id:
+        return scim_bad_request("externalId is required")
+
+    # Check seat quota
+    if not can_add_account(org):
+        return scim_forbidden("Organisation has reached its seat limit")
+
+    try:
+        scim_user = provision_scim_user(
+            organisation=org,
+            external_id=external_id,
+            email=email,
+            display_name=display_name,
+            scim_data=data,
+        )
+    except IntegrityError:
+        log_scim_event(
+            request, "user_created", "user", "", email,
+            status="error", response_status=409,
+            response_body={"detail": f"User with externalId '{external_id}' or email '{email}' already exists"},
+        )
+        return scim_conflict(
+            f"User with externalId '{external_id}' or email '{email}' already exists"
+        )
+    except Exception as e:
+        logger.exception("SCIM user creation failed")
+        log_scim_event(
+            request, "user_created", "user", "", email,
+            status="error", response_status=500,
+            response_body={"detail": str(e)},
+        )
+        return scim_server_error(str(e))
+
+    if not active:
+        deactivate_scim_user(scim_user)
+
+    response_data = serialize_scim_user(scim_user, _get_base_url(request))
+    log_scim_event(
+        request, "user_created", "user", scim_user.id, email,
+        response_status=201, response_body=response_data,
+    )
+    return JsonResponse(response_data, status=201)
+
+
+def _replace_user(request, scim_user):
+    try:
+        data = json.loads(request.body)
+    except json.JSONDecodeError:
+        return scim_bad_request("Invalid JSON body")
+
+    email, external_id, display_name, active = _extract_user_fields(data)
+
+    if email and email != scim_user.email:
+        scim_user.email = email
+        if scim_user.user:
+            scim_user.user.email = email
+            scim_user.user.username = email
+            scim_user.user.save(update_fields=["email", "username"])
+
+    if external_id:
+        scim_user.external_id = external_id
+    if display_name:
+        scim_user.display_name = display_name
+
+    scim_user.scim_data = data
+    scim_user.save()
+
+    # Handle activation state change
+    if active and not scim_user.active:
+        reactivate_scim_user(scim_user)
+    elif not active and scim_user.active:
+        deactivate_scim_user(scim_user)
+
+    response_data = serialize_scim_user(scim_user, _get_base_url(request))
+    log_scim_event(
+        request, "user_updated", "user", scim_user.id, scim_user.email,
+        response_status=200, response_body=response_data,
+    )
+    return JsonResponse(response_data)
+
+
+def _patch_user(request, scim_user):
+    try:
+        data = json.loads(request.body)
+    except json.JSONDecodeError:
+        return scim_bad_request("Invalid JSON body")
+
+    operations = data.get("Operations", [])
+    if not operations:
+        return scim_bad_request("No operations provided")
+
+    for op in operations:
+        op_type = op.get("op", "").lower()
+        path = op.get("path", "").lower()
+        value = op.get("value")
+
+        if op_type == "replace":
+            if path == "active":
+                active = value if isinstance(value, bool) else str(value).lower() == "true"
+                if active and not scim_user.active:
+                    reactivate_scim_user(scim_user)
+                elif not active and scim_user.active:
+                    deactivate_scim_user(scim_user)
+            elif path == "username":
+                scim_user.email = value
+                if scim_user.user:
+                    scim_user.user.email = value
+                    scim_user.user.username = value
+                    scim_user.user.save(update_fields=["email", "username"])
+                scim_user.save(update_fields=["email"])
+            elif path == "displayname":
+                scim_user.display_name = value
+                scim_user.save(update_fields=["display_name"])
+            elif path == "name.givenname" or path == "name.familyname":
+                name_data = scim_user.scim_data.get("name", {})
+                if path == "name.givenname":
+                    name_data["givenName"] = value
+                else:
+                    name_data["familyName"] = value
+                scim_user.scim_data["name"] = name_data
+                # Update display_name from name parts
+                given = name_data.get("givenName", "")
+                family = name_data.get("familyName", "")
+                scim_user.display_name = f"{given} {family}".strip()
+                scim_user.save(update_fields=["scim_data", "display_name"])
+            elif not path:
+                # Valueless replace — value is a dict of attributes
+                if isinstance(value, dict):
+                    if "active" in value:
+                        active = value["active"]
+                        if isinstance(active, str):
+                            active = active.lower() == "true"
+                        if active and not scim_user.active:
+                            reactivate_scim_user(scim_user)
+                        elif not active and scim_user.active:
+                            deactivate_scim_user(scim_user)
+
+    response_data = serialize_scim_user(scim_user, _get_base_url(request))
+
+    # Determine the most specific event type from operations
+    event_type = "user_updated"
+    for op in operations:
+        op_type = op.get("op", "").lower()
+        path = op.get("path", "").lower()
+        value = op.get("value")
+        if op_type == "replace" and path == "active":
+            active = value if isinstance(value, bool) else str(value).lower() == "true"
+            event_type = "user_reactivated" if active else "user_deactivated"
+        elif op_type == "replace" and not path and isinstance(value, dict) and "active" in value:
+            active = value["active"]
+            if isinstance(active, str):
+                active = active.lower() == "true"
+            event_type = "user_reactivated" if active else "user_deactivated"
+
+    log_scim_event(
+        request, event_type, "user", scim_user.id, scim_user.email,
+        response_status=200, response_body=response_data,
+    )
+    return JsonResponse(response_data)
+
+
+def _delete_user(request, scim_user):
+    if scim_user.active:
+        deactivate_scim_user(scim_user)
+    log_scim_event(
+        request, "user_deactivated", "user", scim_user.id, scim_user.email,
+        response_status=204,
+    )
+    return HttpResponse(status=204)

From 93ddbe3bb30d155c63e41f8b20650d3b3ef0fa13 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:03 +0530
Subject: [PATCH 041/118] feat: mount SCIM URLs and add social account
 auto-linking adapter

---
 backend/api/authentication/adapters/social.py | 57 +++++++++++++++++++
 backend/backend/settings.py                   |  1 +
 backend/backend/urls.py                       |  6 ++
 3 files changed, 64 insertions(+)
 create mode 100644 backend/api/authentication/adapters/social.py

diff --git a/backend/api/authentication/adapters/social.py b/backend/api/authentication/adapters/social.py
new file mode 100644
index 000000000..b0aa05279
--- /dev/null
+++ b/backend/api/authentication/adapters/social.py
@@ -0,0 +1,57 @@
+import logging
+
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+from allauth.socialaccount.models import SocialAccount
+from django.contrib.auth import get_user_model
+
+logger = logging.getLogger(__name__)
+
+User = get_user_model()
+
+
+class AutoLinkSocialAccountAdapter(DefaultSocialAccountAdapter):
+    """
+    Custom SocialAccountAdapter that automatically links social logins
+    to existing users with matching email addresses.
+
+    This is essential for SCIM-provisioned users: SCIM creates the
+    CustomUser + OrganisationMember but no SocialAccount. Without this
+    adapter, the first SSO login would fail with "User is already
+    registered with this e-mail address."
+    """
+
+    def pre_social_login(self, request, sociallogin):
+        # If the social account is already linked, nothing to do
+        if sociallogin.is_existing:
+            return
+
+        email = sociallogin.user.email
+        if not email:
+            return
+
+        try:
+            existing_user = User.objects.get(email=email)
+        except User.DoesNotExist:
+            return
+
+        # Link the social account to the existing user
+        sociallogin.user = existing_user
+        social_account, created = SocialAccount.objects.get_or_create(
+            provider=sociallogin.account.provider,
+            uid=sociallogin.account.uid,
+            defaults={
+                "user": existing_user,
+                "extra_data": sociallogin.account.extra_data,
+            },
+        )
+
+        if not created:
+            social_account.extra_data = sociallogin.account.extra_data
+            social_account.save()
+
+        sociallogin.account = social_account
+
+        logger.info(
+            f"Auto-linked social account ({sociallogin.account.provider}) "
+            f"to existing user {email}"
+        )
diff --git a/backend/backend/settings.py b/backend/backend/settings.py
index 712cd2128..5638157e5 100644
--- a/backend/backend/settings.py
+++ b/backend/backend/settings.py
@@ -193,6 +193,7 @@ def get_version():
 }
 
 
+SOCIALACCOUNT_ADAPTER = "api.authentication.adapters.social.AutoLinkSocialAccountAdapter"
 SOCIALACCOUNT_EMAIL_VERIFICATION = "none"
 SOCIALACCOUNT_EMAIL_REQUIRED = True
 SOCIALACCOUNT_QUERY_EMAIL = True
diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index 87506c106..43eb80ba7 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -76,6 +76,12 @@
     path("public/identities/external/v1/azure/entra/auth/", azure_entra_auth),
 ]
 
+# SCIM v2 Provisioning API (Enterprise)
+scim_urls = [
+    path("scim/v2/", include("ee.authentication.scim.urls")),
+]
+urlpatterns.extend(scim_urls)
+
 # Add public URLs to main urlpatterns
 urlpatterns.extend(public_urls)
 

From 8a0ecb0a091ceed71b8c542166c4815d81a01e1c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:09 +0530
Subject: [PATCH 042/118] feat: add SCIM GraphQL types, token management
 mutations, and event queries

---
 backend/backend/graphene/mutations/scim.py | 150 +++++++++++++++++++++
 backend/backend/graphene/queries/scim.py   |  78 +++++++++++
 backend/backend/graphene/types.py          |  66 ++++++++-
 backend/backend/schema.py                  |  34 ++++-
 4 files changed, 325 insertions(+), 3 deletions(-)
 create mode 100644 backend/backend/graphene/mutations/scim.py
 create mode 100644 backend/backend/graphene/queries/scim.py

diff --git a/backend/backend/graphene/mutations/scim.py b/backend/backend/graphene/mutations/scim.py
new file mode 100644
index 000000000..377e25b0b
--- /dev/null
+++ b/backend/backend/graphene/mutations/scim.py
@@ -0,0 +1,150 @@
+import hashlib
+import secrets
+
+import graphene
+from graphql import GraphQLError
+
+from api.models import Organisation, OrganisationMember, SCIMToken
+from api.utils.access.permissions import user_has_permission
+from backend.graphene.types import SCIMTokenType
+from backend.quotas import can_use_scim
+from django.utils import timezone
+
+
+def _generate_scim_token():
+    """Generate a SCIM bearer token: ph_scim:v1:<prefix>:<random>."""
+    prefix = secrets.token_hex(4)  # 8 chars
+    body = secrets.token_hex(32)  # 64 chars
+    full_token = f"ph_scim:v1:{prefix}:{body}"
+    token_hash = hashlib.sha256(full_token.encode()).hexdigest()
+    return full_token, token_hash, prefix
+
+
+class CreateSCIMTokenMutation(graphene.Mutation):
+    class Arguments:
+        organisation_id = graphene.ID(required=True)
+        name = graphene.String(required=True)
+        expiry_days = graphene.Int(required=False)
+
+    token = graphene.String()
+    scim_token = graphene.Field(SCIMTokenType)
+
+    @classmethod
+    def mutate(cls, root, info, organisation_id, name, expiry_days=None):
+        org = Organisation.objects.get(id=organisation_id)
+
+        # Check permission: Admin+ for SCIM token management
+        if not user_has_permission(
+            info.context.user, "update", "SCIM", org
+        ):
+            raise GraphQLError(
+                "You don't have permission to manage SCIM tokens."
+            )
+
+        if not can_use_scim(org):
+            raise GraphQLError(
+                "SCIM provisioning requires an Enterprise plan."
+            )
+
+        org_member = OrganisationMember.objects.get(
+            user=info.context.user, organisation=org, deleted_at=None
+        )
+
+        full_token, token_hash, prefix = _generate_scim_token()
+
+        expires_at = None
+        if expiry_days:
+            expires_at = timezone.now() + timezone.timedelta(days=expiry_days)
+
+        scim_token = SCIMToken.objects.create(
+            organisation=org,
+            name=name.strip(),
+            token_hash=token_hash,
+            token_prefix=prefix,
+            created_by=org_member,
+            expires_at=expires_at,
+        )
+
+        return CreateSCIMTokenMutation(token=full_token, scim_token=scim_token)
+
+
+class DeleteSCIMTokenMutation(graphene.Mutation):
+    class Arguments:
+        token_id = graphene.ID(required=True)
+
+    ok = graphene.Boolean()
+
+    @classmethod
+    def mutate(cls, root, info, token_id):
+        scim_token = SCIMToken.objects.get(id=token_id, deleted_at__isnull=True)
+        org = scim_token.organisation
+
+        if not user_has_permission(
+            info.context.user, "update", "SCIM", org
+        ):
+            raise GraphQLError(
+                "You don't have permission to manage SCIM tokens."
+            )
+
+        scim_token.deleted_at = timezone.now()
+        scim_token.save(update_fields=["deleted_at"])
+
+        return DeleteSCIMTokenMutation(ok=True)
+
+
+class ToggleSCIMMutation(graphene.Mutation):
+    """Master switch: enable/disable SCIM for the organisation."""
+
+    class Arguments:
+        organisation_id = graphene.ID(required=True)
+        enabled = graphene.Boolean(required=True)
+
+    ok = graphene.Boolean()
+
+    @classmethod
+    def mutate(cls, root, info, organisation_id, enabled):
+        org = Organisation.objects.get(id=organisation_id)
+
+        if not user_has_permission(
+            info.context.user, "update", "SCIM", org
+        ):
+            raise GraphQLError(
+                "You don't have permission to manage SCIM settings."
+            )
+
+        if not can_use_scim(org):
+            raise GraphQLError(
+                "SCIM provisioning requires an Enterprise plan."
+            )
+
+        org.scim_enabled = enabled
+        org.save(update_fields=["scim_enabled"])
+
+        return ToggleSCIMMutation(ok=True)
+
+
+class ToggleSCIMTokenMutation(graphene.Mutation):
+    """Per-provider toggle: enable/disable a single SCIM token."""
+
+    class Arguments:
+        token_id = graphene.ID(required=True)
+        is_active = graphene.Boolean(required=True)
+
+    ok = graphene.Boolean()
+
+    @classmethod
+    def mutate(cls, root, info, token_id, is_active):
+        scim_token = SCIMToken.objects.get(id=token_id, deleted_at__isnull=True)
+        org = scim_token.organisation
+
+        if not user_has_permission(
+            info.context.user, "update", "SCIM", org
+        ):
+            raise GraphQLError(
+                "You don't have permission to manage SCIM tokens."
+            )
+
+        scim_token.is_active = is_active
+        scim_token.save(update_fields=["is_active"])
+
+        return ToggleSCIMTokenMutation(ok=True)
diff --git a/backend/backend/graphene/queries/scim.py b/backend/backend/graphene/queries/scim.py
new file mode 100644
index 000000000..4ca543f3a
--- /dev/null
+++ b/backend/backend/graphene/queries/scim.py
@@ -0,0 +1,78 @@
+from graphql import GraphQLError
+from api.models import OrganisationMember, SCIMEvent, SCIMToken
+from api.utils.access.permissions import user_has_permission, user_is_org_member
+from datetime import datetime
+
+
+def resolve_scim_tokens(root, info, organisation_id):
+    """Return SCIM tokens for the organisation. Requires SCIM.read permission (Admin+)."""
+    user = info.context.user
+
+    if not user_is_org_member(user.userId, organisation_id):
+        raise GraphQLError("You don't have access to this organisation")
+
+    org_member = OrganisationMember.objects.get(
+        user_id=user.userId, organisation_id=organisation_id, deleted_at=None
+    )
+
+    if not user_has_permission(user, "read", "SCIM", org_member.organisation):
+        raise GraphQLError("You don't have permission to view SCIM tokens.")
+
+    return SCIMToken.objects.filter(
+        organisation_id=organisation_id, deleted_at__isnull=True
+    ).order_by("-created_at")
+
+
+PAGE_SIZE = 25
+
+
+def resolve_scim_events(
+    root,
+    info,
+    organisation_id,
+    start=None,
+    end=None,
+    event_types=None,
+    token_id=None,
+    status=None,
+):
+    """Return SCIM audit events with cursor-based pagination and filtering. Requires SCIM.read permission."""
+    user = info.context.user
+
+    if not user_is_org_member(user.userId, organisation_id):
+        raise GraphQLError("You don't have access to this organisation")
+
+    org_member = OrganisationMember.objects.get(
+        user_id=user.userId, organisation_id=organisation_id, deleted_at=None
+    )
+
+    if not user_has_permission(user, "read", "SCIM", org_member.organisation):
+        raise GraphQLError("You don't have permission to view SCIM events.")
+
+    qs = SCIMEvent.objects.filter(organisation_id=organisation_id)
+
+    if start is not None:
+        qs = qs.filter(timestamp__gte=datetime.fromtimestamp(start / 1000))
+
+    if end is not None:
+        qs = qs.filter(timestamp__lte=datetime.fromtimestamp(end / 1000))
+
+    if event_types:
+        # Frontend sends uppercase enum values (e.g. USER_CREATED),
+        # DB stores lowercase (e.g. user_created)
+        lowered = [et.lower() for et in event_types]
+        qs = qs.filter(event_type__in=lowered)
+
+    if token_id:
+        qs = qs.filter(scim_token_id=token_id)
+
+    if status:
+        # Frontend sends uppercase (SUCCESS/ERROR), DB stores lowercase
+        qs = qs.filter(status=status.lower())
+
+    count = qs.count()
+    events = list(
+        qs.select_related("scim_token").order_by("-timestamp", "-id")[:PAGE_SIZE]
+    )
+
+    return {"events": events, "count": count}
diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 47294785d..d4af74876 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -43,6 +43,8 @@
     Team,
     TeamMembership,
     TeamAppEnvironment,
+    SCIMToken,
+    SCIMEvent,
 )
 from logs.dynamodb_models import KMSLog
 from django.utils import timezone
@@ -146,6 +148,7 @@ class Meta:
             "recovery",
             "pricing_version",
             "require_sso",
+            "scim_enabled",
         )
 
     def resolve_sso_providers(self, info):
@@ -213,6 +216,7 @@ class OrganisationMemberType(DjangoObjectType):
     role = graphene.Field(RoleType)
     self = graphene.Boolean()
     last_login = graphene.DateTime()
+    scim_managed = graphene.Boolean()
     app_memberships = graphene.List(graphene.NonNull(lambda: AppMembershipType))
     tokens = graphene.List(graphene.NonNull(lambda: UserTokenType))
     network_policies = graphene.List(graphene.NonNull(lambda: NetworkAccessPolicyType))
@@ -246,6 +250,10 @@ def resolve_full_name(self, info):
                 return name
         if self.user.full_name:
             return self.user.full_name
+        # Fall back to SCIM display name
+        scim_user = self.scimuser_set.first()
+        if scim_user and scim_user.display_name:
+            return scim_user.display_name
         return None
 
     def resolve_avatar_url(self, info):
@@ -262,6 +270,9 @@ def resolve_self(self, info):
     def resolve_last_login(self, info):
         return self.user.last_login
 
+    def resolve_scim_managed(self, info):
+        return self.scimuser_set.exists()
+
     def resolve_app_memberships(self, info):
         # Find all EnvironmentKeys for this user
         user_env_keys = EnvironmentKey.objects.filter(
@@ -1205,7 +1216,11 @@ class Meta:
     def resolve_members(self, info):
         return self.memberships.select_related(
             "org_member__user", "service_account"
-        ).all()
+        ).exclude(
+            org_member__deleted_at__isnull=False,
+        ).exclude(
+            service_account__deleted_at__isnull=False,
+        )
 
     def resolve_apps(self, info):
         app_ids = (
@@ -1217,4 +1232,51 @@ def resolve_app_environments(self, info):
         return self.app_environments.select_related("app", "environment").all()
 
     def resolve_member_count(self, info):
-        return self.memberships.count()
+        return self.memberships.exclude(
+            org_member__deleted_at__isnull=False,
+        ).exclude(
+            service_account__deleted_at__isnull=False,
+        ).count()
+
+
+class SCIMTokenType(DjangoObjectType):
+    class Meta:
+        model = SCIMToken
+        fields = (
+            "id",
+            "name",
+            "token_prefix",
+            "created_by",
+            "created_at",
+            "expires_at",
+            "last_used_at",
+            "is_active",
+        )
+
+
+class SCIMEventType(DjangoObjectType):
+    class Meta:
+        model = SCIMEvent
+        fields = (
+            "id",
+            "scim_token",
+            "event_type",
+            "status",
+            "resource_type",
+            "resource_id",
+            "resource_name",
+            "detail",
+            "request_method",
+            "request_path",
+            "request_body",
+            "response_status",
+            "response_body",
+            "ip_address",
+            "user_agent",
+            "timestamp",
+        )
+
+
+class SCIMEventsResponseType(ObjectType):
+    events = graphene.List(SCIMEventType)
+    count = graphene.Int()
diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index e09d36f4b..a36c836b6 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -126,6 +126,13 @@
 from .graphene.queries.license import resolve_license, resolve_organisation_license
 from .graphene.queries.auth import resolve_verify_password
 from .graphene.queries.teams import resolve_teams
+from .graphene.queries.scim import resolve_scim_tokens, resolve_scim_events
+from .graphene.mutations.scim import (
+    CreateSCIMTokenMutation,
+    DeleteSCIMTokenMutation,
+    ToggleSCIMMutation,
+    ToggleSCIMTokenMutation,
+)
 from .graphene.mutations.teams import (
     AddTeamAppsMutation,
     AddTeamMembersMutation,
@@ -239,6 +246,8 @@
     ServiceTokenType,
     ServiceType,
     TeamType,
+    SCIMTokenType,
+    SCIMEventsResponseType,
     TimeRange,
     UserTokenType,
     AWSValidationResultType,
@@ -297,6 +306,21 @@ class Query(graphene.ObjectType):
         team_id=graphene.ID(required=False),
     )
 
+    scim_tokens = graphene.List(
+        SCIMTokenType,
+        organisation_id=graphene.ID(),
+    )
+
+    scim_events = graphene.Field(
+        SCIMEventsResponseType,
+        organisation_id=graphene.ID(),
+        start=graphene.BigInt(required=False),
+        end=graphene.BigInt(required=False),
+        event_types=graphene.List(graphene.String, required=False),
+        token_id=graphene.ID(required=False),
+        status=graphene.String(required=False),
+    )
+
     organisation_name_available = graphene.Boolean(name=graphene.String())
 
     verify_password = graphene.Boolean(auth_hash=graphene.String(required=True))
@@ -581,6 +605,8 @@ def resolve_organisations(root, info):
 
     # Teams
     resolve_teams = resolve_teams
+    resolve_scim_tokens = resolve_scim_tokens
+    resolve_scim_events = resolve_scim_events
 
     resolve_organisation_plan = resolve_organisation_plan
 
@@ -710,7 +736,7 @@ def resolve_app_environments(
 
         accessible_env_ids = set(
             EnvironmentKey.objects.filter(
-                environment__app_id=app_id, **key_filter
+                environment__app_id=app_id, deleted_at__isnull=True, **key_filter
             ).values_list("environment_id", flat=True)
         )
 
@@ -1164,6 +1190,12 @@ class Mutation(graphene.ObjectType):
     remove_team_app = RemoveTeamAppMutation.Field()
     update_team_app_environments = UpdateTeamAppEnvironmentsMutation.Field()
 
+    # SCIM
+    create_scim_token = CreateSCIMTokenMutation.Field()
+    delete_scim_token = DeleteSCIMTokenMutation.Field()
+    toggle_scim = ToggleSCIMMutation.Field()
+    toggle_scim_token = ToggleSCIMTokenMutation.Field()
+
     # Service Accounts
     create_service_account = CreateServiceAccountMutation.Field()
     enable_service_account_server_side_key_management = (

From a3d1051c0b7ad37247cc7efd8748c8b9ce435970 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:13 +0530
Subject: [PATCH 043/118] feat: guard SCIM-managed member and team deletion

---
 .../backend/graphene/mutations/organisation.py | 18 +++++++++++++++++-
 backend/backend/graphene/mutations/teams.py    |  5 +++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/backend/backend/graphene/mutations/organisation.py b/backend/backend/graphene/mutations/organisation.py
index 28183bbfe..d0c82ac08 100644
--- a/backend/backend/graphene/mutations/organisation.py
+++ b/backend/backend/graphene/mutations/organisation.py
@@ -8,6 +8,9 @@
 from api.utils.access.roles import default_roles
 from api.utils.keys import provision_pending_team_keys
 from api.tasks.emails import send_invite_email_job
+import logging
+
+logger = logging.getLogger(__name__)
 from backend.quotas import can_add_account
 import graphene
 from django.db import transaction
@@ -142,7 +145,14 @@ def mutate(cls, root, info, org_id, identity_key, wrapped_keyring, wrapped_recov
         # Provision team environment keys for SCIM-preprovisioned users
         # completing their key ceremony for the first time
         if first_key_ceremony:
-            provision_pending_team_keys(org_member)
+            try:
+                provision_pending_team_keys(org_member)
+            except Exception as e:
+                # Log but don't fail the key ceremony — keys can be re-provisioned
+                logger.error(
+                    f"Failed to provision pending team keys for {org_member.id}: {e}",
+                    exc_info=True,
+                )
 
         return UpdateUserWrappedSecretsMutation(org_member=org_member)
 
@@ -553,6 +563,12 @@ def mutate(cls, root, info, member_id):
         if org_member.user == info.context.user:
             raise GraphQLError("You can't remove yourself from an organisation")
 
+        if org_member.scimuser_set.exists():
+            raise GraphQLError(
+                "SCIM-managed members cannot be removed from the console. "
+                "Deprovision them from your identity provider."
+            )
+
         org_member.delete()
 
         if settings.APP_HOST == "cloud":
diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index f351e3569..681a89d68 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -241,6 +241,11 @@ def mutate(cls, root, info, team_id):
         if not user_has_permission(user, "delete", "Teams", org):
             raise GraphQLError("You don't have permission to delete Teams")
 
+        if team.is_scim_managed:
+            raise GraphQLError(
+                "This team is managed by SCIM and cannot be manually deleted"
+            )
+
         _check_team_membership(user, team)
 
         # Revoke all team environment key grants

From d46dc4e2b4b811830ceeae96e1d045ba630c1494 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:17 +0530
Subject: [PATCH 044/118] fix: convert Ed25519 identity keys to Curve25519 for
 key wrapping

---
 backend/api/utils/keys.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/backend/api/utils/keys.py b/backend/api/utils/keys.py
index 5a0456c0c..e30f3608c 100644
--- a/backend/api/utils/keys.py
+++ b/backend/api/utils/keys.py
@@ -7,6 +7,7 @@
 
 from django.apps import apps
 from django.utils import timezone
+from nacl.bindings import crypto_sign_ed25519_pk_to_curve25519
 from api.utils.crypto import (
     get_server_keypair,
     decrypt_asymmetric,
@@ -35,8 +36,13 @@ def server_wrap_env_key_for_member(environment, identity_key):
         server_env_key.wrapped_salt, server_sk.hex(), server_pk.hex()
     )
 
-    wrapped_seed = encrypt_asymmetric(seed, identity_key)
-    wrapped_salt = encrypt_asymmetric(salt, identity_key)
+    # identity_key is Ed25519; encrypt_asymmetric needs Curve25519
+    kx_pubkey_hex = crypto_sign_ed25519_pk_to_curve25519(
+        bytes.fromhex(identity_key)
+    ).hex()
+
+    wrapped_seed = encrypt_asymmetric(seed, kx_pubkey_hex)
+    wrapped_salt = encrypt_asymmetric(salt, kx_pubkey_hex)
     return wrapped_seed, wrapped_salt
 
 

From 5fbaac4580f0581f10430d7dba6ce07973335618 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:23 +0530
Subject: [PATCH 045/118] feat: add SCIM GraphQL operations and
 scimManaged/scimEnabled fields to queries

---
 .../organisation/initAccountKeys.gql          |  7 ++++
 .../mutations/scim/createSCIMToken.gql        | 19 +++++++++
 .../mutations/scim/deleteSCIMToken.gql        |  5 +++
 .../graphql/mutations/scim/toggleSCIM.gql     |  5 +++
 .../mutations/scim/toggleSCIMToken.gql        |  5 +++
 frontend/graphql/queries/getOrganisations.gql |  1 +
 .../organisation/getOrganisationMembers.gql   |  1 +
 .../graphql/queries/scim/getSCIMEvents.gql    | 40 +++++++++++++++++++
 .../graphql/queries/scim/getSCIMTokens.gql    | 17 ++++++++
 frontend/graphql/queries/teams/getTeams.gql   |  4 ++
 .../users/getOrganisationMemberDetail.gql     |  1 +
 11 files changed, 105 insertions(+)
 create mode 100644 frontend/graphql/mutations/organisation/initAccountKeys.gql
 create mode 100644 frontend/graphql/mutations/scim/createSCIMToken.gql
 create mode 100644 frontend/graphql/mutations/scim/deleteSCIMToken.gql
 create mode 100644 frontend/graphql/mutations/scim/toggleSCIM.gql
 create mode 100644 frontend/graphql/mutations/scim/toggleSCIMToken.gql
 create mode 100644 frontend/graphql/queries/scim/getSCIMEvents.gql
 create mode 100644 frontend/graphql/queries/scim/getSCIMTokens.gql

diff --git a/frontend/graphql/mutations/organisation/initAccountKeys.gql b/frontend/graphql/mutations/organisation/initAccountKeys.gql
new file mode 100644
index 000000000..f51635ada
--- /dev/null
+++ b/frontend/graphql/mutations/organisation/initAccountKeys.gql
@@ -0,0 +1,7 @@
+mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {
+  updateMemberWrappedSecrets(orgId: $orgId, identityKey: $identityKey, wrappedKeyring: $wrappedKeyring, wrappedRecovery: $wrappedRecovery) {
+    orgMember {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/scim/createSCIMToken.gql b/frontend/graphql/mutations/scim/createSCIMToken.gql
new file mode 100644
index 000000000..5fd0383ed
--- /dev/null
+++ b/frontend/graphql/mutations/scim/createSCIMToken.gql
@@ -0,0 +1,19 @@
+mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {
+  createScimToken(organisationId: $organisationId, name: $name, expiryDays: $expiryDays) {
+    token
+    scimToken {
+      id
+      name
+      tokenPrefix
+      createdBy {
+        id
+        fullName
+        email
+        avatarUrl
+      }
+      createdAt
+      expiresAt
+      lastUsedAt
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/scim/deleteSCIMToken.gql b/frontend/graphql/mutations/scim/deleteSCIMToken.gql
new file mode 100644
index 000000000..ccef82660
--- /dev/null
+++ b/frontend/graphql/mutations/scim/deleteSCIMToken.gql
@@ -0,0 +1,5 @@
+mutation DeleteSCIMTokenOp($tokenId: ID!) {
+  deleteScimToken(tokenId: $tokenId) {
+    ok
+  }
+}
diff --git a/frontend/graphql/mutations/scim/toggleSCIM.gql b/frontend/graphql/mutations/scim/toggleSCIM.gql
new file mode 100644
index 000000000..ee38ba1e2
--- /dev/null
+++ b/frontend/graphql/mutations/scim/toggleSCIM.gql
@@ -0,0 +1,5 @@
+mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {
+  toggleScim(organisationId: $organisationId, enabled: $enabled) {
+    ok
+  }
+}
diff --git a/frontend/graphql/mutations/scim/toggleSCIMToken.gql b/frontend/graphql/mutations/scim/toggleSCIMToken.gql
new file mode 100644
index 000000000..e26502c62
--- /dev/null
+++ b/frontend/graphql/mutations/scim/toggleSCIMToken.gql
@@ -0,0 +1,5 @@
+mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {
+  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {
+    ok
+  }
+}
diff --git a/frontend/graphql/queries/getOrganisations.gql b/frontend/graphql/queries/getOrganisations.gql
index 15960df04..18b240df1 100644
--- a/frontend/graphql/queries/getOrganisations.gql
+++ b/frontend/graphql/queries/getOrganisations.gql
@@ -33,5 +33,6 @@ query GetOrganisations {
       providerType
       enabled
     }
+    scimEnabled
   }
 }
diff --git a/frontend/graphql/queries/organisation/getOrganisationMembers.gql b/frontend/graphql/queries/organisation/getOrganisationMembers.gql
index 98dc029c6..08573892f 100644
--- a/frontend/graphql/queries/organisation/getOrganisationMembers.gql
+++ b/frontend/graphql/queries/organisation/getOrganisationMembers.gql
@@ -15,5 +15,6 @@ query GetOrganisationMembers($organisationId: ID!, $role: [String]) {
     createdAt
     lastLogin
     self
+    scimManaged
   }
 }
diff --git a/frontend/graphql/queries/scim/getSCIMEvents.gql b/frontend/graphql/queries/scim/getSCIMEvents.gql
new file mode 100644
index 000000000..3c57a9730
--- /dev/null
+++ b/frontend/graphql/queries/scim/getSCIMEvents.gql
@@ -0,0 +1,40 @@
+query GetSCIMEvents(
+  $organisationId: ID!
+  $start: BigInt
+  $end: BigInt
+  $eventTypes: [String]
+  $tokenId: ID
+  $status: String
+) {
+  scimEvents(
+    organisationId: $organisationId
+    start: $start
+    end: $end
+    eventTypes: $eventTypes
+    tokenId: $tokenId
+    status: $status
+  ) {
+    events {
+      id
+      scimToken {
+        id
+        name
+      }
+      eventType
+      status
+      resourceType
+      resourceId
+      resourceName
+      detail
+      requestMethod
+      requestPath
+      requestBody
+      responseStatus
+      responseBody
+      ipAddress
+      userAgent
+      timestamp
+    }
+    count
+  }
+}
diff --git a/frontend/graphql/queries/scim/getSCIMTokens.gql b/frontend/graphql/queries/scim/getSCIMTokens.gql
new file mode 100644
index 000000000..62251b268
--- /dev/null
+++ b/frontend/graphql/queries/scim/getSCIMTokens.gql
@@ -0,0 +1,17 @@
+query GetSCIMTokens($organisationId: ID!) {
+  scimTokens(organisationId: $organisationId) {
+    id
+    name
+    tokenPrefix
+    createdBy {
+      id
+      fullName
+      email
+      avatarUrl
+    }
+    createdAt
+    expiresAt
+    lastUsedAt
+    isActive
+  }
+}
diff --git a/frontend/graphql/queries/teams/getTeams.gql b/frontend/graphql/queries/teams/getTeams.gql
index 3f4e125d5..22c736146 100644
--- a/frontend/graphql/queries/teams/getTeams.gql
+++ b/frontend/graphql/queries/teams/getTeams.gql
@@ -38,6 +38,10 @@ query GetTeams($organisationId: ID!, $teamId: ID) {
       orgMember {
         id
         identityKey
+        scimManaged
+        email
+        fullName
+        avatarUrl
         role {
           id
           name
diff --git a/frontend/graphql/queries/users/getOrganisationMemberDetail.gql b/frontend/graphql/queries/users/getOrganisationMemberDetail.gql
index b128f9895..91c44ae53 100644
--- a/frontend/graphql/queries/users/getOrganisationMemberDetail.gql
+++ b/frontend/graphql/queries/users/getOrganisationMemberDetail.gql
@@ -15,6 +15,7 @@ query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {
     createdAt
     lastLogin
     self
+    scimManaged
     appMemberships {
       id
       name

From 1b2aabaf20f4d1616ac2b48f95c693e646662d4e Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:29 +0530
Subject: [PATCH 046/118] chore: regenerate GraphQL schema and codegen types
 for SCIM

---
 frontend/apollo/gql.ts         |  96 +++++++----
 frontend/apollo/graphql.ts     | 304 +++++++++++++++++++++++++--------
 frontend/apollo/schema.graphql | 203 ++++++++++++++++++----
 3 files changed, 464 insertions(+), 139 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index a90be6d66..1c4306afd 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -70,11 +70,16 @@ type Documents = {
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": typeof types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": typeof types.DeleteOrgInviteDocument,
     "mutation RemoveMember($memberId: ID!) {\n  deleteOrganisationMember(memberId: $memberId) {\n    ok\n  }\n}": typeof types.RemoveMemberDocument,
+    "mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.InitAccountKeysDocument,
     "mutation TransferOrgOwnership($organisationId: ID!, $newOwnerId: ID!, $billingEmail: String) {\n  transferOrganisationOwnership(\n    organisationId: $organisationId\n    newOwnerId: $newOwnerId\n    billingEmail: $billingEmail\n  ) {\n    ok\n  }\n}": typeof types.TransferOrgOwnershipDocument,
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": typeof types.UpdateMemberRoleDocument,
     "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": typeof types.RotateAppKeyDocument,
-    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
+    "mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {\n  createScimToken(\n    organisationId: $organisationId\n    name: $name\n    expiryDays: $expiryDays\n  ) {\n    token\n    scimToken {\n      id\n      name\n      tokenPrefix\n      createdBy {\n        id\n        fullName\n        email\n        avatarUrl\n      }\n      createdAt\n      expiresAt\n      lastUsedAt\n    }\n  }\n}": typeof types.CreateScimTokenOpDocument,
+    "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.DeleteScimTokenOpDocument,
+    "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}": typeof types.ToggleScimOpDocument,
+    "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}": typeof types.ToggleScimTokenOpDocument,
+    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": typeof types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountTokenOpDocument,
@@ -82,7 +87,6 @@ type Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": typeof types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": typeof types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOpDocument,
-    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewCfPagesSyncDocument,
@@ -109,7 +113,6 @@ type Documents = {
     "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": typeof types.DeleteTeamOpDocument,
     "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamAppOpDocument,
     "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamMemberOpDocument,
-    "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}": typeof types.TransferTeamOwnershipOpDocument,
     "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": typeof types.UpdateTeamOpDocument,
     "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": typeof types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": typeof types.CreateNewUserTokenDocument,
@@ -128,7 +131,7 @@ type Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": typeof types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": typeof types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}": typeof types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}": typeof types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": typeof types.GetAwsStsEndpointsDocument,
     "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": typeof types.GetIdentityProvidersDocument,
     "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
@@ -137,10 +140,12 @@ type Documents = {
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": typeof types.GetInvitesDocument,
     "query GetLicenseData {\n  license {\n    id\n    customerName\n    organisationName\n    expiresAt\n    plan\n    seats\n    isActivated\n    organisationOwner {\n      fullName\n      email\n    }\n  }\n}": typeof types.GetLicenseDataDocument,
     "query GetOrgLicense($organisationId: ID!) {\n  organisationLicense(organisationId: $organisationId) {\n    id\n    customerName\n    issuedAt\n    expiresAt\n    activatedAt\n    plan\n    seats\n    tokens\n  }\n}": typeof types.GetOrgLicenseDocument,
-    "query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n  }\n}": typeof types.GetOrganisationMembersDocument,
+    "query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n  }\n}": typeof types.GetOrganisationMembersDocument,
     "query GetOrganisationPlan($organisationId: ID!) {\n  organisationPlan(organisationId: $organisationId) {\n    name\n    maxUsers\n    maxApps\n    maxEnvsPerApp\n    seatsUsed {\n      users\n      serviceAccounts\n      total\n    }\n    seatLimit\n    appCount\n  }\n}": typeof types.GetOrganisationPlanDocument,
     "query GetRoles($orgId: ID!) {\n  roles(orgId: $orgId) {\n    id\n    name\n    description\n    color\n    permissions\n    isDefault\n  }\n}": typeof types.GetRolesDocument,
     "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}": typeof types.VerifyInviteDocument,
+    "query GetSCIMEvents($organisationId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $tokenId: ID, $status: String) {\n  scimEvents(\n    organisationId: $organisationId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    tokenId: $tokenId\n    status: $status\n  ) {\n    events {\n      id\n      scimToken {\n        id\n        name\n      }\n      eventType\n      status\n      resourceType\n      resourceId\n      resourceName\n      detail\n      requestMethod\n      requestPath\n      requestBody\n      responseStatus\n      responseBody\n      ipAddress\n      userAgent\n      timestamp\n    }\n    count\n  }\n}": typeof types.GetScimEventsDocument,
+    "query GetSCIMTokens($organisationId: ID!) {\n  scimTokens(organisationId: $organisationId) {\n    id\n    name\n    tokenPrefix\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    expiresAt\n    lastUsedAt\n    isActive\n  }\n}": typeof types.GetScimTokensDocument,
     "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetDynamicSecretsDocument,
     "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": typeof types.GetDynamicSecretProvidersDocument,
     "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      ttl\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}": typeof types.GetDynamicSecretLeasesDocument,
@@ -156,10 +161,10 @@ type Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": typeof types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": typeof types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
-    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
+    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": typeof types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": typeof types.ValidateAwsAssumeRoleAuthDocument,
@@ -181,8 +186,8 @@ type Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": typeof types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": typeof types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": typeof types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
-    "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": typeof types.GetOrganisationMemberDetailDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
+    "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": typeof types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": typeof types.GetUserTokensDocument,
 };
 const documents: Documents = {
@@ -242,11 +247,16 @@ const documents: Documents = {
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": types.DeleteOrgInviteDocument,
     "mutation RemoveMember($memberId: ID!) {\n  deleteOrganisationMember(memberId: $memberId) {\n    ok\n  }\n}": types.RemoveMemberDocument,
+    "mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.InitAccountKeysDocument,
     "mutation TransferOrgOwnership($organisationId: ID!, $newOwnerId: ID!, $billingEmail: String) {\n  transferOrganisationOwnership(\n    organisationId: $organisationId\n    newOwnerId: $newOwnerId\n    billingEmail: $billingEmail\n  ) {\n    ok\n  }\n}": types.TransferOrgOwnershipDocument,
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": types.UpdateMemberRoleDocument,
     "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": types.RotateAppKeyDocument,
-    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
+    "mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {\n  createScimToken(\n    organisationId: $organisationId\n    name: $name\n    expiryDays: $expiryDays\n  ) {\n    token\n    scimToken {\n      id\n      name\n      tokenPrefix\n      createdBy {\n        id\n        fullName\n        email\n        avatarUrl\n      }\n      createdAt\n      expiresAt\n      lastUsedAt\n    }\n  }\n}": types.CreateScimTokenOpDocument,
+    "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.DeleteScimTokenOpDocument,
+    "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}": types.ToggleScimOpDocument,
+    "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}": types.ToggleScimTokenOpDocument,
+    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountTokenOpDocument,
@@ -254,7 +264,6 @@ const documents: Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
-    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
@@ -281,7 +290,6 @@ const documents: Documents = {
     "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": types.DeleteTeamOpDocument,
     "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamAppOpDocument,
     "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamMemberOpDocument,
-    "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}": types.TransferTeamOwnershipOpDocument,
     "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": types.UpdateTeamOpDocument,
     "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": types.CreateNewUserTokenDocument,
@@ -300,7 +308,7 @@ const documents: Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}": types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}": types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": types.GetAwsStsEndpointsDocument,
     "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": types.GetIdentityProvidersDocument,
     "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
@@ -309,10 +317,12 @@ const documents: Documents = {
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": types.GetInvitesDocument,
     "query GetLicenseData {\n  license {\n    id\n    customerName\n    organisationName\n    expiresAt\n    plan\n    seats\n    isActivated\n    organisationOwner {\n      fullName\n      email\n    }\n  }\n}": types.GetLicenseDataDocument,
     "query GetOrgLicense($organisationId: ID!) {\n  organisationLicense(organisationId: $organisationId) {\n    id\n    customerName\n    issuedAt\n    expiresAt\n    activatedAt\n    plan\n    seats\n    tokens\n  }\n}": types.GetOrgLicenseDocument,
-    "query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n  }\n}": types.GetOrganisationMembersDocument,
+    "query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n  }\n}": types.GetOrganisationMembersDocument,
     "query GetOrganisationPlan($organisationId: ID!) {\n  organisationPlan(organisationId: $organisationId) {\n    name\n    maxUsers\n    maxApps\n    maxEnvsPerApp\n    seatsUsed {\n      users\n      serviceAccounts\n      total\n    }\n    seatLimit\n    appCount\n  }\n}": types.GetOrganisationPlanDocument,
     "query GetRoles($orgId: ID!) {\n  roles(orgId: $orgId) {\n    id\n    name\n    description\n    color\n    permissions\n    isDefault\n  }\n}": types.GetRolesDocument,
     "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}": types.VerifyInviteDocument,
+    "query GetSCIMEvents($organisationId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $tokenId: ID, $status: String) {\n  scimEvents(\n    organisationId: $organisationId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    tokenId: $tokenId\n    status: $status\n  ) {\n    events {\n      id\n      scimToken {\n        id\n        name\n      }\n      eventType\n      status\n      resourceType\n      resourceId\n      resourceName\n      detail\n      requestMethod\n      requestPath\n      requestBody\n      responseStatus\n      responseBody\n      ipAddress\n      userAgent\n      timestamp\n    }\n    count\n  }\n}": types.GetScimEventsDocument,
+    "query GetSCIMTokens($organisationId: ID!) {\n  scimTokens(organisationId: $organisationId) {\n    id\n    name\n    tokenPrefix\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    expiresAt\n    lastUsedAt\n    isActive\n  }\n}": types.GetScimTokensDocument,
     "query GetDynamicSecrets($orgId: ID!, $appId: ID, $envId: ID, $path: String) {\n  dynamicSecrets(orgId: $orgId, appId: $appId, envId: $envId, path: $path) {\n    id\n    name\n    environment {\n      id\n      name\n      index\n      app {\n        id\n        name\n      }\n    }\n    path\n    description\n    provider\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        iamPath\n      }\n    }\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetDynamicSecretsDocument,
     "query GetDynamicSecretProviders {\n  dynamicSecretProviders {\n    id\n    name\n    credentials\n    configMap\n  }\n}": types.GetDynamicSecretProvidersDocument,
     "query GetDynamicSecretLeases($secretId: ID!, $orgId: ID!) {\n  dynamicSecrets(secretId: $secretId, orgId: $orgId) {\n    id\n    leases {\n      id\n      name\n      ttl\n      createdAt\n      expiresAt\n      revokedAt\n      status\n      organisationMember {\n        id\n        fullName\n        email\n        avatarUrl\n        self\n      }\n      serviceAccount {\n        id\n        name\n      }\n      events {\n        id\n        eventType\n        createdAt\n        metadata\n        ipAddress\n        userAgent\n        organisationMember {\n          id\n          fullName\n          email\n          avatarUrl\n          self\n        }\n        serviceAccount {\n          id\n          name\n        }\n      }\n    }\n  }\n}": types.GetDynamicSecretLeasesDocument,
@@ -328,10 +338,10 @@ const documents: Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
-    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
+    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": types.ValidateAwsAssumeRoleAuthDocument,
@@ -353,8 +363,8 @@ const documents: Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
-    "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetOrganisationMemberDetailDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
+    "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": types.GetUserTokensDocument,
 };
 
@@ -596,6 +606,10 @@ export function graphql(source: "mutation DeleteOrgInvite($inviteId: ID!) {\n  d
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation RemoveMember($memberId: ID!) {\n  deleteOrganisationMember(memberId: $memberId) {\n    ok\n  }\n}"): (typeof documents)["mutation RemoveMember($memberId: ID!) {\n  deleteOrganisationMember(memberId: $memberId) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -615,7 +629,23 @@ export function graphql(source: "mutation RotateAppKey($id: ID!, $appToken: Stri
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"];
+export function graphql(source: "mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {\n  createScimToken(\n    organisationId: $organisationId\n    name: $name\n    expiryDays: $expiryDays\n  ) {\n    token\n    scimToken {\n      id\n      name\n      tokenPrefix\n      createdBy {\n        id\n        fullName\n        email\n        avatarUrl\n      }\n      createdAt\n      expiresAt\n      lastUsedAt\n    }\n  }\n}"): (typeof documents)["mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {\n  createScimToken(\n    organisationId: $organisationId\n    name: $name\n    expiryDays: $expiryDays\n  ) {\n    token\n    scimToken {\n      id\n      name\n      tokenPrefix\n      createdBy {\n        id\n        fullName\n        email\n        avatarUrl\n      }\n      createdAt\n      expiresAt\n      lastUsedAt\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}"): (typeof documents)["mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}"): (typeof documents)["mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -644,10 +674,6 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -752,10 +778,6 @@ export function graphql(source: "mutation RemoveTeamAppOp($teamId: ID!, $appId:
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -831,7 +853,7 @@ export function graphql(source: "query GetDashboard($organisationId: ID!) {\n  a
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n  }\n}"];
+export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -867,7 +889,7 @@ export function graphql(source: "query GetOrgLicense($organisationId: ID!) {\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n  }\n}"): (typeof documents)["query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n  }\n}"];
+export function graphql(source: "query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n  }\n}"): (typeof documents)["query GetOrganisationMembers($organisationId: ID!, $role: [String]) {\n  organisationMembers(organisationId: $organisationId, role: $role) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -880,6 +902,14 @@ export function graphql(source: "query GetRoles($orgId: ID!) {\n  roles(orgId: $
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}"): (typeof documents)["query VerifyInvite($inviteId: ID!) {\n  validateInvite(inviteId: $inviteId) {\n    id\n    organisation {\n      id\n      name\n    }\n    inviteeEmail\n    invitedBy {\n      fullName\n      email\n    }\n    apps {\n      id\n      name\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetSCIMEvents($organisationId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $tokenId: ID, $status: String) {\n  scimEvents(\n    organisationId: $organisationId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    tokenId: $tokenId\n    status: $status\n  ) {\n    events {\n      id\n      scimToken {\n        id\n        name\n      }\n      eventType\n      status\n      resourceType\n      resourceId\n      resourceName\n      detail\n      requestMethod\n      requestPath\n      requestBody\n      responseStatus\n      responseBody\n      ipAddress\n      userAgent\n      timestamp\n    }\n    count\n  }\n}"): (typeof documents)["query GetSCIMEvents($organisationId: ID!, $start: BigInt, $end: BigInt, $eventTypes: [String], $tokenId: ID, $status: String) {\n  scimEvents(\n    organisationId: $organisationId\n    start: $start\n    end: $end\n    eventTypes: $eventTypes\n    tokenId: $tokenId\n    status: $status\n  ) {\n    events {\n      id\n      scimToken {\n        id\n        name\n      }\n      eventType\n      status\n      resourceType\n      resourceId\n      resourceName\n      detail\n      requestMethod\n      requestPath\n      requestBody\n      responseStatus\n      responseBody\n      ipAddress\n      userAgent\n      timestamp\n    }\n    count\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetSCIMTokens($organisationId: ID!) {\n  scimTokens(organisationId: $organisationId) {\n    id\n    name\n    tokenPrefix\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    expiresAt\n    lastUsedAt\n    isActive\n  }\n}"): (typeof documents)["query GetSCIMTokens($organisationId: ID!) {\n  scimTokens(organisationId: $organisationId) {\n    id\n    name\n    tokenPrefix\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    expiresAt\n    lastUsedAt\n    isActive\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -943,7 +973,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -955,7 +985,7 @@ export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id:
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -1043,11 +1073,11 @@ export function graphql(source: "query GetVercelProjects($credentialId: ID!) {\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
+export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
+export function graphql(source: "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 336d22c1b..bac9c683e 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -219,6 +219,44 @@ export enum ApiOrganisationPlanChoices {
   Pr = 'PR'
 }
 
+/** An enumeration. */
+export enum ApiScimEventEventTypeChoices {
+  /** Group Created */
+  GroupCreated = 'GROUP_CREATED',
+  /** Group Deleted */
+  GroupDeleted = 'GROUP_DELETED',
+  /** Group Updated */
+  GroupUpdated = 'GROUP_UPDATED',
+  /** Member Added to Group */
+  MemberAdded = 'MEMBER_ADDED',
+  /** Member Removed from Group */
+  MemberRemoved = 'MEMBER_REMOVED',
+  /** User Created */
+  UserCreated = 'USER_CREATED',
+  /** User Deactivated */
+  UserDeactivated = 'USER_DEACTIVATED',
+  /** User Reactivated */
+  UserReactivated = 'USER_REACTIVATED',
+  /** User Updated */
+  UserUpdated = 'USER_UPDATED'
+}
+
+/** An enumeration. */
+export enum ApiScimEventResourceTypeChoices {
+  /** Group */
+  Group = 'GROUP',
+  /** User */
+  User = 'USER'
+}
+
+/** An enumeration. */
+export enum ApiScimEventStatusChoices {
+  /** Error */
+  Error = 'ERROR',
+  /** Success */
+  Success = 'SUCCESS'
+}
+
 /** An enumeration. */
 export enum ApiSecretEventEventTypeChoices {
   /** Create */
@@ -481,6 +519,12 @@ export type CreateRenderSync = {
   sync?: Maybe<EnvironmentSyncType>;
 };
 
+export type CreateScimTokenMutation = {
+  __typename?: 'CreateSCIMTokenMutation';
+  scimToken?: Maybe<ScimTokenType>;
+  token?: Maybe<Scalars['String']['output']>;
+};
+
 export type CreateSecretFolderMutation = {
   __typename?: 'CreateSecretFolderMutation';
   folder?: Maybe<SecretFolderType>;
@@ -597,6 +641,11 @@ export type DeleteProviderCredentials = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type DeleteScimTokenMutation = {
+  __typename?: 'DeleteSCIMTokenMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type DeleteSecretFolderMutation = {
   __typename?: 'DeleteSecretFolderMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -1012,6 +1061,7 @@ export type Mutation = {
   createProviderCredentials?: Maybe<CreateProviderCredentials>;
   createRailwaySync?: Maybe<CreateRailwaySync>;
   createRenderSync?: Maybe<CreateRenderSync>;
+  createScimToken?: Maybe<CreateScimTokenMutation>;
   createSecret?: Maybe<CreateSecretMutation>;
   createSecretFolder?: Maybe<CreateSecretFolderMutation>;
   createSecretTag?: Maybe<CreateSecretTagMutation>;
@@ -1036,6 +1086,7 @@ export type Mutation = {
   deleteOrganisationMember?: Maybe<DeleteOrganisationMemberMutation>;
   deletePaymentMethod?: Maybe<DeletePaymentMethodMutation>;
   deleteProviderCredentials?: Maybe<DeleteProviderCredentials>;
+  deleteScimToken?: Maybe<DeleteScimTokenMutation>;
   deleteSecret?: Maybe<DeleteSecretMutation>;
   deleteSecretFolder?: Maybe<DeleteSecretFolderMutation>;
   deleteSecrets?: Maybe<BulkDeleteSecretMutation>;
@@ -1062,13 +1113,16 @@ export type Mutation = {
   revokeDynamicSecretLease?: Maybe<RevokeLeaseMutation>;
   rotateAppKeys?: Maybe<RotateAppKeysMutation>;
   setDefaultPaymentMethod?: Maybe<SetDefaultPaymentMethodMutation>;
+  /** Master switch: enable/disable SCIM for the organisation. */
+  toggleScim?: Maybe<ToggleScimMutation>;
+  /** Per-provider toggle: enable/disable a single SCIM token. */
+  toggleScimToken?: Maybe<ToggleScimTokenMutation>;
   toggleSyncActive?: Maybe<ToggleSyncActive>;
   /**
    * Transfer organisation ownership from the current owner to another member.
    * The new owner must have global access (Admin role) to ensure they have all necessary keys.
    */
   transferOrganisationOwnership?: Maybe<TransferOrganisationOwnershipMutation>;
-  transferTeamOwnership?: Maybe<TransferTeamOwnershipMutation>;
   triggerSync?: Maybe<TriggerSync>;
   updateAccountNetworkAccessPolicies?: Maybe<UpdateAccountNetworkAccessPolicies>;
   updateAppInfo?: Maybe<UpdateAppInfoMutation>;
@@ -1083,15 +1137,6 @@ export type Mutation = {
   updateProviderCredentials?: Maybe<UpdateProviderCredentials>;
   updateServiceAccount?: Maybe<UpdateServiceAccountMutation>;
   updateServiceAccountHandlers?: Maybe<UpdateServiceAccountHandlersMutation>;
-  /**
-   * Transfer a service account between org-level and team ownership.
-   *
-   * - team_id=null: Promote team-owned SA to org-level (clears team FK).
-   * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
-   *
-   * Requires global_access (Owner/Admin only).
-   */
-  updateServiceAccountOwnership?: Maybe<UpdateServiceAccountOwnershipMutation>;
   updateSyncAuthentication?: Maybe<UpdateSyncAuthentication>;
   updateTeam?: Maybe<UpdateTeamMutation>;
   updateTeamAppEnvironments?: Maybe<UpdateTeamAppEnvironmentsMutation>;
@@ -1367,6 +1412,13 @@ export type MutationCreateRenderSyncArgs = {
 };
 
 
+export type MutationCreateScimTokenArgs = {
+  expiryDays?: InputMaybe<Scalars['Int']['input']>;
+  name: Scalars['String']['input'];
+  organisationId: Scalars['ID']['input'];
+};
+
+
 export type MutationCreateSecretArgs = {
   secretData?: InputMaybe<SecretInput>;
 };
@@ -1399,7 +1451,6 @@ export type MutationCreateServiceAccountArgs = {
   roleId?: InputMaybe<Scalars['ID']['input']>;
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
-  teamId?: InputMaybe<Scalars['ID']['input']>;
 };
 
 
@@ -1533,6 +1584,11 @@ export type MutationDeleteProviderCredentialsArgs = {
 };
 
 
+export type MutationDeleteScimTokenArgs = {
+  tokenId: Scalars['ID']['input'];
+};
+
+
 export type MutationDeleteSecretArgs = {
   id: Scalars['ID']['input'];
 };
@@ -1681,6 +1737,18 @@ export type MutationSetDefaultPaymentMethodArgs = {
 };
 
 
+export type MutationToggleScimArgs = {
+  enabled: Scalars['Boolean']['input'];
+  organisationId: Scalars['ID']['input'];
+};
+
+
+export type MutationToggleScimTokenArgs = {
+  isActive: Scalars['Boolean']['input'];
+  tokenId: Scalars['ID']['input'];
+};
+
+
 export type MutationToggleSyncActiveArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -1693,12 +1761,6 @@ export type MutationTransferOrganisationOwnershipArgs = {
 };
 
 
-export type MutationTransferTeamOwnershipArgs = {
-  newOwnerId: Scalars['ID']['input'];
-  teamId: Scalars['ID']['input'];
-};
-
-
 export type MutationTriggerSyncArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -1809,12 +1871,6 @@ export type MutationUpdateServiceAccountHandlersArgs = {
 };
 
 
-export type MutationUpdateServiceAccountOwnershipArgs = {
-  serviceAccountId: Scalars['ID']['input'];
-  teamId?: InputMaybe<Scalars['ID']['input']>;
-};
-
-
 export type MutationUpdateSyncAuthenticationArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   syncId?: InputMaybe<Scalars['ID']['input']>;
@@ -1893,6 +1949,7 @@ export type OrganisationMemberType = {
   lastLogin?: Maybe<Scalars['DateTime']['output']>;
   networkPolicies?: Maybe<Array<NetworkAccessPolicyType>>;
   role?: Maybe<RoleType>;
+  scimManaged?: Maybe<Scalars['Boolean']['output']>;
   self?: Maybe<Scalars['Boolean']['output']>;
   tokens?: Maybe<Array<UserTokenType>>;
   updatedAt: Scalars['DateTime']['output'];
@@ -1924,6 +1981,7 @@ export type OrganisationType = {
   pricingVersion: Scalars['Int']['output'];
   recovery?: Maybe<Scalars['String']['output']>;
   role?: Maybe<RoleType>;
+  scimEnabled: Scalars['Boolean']['output'];
 };
 
 export type PaymentMethodDetails = {
@@ -2044,6 +2102,8 @@ export type Query = {
   renderServices?: Maybe<Array<Maybe<RenderServiceType>>>;
   roles?: Maybe<Array<Maybe<RoleType>>>;
   savedCredentials?: Maybe<Array<Maybe<ProviderCredentialsType>>>;
+  scimEvents?: Maybe<ScimEventsResponseType>;
+  scimTokens?: Maybe<Array<Maybe<ScimTokenType>>>;
   secretHistory?: Maybe<Array<Maybe<SecretEventType>>>;
   secretLogs?: Maybe<SecretLogsResponseType>;
   secretTags?: Maybe<Array<Maybe<SecretTagType>>>;
@@ -2262,6 +2322,21 @@ export type QuerySavedCredentialsArgs = {
 };
 
 
+export type QueryScimEventsArgs = {
+  end?: InputMaybe<Scalars['BigInt']['input']>;
+  eventTypes?: InputMaybe<Array<InputMaybe<Scalars['String']['input']>>>;
+  organisationId?: InputMaybe<Scalars['ID']['input']>;
+  start?: InputMaybe<Scalars['BigInt']['input']>;
+  status?: InputMaybe<Scalars['String']['input']>;
+  tokenId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
+export type QueryScimTokensArgs = {
+  organisationId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type QuerySecretHistoryArgs = {
   secretId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -2474,6 +2549,44 @@ export type RotateAppKeysMutation = {
   app?: Maybe<AppType>;
 };
 
+export type ScimEventType = {
+  __typename?: 'SCIMEventType';
+  detail: Scalars['JSONString']['output'];
+  eventType: ApiScimEventEventTypeChoices;
+  id: Scalars['String']['output'];
+  ipAddress?: Maybe<Scalars['String']['output']>;
+  requestBody?: Maybe<Scalars['JSONString']['output']>;
+  requestMethod: Scalars['String']['output'];
+  requestPath: Scalars['String']['output'];
+  resourceId: Scalars['String']['output'];
+  resourceName: Scalars['String']['output'];
+  resourceType: ApiScimEventResourceTypeChoices;
+  responseBody?: Maybe<Scalars['JSONString']['output']>;
+  responseStatus?: Maybe<Scalars['Int']['output']>;
+  scimToken?: Maybe<ScimTokenType>;
+  status: ApiScimEventStatusChoices;
+  timestamp: Scalars['DateTime']['output'];
+  userAgent?: Maybe<Scalars['String']['output']>;
+};
+
+export type ScimEventsResponseType = {
+  __typename?: 'SCIMEventsResponseType';
+  count?: Maybe<Scalars['Int']['output']>;
+  events?: Maybe<Array<Maybe<ScimEventType>>>;
+};
+
+export type ScimTokenType = {
+  __typename?: 'SCIMTokenType';
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  createdBy?: Maybe<OrganisationMemberType>;
+  expiresAt?: Maybe<Scalars['DateTime']['output']>;
+  id: Scalars['String']['output'];
+  isActive: Scalars['Boolean']['output'];
+  lastUsedAt?: Maybe<Scalars['DateTime']['output']>;
+  name: Scalars['String']['output'];
+  tokenPrefix: Scalars['String']['output'];
+};
+
 export type SeatsUsed = {
   __typename?: 'SeatsUsed';
   serviceAccounts?: Maybe<Scalars['Int']['output']>;
@@ -2618,7 +2731,6 @@ export type ServiceAccountType = {
   networkPolicies?: Maybe<Array<NetworkAccessPolicyType>>;
   role?: Maybe<RoleType>;
   serverSideKeyManagementEnabled?: Maybe<Scalars['Boolean']['output']>;
-  team?: Maybe<TeamType>;
   tokens?: Maybe<Array<Maybe<ServiceAccountTokenType>>>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2717,7 +2829,6 @@ export type TeamType = {
   memberRole?: Maybe<RoleType>;
   members?: Maybe<Array<TeamMembershipType>>;
   name: Scalars['String']['output'];
-  owner?: Maybe<OrganisationMemberType>;
   serviceAccountRole?: Maybe<RoleType>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2731,6 +2842,18 @@ export enum TimeRange {
   Year = 'YEAR'
 }
 
+/** Master switch: enable/disable SCIM for the organisation. */
+export type ToggleScimMutation = {
+  __typename?: 'ToggleSCIMMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
+/** Per-provider toggle: enable/disable a single SCIM token. */
+export type ToggleScimTokenMutation = {
+  __typename?: 'ToggleSCIMTokenMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type ToggleSyncActive = {
   __typename?: 'ToggleSyncActive';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -2745,11 +2868,6 @@ export type TransferOrganisationOwnershipMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
-export type TransferTeamOwnershipMutation = {
-  __typename?: 'TransferTeamOwnershipMutation';
-  team?: Maybe<TeamType>;
-};
-
 export type TriggerSync = {
   __typename?: 'TriggerSync';
   sync?: Maybe<EnvironmentSyncType>;
@@ -2822,19 +2940,6 @@ export type UpdateServiceAccountMutation = {
   serviceAccount?: Maybe<ServiceAccountType>;
 };
 
-/**
- * Transfer a service account between org-level and team ownership.
- *
- * - team_id=null: Promote team-owned SA to org-level (clears team FK).
- * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
- *
- * Requires global_access (Owner/Admin only).
- */
-export type UpdateServiceAccountOwnershipMutation = {
-  __typename?: 'UpdateServiceAccountOwnershipMutation';
-  serviceAccount?: Maybe<ServiceAccountType>;
-};
-
 export type UpdateSubscriptionResponse = {
   __typename?: 'UpdateSubscriptionResponse';
   cancelledAt?: Maybe<Scalars['String']['output']>;
@@ -3418,6 +3523,16 @@ export type RemoveMemberMutationVariables = Exact<{
 
 export type RemoveMemberMutation = { __typename?: 'Mutation', deleteOrganisationMember?: { __typename?: 'DeleteOrganisationMemberMutation', ok?: boolean | null } | null };
 
+export type InitAccountKeysMutationVariables = Exact<{
+  orgId: Scalars['ID']['input'];
+  identityKey: Scalars['String']['input'];
+  wrappedKeyring: Scalars['String']['input'];
+  wrappedRecovery: Scalars['String']['input'];
+}>;
+
+
+export type InitAccountKeysMutation = { __typename?: 'Mutation', updateMemberWrappedSecrets?: { __typename?: 'UpdateUserWrappedSecretsMutation', orgMember?: { __typename?: 'OrganisationMemberType', id: string } | null } | null };
+
 export type TransferOrgOwnershipMutationVariables = Exact<{
   organisationId: Scalars['ID']['input'];
   newOwnerId: Scalars['ID']['input'];
@@ -3453,6 +3568,38 @@ export type RotateAppKeyMutationVariables = Exact<{
 
 export type RotateAppKeyMutation = { __typename?: 'Mutation', rotateAppKeys?: { __typename?: 'RotateAppKeysMutation', app?: { __typename?: 'AppType', id: string } | null } | null };
 
+export type CreateScimTokenOpMutationVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  name: Scalars['String']['input'];
+  expiryDays?: InputMaybe<Scalars['Int']['input']>;
+}>;
+
+
+export type CreateScimTokenOpMutation = { __typename?: 'Mutation', createScimToken?: { __typename?: 'CreateSCIMTokenMutation', token?: string | null, scimToken?: { __typename?: 'SCIMTokenType', id: string, name: string, tokenPrefix: string, createdAt?: any | null, expiresAt?: any | null, lastUsedAt?: any | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null } | null } | null };
+
+export type DeleteScimTokenOpMutationVariables = Exact<{
+  tokenId: Scalars['ID']['input'];
+}>;
+
+
+export type DeleteScimTokenOpMutation = { __typename?: 'Mutation', deleteScimToken?: { __typename?: 'DeleteSCIMTokenMutation', ok?: boolean | null } | null };
+
+export type ToggleScimOpMutationVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  enabled: Scalars['Boolean']['input'];
+}>;
+
+
+export type ToggleScimOpMutation = { __typename?: 'Mutation', toggleScim?: { __typename?: 'ToggleSCIMMutation', ok?: boolean | null } | null };
+
+export type ToggleScimTokenOpMutationVariables = Exact<{
+  tokenId: Scalars['ID']['input'];
+  isActive: Scalars['Boolean']['input'];
+}>;
+
+
+export type ToggleScimTokenOpMutation = { __typename?: 'Mutation', toggleScimToken?: { __typename?: 'ToggleSCIMTokenMutation', ok?: boolean | null } | null };
+
 export type CreateServiceAccountOpMutationVariables = Exact<{
   name: Scalars['String']['input'];
   orgId: Scalars['ID']['input'];
@@ -3461,7 +3608,6 @@ export type CreateServiceAccountOpMutationVariables = Exact<{
   handlers?: InputMaybe<Array<InputMaybe<ServiceAccountHandlerInput>> | InputMaybe<ServiceAccountHandlerInput>>;
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
-  teamId?: InputMaybe<Scalars['ID']['input']>;
 }>;
 
 
@@ -3527,14 +3673,6 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
 
 export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
-export type UpdateServiceAccountOwnershipOpMutationVariables = Exact<{
-  serviceAccountId: Scalars['ID']['input'];
-  teamId?: InputMaybe<Scalars['ID']['input']>;
-}>;
-
-
-export type UpdateServiceAccountOwnershipOpMutation = { __typename?: 'Mutation', updateServiceAccountOwnership?: { __typename?: 'UpdateServiceAccountOwnershipMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null } | null };
-
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
   path: Scalars['String']['input'];
@@ -3798,14 +3936,6 @@ export type RemoveTeamMemberOpMutationVariables = Exact<{
 
 export type RemoveTeamMemberOpMutation = { __typename?: 'Mutation', removeTeamMember?: { __typename?: 'RemoveTeamMemberMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
 
-export type TransferTeamOwnershipOpMutationVariables = Exact<{
-  teamId: Scalars['ID']['input'];
-  newOwnerId: Scalars['ID']['input'];
-}>;
-
-
-export type TransferTeamOwnershipOpMutation = { __typename?: 'Mutation', transferTeamOwnership?: { __typename?: 'TransferTeamOwnershipMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
-
 export type UpdateTeamOpMutationVariables = Exact<{
   teamId: Scalars['ID']['input'];
   name?: InputMaybe<Scalars['String']['input']>;
@@ -3952,7 +4082,7 @@ export type GetDashboardQuery = { __typename?: 'Query', apps?: Array<{ __typenam
 export type GetOrganisationsQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null> | null };
+export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, scimEnabled: boolean, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null> | null };
 
 export type GetAwsStsEndpointsQueryVariables = Exact<{ [key: string]: never; }>;
 
@@ -4013,7 +4143,7 @@ export type GetOrganisationMembersQueryVariables = Exact<{
 }>;
 
 
-export type GetOrganisationMembersQuery = { __typename?: 'Query', organisationMembers?: Array<{ __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, lastLogin?: any | null, self?: boolean | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null, color?: string | null } | null } | null> | null };
+export type GetOrganisationMembersQuery = { __typename?: 'Query', organisationMembers?: Array<{ __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, lastLogin?: any | null, self?: boolean | null, scimManaged?: boolean | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null, color?: string | null } | null } | null> | null };
 
 export type GetOrganisationPlanQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
@@ -4036,6 +4166,25 @@ export type VerifyInviteQueryVariables = Exact<{
 
 export type VerifyInviteQuery = { __typename?: 'Query', validateInvite?: { __typename?: 'OrganisationMemberInviteType', id: string, inviteeEmail: string, organisation: { __typename?: 'OrganisationType', id: string, name: string }, invitedBy: { __typename?: 'OrganisationMemberType', fullName?: string | null, email?: string | null }, apps: Array<{ __typename?: 'AppMembershipType', id: string, name: string }> } | null };
 
+export type GetScimEventsQueryVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  start?: InputMaybe<Scalars['BigInt']['input']>;
+  end?: InputMaybe<Scalars['BigInt']['input']>;
+  eventTypes?: InputMaybe<Array<InputMaybe<Scalars['String']['input']>> | InputMaybe<Scalars['String']['input']>>;
+  tokenId?: InputMaybe<Scalars['ID']['input']>;
+  status?: InputMaybe<Scalars['String']['input']>;
+}>;
+
+
+export type GetScimEventsQuery = { __typename?: 'Query', scimEvents?: { __typename?: 'SCIMEventsResponseType', count?: number | null, events?: Array<{ __typename?: 'SCIMEventType', id: string, eventType: ApiScimEventEventTypeChoices, status: ApiScimEventStatusChoices, resourceType: ApiScimEventResourceTypeChoices, resourceId: string, resourceName: string, detail: any, requestMethod: string, requestPath: string, requestBody?: any | null, responseStatus?: number | null, responseBody?: any | null, ipAddress?: string | null, userAgent?: string | null, timestamp: any, scimToken?: { __typename?: 'SCIMTokenType', id: string, name: string } | null } | null> | null } | null };
+
+export type GetScimTokensQueryVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+}>;
+
+
+export type GetScimTokensQuery = { __typename?: 'Query', scimTokens?: Array<{ __typename?: 'SCIMTokenType', id: string, name: string, tokenPrefix: string, createdAt?: any | null, expiresAt?: any | null, lastUsedAt?: any | null, isActive: boolean, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null } | null> | null };
+
 export type GetDynamicSecretsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
   appId?: InputMaybe<Scalars['ID']['input']>;
@@ -4166,7 +4315,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4189,7 +4338,7 @@ export type GetServiceAccountsQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
+export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
 
 export type GetOrganisationSyncsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4341,7 +4490,7 @@ export type GetTeamsQueryVariables = Exact<{
 }>;
 
 
-export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, owner?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
+export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, scimManaged?: boolean | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
 
 export type GetOrganisationMemberDetailQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
@@ -4349,7 +4498,7 @@ export type GetOrganisationMemberDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetOrganisationMemberDetailQuery = { __typename?: 'Query', organisationMembers?: Array<{ __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, lastLogin?: any | null, self?: boolean | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null, color?: string | null } | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, tokens?: Array<{ __typename?: 'UserTokenType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
+export type GetOrganisationMemberDetailQuery = { __typename?: 'Query', organisationMembers?: Array<{ __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, lastLogin?: any | null, self?: boolean | null, scimManaged?: boolean | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null, color?: string | null } | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, tokens?: Array<{ __typename?: 'UserTokenType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
 
 export type GetUserTokensQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
@@ -4415,11 +4564,16 @@ export const AcceptOrganisationInviteDocument = {"kind":"Document","definitions"
 export const BulkInviteMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"BulkInviteMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"invites"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"InviteInput"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"bulkInviteOrganisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"invites"},"value":{"kind":"Variable","name":{"kind":"Name","value":"invites"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"invites"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<BulkInviteMembersMutation, BulkInviteMembersMutationVariables>;
 export const DeleteOrgInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteInvitation"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgInviteMutation, DeleteOrgInviteMutationVariables>;
 export const RemoveMemberDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveMember"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<RemoveMemberMutation, RemoveMemberMutationVariables>;
+export const InitAccountKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"InitAccountKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<InitAccountKeysMutation, InitAccountKeysMutationVariables>;
 export const TransferOrgOwnershipDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TransferOrgOwnership"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"billingEmail"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"transferOrganisationOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"newOwnerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}}},{"kind":"Argument","name":{"kind":"Name","value":"billingEmail"},"value":{"kind":"Variable","name":{"kind":"Name","value":"billingEmail"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<TransferOrgOwnershipMutation, TransferOrgOwnershipMutationVariables>;
 export const UpdateMemberRoleDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateMemberRole"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationMemberRole"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateMemberRoleMutation, UpdateMemberRoleMutationVariables>;
 export const UpdateWrappedSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateWrappedSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateWrappedSecretsMutation, UpdateWrappedSecretsMutationVariables>;
 export const RotateAppKeyDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RotateAppKey"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"rotateAppKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"appToken"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RotateAppKeyMutation, RotateAppKeyMutationVariables>;
-export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
+export const CreateScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiryDays"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiryDays"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiryDays"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"}},{"kind":"Field","name":{"kind":"Name","value":"scimToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"tokenPrefix"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastUsedAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateScimTokenOpMutation, CreateScimTokenOpMutationVariables>;
+export const DeleteScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteScimTokenOpMutation, DeleteScimTokenOpMutationVariables>;
+export const ToggleScimOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ToggleSCIMOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"toggleScim"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"enabled"},"value":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<ToggleScimOpMutation, ToggleScimOpMutationVariables>;
+export const ToggleScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ToggleSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"isActive"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"toggleScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}},{"kind":"Argument","name":{"kind":"Name","value":"isActive"},"value":{"kind":"Variable","name":{"kind":"Name","value":"isActive"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<ToggleScimTokenOpMutation, ToggleScimTokenOpMutationVariables>;
+export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
 export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountTokenOpMutation, DeleteServiceAccountTokenOpMutationVariables>;
@@ -4427,7 +4581,6 @@ export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitio
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
-export const UpdateServiceAccountOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOwnershipOpMutation, UpdateServiceAccountOwnershipOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewAzureKeyVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAzureKeyVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAzureKeyVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultUri"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}}},{"kind":"Argument","name":{"kind":"Name","value":"syncMode"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAzureKeyVaultSyncMutation, CreateNewAzureKeyVaultSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
@@ -4454,7 +4607,6 @@ export const CreateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"O
 export const DeleteTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteTeamOpMutation, DeleteTeamOpMutationVariables>;
 export const RemoveTeamAppOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamAppOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamApp"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamAppOpMutation, RemoveTeamAppOpMutationVariables>;
 export const RemoveTeamMemberOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamMemberOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamMemberOpMutation, RemoveTeamMemberOpMutationVariables>;
-export const TransferTeamOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TransferTeamOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"transferTeamOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"newOwnerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<TransferTeamOwnershipOpMutation, TransferTeamOwnershipOpMutationVariables>;
 export const UpdateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamOpMutation, UpdateTeamOpMutationVariables>;
 export const UpdateTeamAppEnvironmentsOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamAppEnvironmentsOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeamAppEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamAppEnvironmentsOpMutation, UpdateTeamAppEnvironmentsOpMutationVariables>;
 export const CreateNewUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<CreateNewUserTokenMutation, CreateNewUserTokenMutationVariables>;
@@ -4473,7 +4625,7 @@ export const GetAppDetailDocument = {"kind":"Document","definitions":[{"kind":"O
 export const GetAppKmsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppKmsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"kmsLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"phaseNode"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"country"}},{"kind":"Field","name":{"kind":"Name","value":"city"}},{"kind":"Field","name":{"kind":"Name","value":"phSize"}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}}]}}]} as unknown as DocumentNode<GetAppKmsLogsQuery, GetAppKmsLogsQueryVariables>;
 export const GetAppsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetApps"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetAppsQuery, GetAppsQueryVariables>;
 export const GetDashboardDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDashboard"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]} as unknown as DocumentNode<GetDashboardQuery, GetDashboardQueryVariables>;
-export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
+export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}},{"kind":"Field","name":{"kind":"Name","value":"scimEnabled"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
 export const GetAwsStsEndpointsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsStsEndpoints"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsStsEndpoints"}}]}}]} as unknown as DocumentNode<GetAwsStsEndpointsQuery, GetAwsStsEndpointsQueryVariables>;
 export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
 export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
@@ -4482,10 +4634,12 @@ export const GetGlobalAccessUsersDocument = {"kind":"Document","definitions":[{"
 export const GetInvitesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetInvites"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetInvitesQuery, GetInvitesQueryVariables>;
 export const GetLicenseDataDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetLicenseData"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"license"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"customerName"}},{"kind":"Field","name":{"kind":"Name","value":"organisationName"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"seats"}},{"kind":"Field","name":{"kind":"Name","value":"isActivated"}},{"kind":"Field","name":{"kind":"Name","value":"organisationOwner"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}}]}}]}}]} as unknown as DocumentNode<GetLicenseDataQuery, GetLicenseDataQueryVariables>;
 export const GetOrgLicenseDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrgLicense"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationLicense"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"customerName"}},{"kind":"Field","name":{"kind":"Name","value":"issuedAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"activatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"seats"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"}}]}}]}}]} as unknown as DocumentNode<GetOrgLicenseQuery, GetOrgLicenseQueryVariables>;
-export const GetOrganisationMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"role"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"Variable","name":{"kind":"Name","value":"role"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMembersQuery, GetOrganisationMembersQueryVariables>;
+export const GetOrganisationMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"role"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"Variable","name":{"kind":"Name","value":"role"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"scimManaged"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMembersQuery, GetOrganisationMembersQueryVariables>;
 export const GetOrganisationPlanDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationPlan"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationPlan"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"seatLimit"}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationPlanQuery, GetOrganisationPlanQueryVariables>;
 export const GetRolesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRoles"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"roles"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"isDefault"}}]}}]}}]} as unknown as DocumentNode<GetRolesQuery, GetRolesQueryVariables>;
 export const VerifyInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateInvite"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"organisation"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<VerifyInviteQuery, VerifyInviteQueryVariables>;
+export const GetScimEventsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSCIMEvents"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"status"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"scimEvents"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}},{"kind":"Argument","name":{"kind":"Name","value":"eventTypes"},"value":{"kind":"Variable","name":{"kind":"Name","value":"eventTypes"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}},{"kind":"Argument","name":{"kind":"Name","value":"status"},"value":{"kind":"Variable","name":{"kind":"Name","value":"status"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"scimToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"resourceType"}},{"kind":"Field","name":{"kind":"Name","value":"resourceId"}},{"kind":"Field","name":{"kind":"Name","value":"resourceName"}},{"kind":"Field","name":{"kind":"Name","value":"detail"}},{"kind":"Field","name":{"kind":"Name","value":"requestMethod"}},{"kind":"Field","name":{"kind":"Name","value":"requestPath"}},{"kind":"Field","name":{"kind":"Name","value":"requestBody"}},{"kind":"Field","name":{"kind":"Name","value":"responseStatus"}},{"kind":"Field","name":{"kind":"Name","value":"responseBody"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}}]}}]} as unknown as DocumentNode<GetScimEventsQuery, GetScimEventsQueryVariables>;
+export const GetScimTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSCIMTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"scimTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"tokenPrefix"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastUsedAt"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}}]}}]} as unknown as DocumentNode<GetScimTokensQuery, GetScimTokensQueryVariables>;
 export const GetDynamicSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"index"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretsQuery, GetDynamicSecretsQueryVariables>;
 export const GetDynamicSecretProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecretProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"configMap"}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretProvidersQuery, GetDynamicSecretProvidersQueryVariables>;
 export const GetDynamicSecretLeasesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDynamicSecretLeases"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"secretId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretId"}}},{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"leases"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"ttl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"revokedAt"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"events"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"metadata"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"userAgent"}},{"kind":"Field","name":{"kind":"Name","value":"organisationMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetDynamicSecretLeasesQuery, GetDynamicSecretLeasesQueryVariables>;
@@ -4501,10 +4655,10 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"type"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
-export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
+export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
 export const GetOrganisationSyncsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationSyncs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"completedAt"}},{"kind":"Field","name":{"kind":"Name","value":"meta"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expectedCredentials"}},{"kind":"Field","name":{"kind":"Name","value":"optionalCredentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationSyncsQuery, GetOrganisationSyncsQueryVariables>;
 export const GetAwsSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"arn"}}]}}]}}]} as unknown as DocumentNode<GetAwsSecretsQuery, GetAwsSecretsQueryVariables>;
 export const ValidateAwsAssumeRoleAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"ValidateAWSAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateAwsAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"valid"}},{"kind":"Field","name":{"kind":"Name","value":"message"}},{"kind":"Field","name":{"kind":"Name","value":"method"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<ValidateAwsAssumeRoleAuthQuery, ValidateAwsAssumeRoleAuthQueryVariables>;
@@ -4526,6 +4680,6 @@ export const GetRailwayProjectsDocument = {"kind":"Document","definitions":[{"ki
 export const GetRenderResourcesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRenderResources"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renderServices"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}},{"kind":"Field","name":{"kind":"Name","value":"renderEnvgroups"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]} as unknown as DocumentNode<GetRenderResourcesQuery, GetRenderResourcesQueryVariables>;
 export const TestVaultAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"TestVaultAuth"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testVaultCreds"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}]}]}}]} as unknown as DocumentNode<TestVaultAuthQuery, TestVaultAuthQueryVariables>;
 export const GetVercelProjectsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetVercelProjects"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"vercelProjects"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"teamName"}},{"kind":"Field","name":{"kind":"Name","value":"projects"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"slug"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetVercelProjectsQuery, GetVercelProjectsQueryVariables>;
-export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"owner"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
-export const GetOrganisationMemberDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMemberDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMemberDetailQuery, GetOrganisationMemberDetailQueryVariables>;
+export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"scimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
+export const GetOrganisationMemberDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMemberDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"scimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMemberDetailQuery, GetOrganisationMemberDetailQueryVariables>;
 export const GetUserTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetUserTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyShare"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]} as unknown as DocumentNode<GetUserTokensQuery, GetUserTokensQueryVariables>;
\ No newline at end of file
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index e59d2c536..f39044e65 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -5,6 +5,8 @@ type Query {
   networkAccessPolicies(organisationId: ID): [NetworkAccessPolicyType]
   identities(organisationId: ID): [IdentityType]
   teams(organisationId: ID, teamId: ID): [TeamType]
+  scimTokens(organisationId: ID): [SCIMTokenType]
+  scimEvents(organisationId: ID, start: BigInt, end: BigInt, eventTypes: [String], tokenId: ID, status: String): SCIMEventsResponseType
   organisationNameAvailable(name: String): Boolean
   license: PhaseLicenseType
   organisationLicense(organisationId: ID): ActivatedPhaseLicenseType
@@ -72,6 +74,7 @@ type OrganisationType {
   createdAt: DateTime
   plan: ApiOrganisationPlanChoices!
   pricingVersion: Int!
+  scimEnabled: Boolean!
   role: RoleType
   memberId: ID
   keyring: String
@@ -163,6 +166,7 @@ type OrganisationMemberType {
   avatarUrl: String
   self: Boolean
   lastLogin: DateTime
+  scimManaged: Boolean
   appMemberships: [AppMembershipType!]
   tokens: [UserTokenType!]
   networkPolicies: [NetworkAccessPolicyType!]
@@ -304,7 +308,6 @@ type ServiceAccountType {
   id: String!
   name: String!
   role: RoleType
-  team: TeamType
   identityKey: String
   createdAt: DateTime
   updatedAt: DateTime!
@@ -665,6 +668,146 @@ type UserTokenType {
   createdBy: OrganisationMemberType
 }
 
+type TeamType {
+  id: String!
+  name: String!
+  description: String
+  memberRole: RoleType
+  serviceAccountRole: RoleType
+  isScimManaged: Boolean!
+  createdBy: OrganisationMemberType
+  createdAt: DateTime
+  updatedAt: DateTime!
+  members: [TeamMembershipType!]
+  apps: [AppType!]
+  appEnvironments: [TeamAppEnvironmentType!]
+  memberCount: Int
+}
+
+type TeamMembershipType {
+  id: String!
+  orgMember: OrganisationMemberType
+  serviceAccount: ServiceAccountType
+  createdAt: DateTime
+  email: String
+  fullName: String
+  avatarUrl: String
+}
+
+type AppType {
+  id: String!
+  name: String!
+  description: String
+  identityKey: String!
+  appVersion: Int!
+  appToken: String!
+  appSeed: String!
+  wrappedKeyShare: String!
+  createdAt: DateTime
+  updatedAt: DateTime!
+  sseEnabled: Boolean!
+  serviceAccounts: [ServiceAccountType]!
+  environments: [EnvironmentType]!
+  members: [OrganisationMemberType]!
+}
+
+type TeamAppEnvironmentType {
+  id: String!
+  app: AppMembershipType!
+  environment: EnvironmentType!
+  createdAt: DateTime
+}
+
+type SCIMTokenType {
+  id: String!
+  name: String!
+  tokenPrefix: String!
+  createdBy: OrganisationMemberType
+  createdAt: DateTime
+  expiresAt: DateTime
+  lastUsedAt: DateTime
+  isActive: Boolean!
+}
+
+type SCIMEventsResponseType {
+  events: [SCIMEventType]
+  count: Int
+}
+
+type SCIMEventType {
+  id: String!
+  scimToken: SCIMTokenType
+  eventType: ApiSCIMEventEventTypeChoices!
+  status: ApiSCIMEventStatusChoices!
+  resourceType: ApiSCIMEventResourceTypeChoices!
+  resourceId: String!
+  resourceName: String!
+  detail: JSONString!
+  requestMethod: String!
+  requestPath: String!
+  requestBody: JSONString
+  responseStatus: Int
+  responseBody: JSONString
+  ipAddress: String
+  userAgent: String
+  timestamp: DateTime!
+}
+
+"""An enumeration."""
+enum ApiSCIMEventEventTypeChoices {
+  """User Created"""
+  USER_CREATED
+
+  """User Updated"""
+  USER_UPDATED
+
+  """User Deactivated"""
+  USER_DEACTIVATED
+
+  """User Reactivated"""
+  USER_REACTIVATED
+
+  """Group Created"""
+  GROUP_CREATED
+
+  """Group Updated"""
+  GROUP_UPDATED
+
+  """Group Deleted"""
+  GROUP_DELETED
+
+  """Member Added to Group"""
+  MEMBER_ADDED
+
+  """Member Removed from Group"""
+  MEMBER_REMOVED
+}
+
+"""An enumeration."""
+enum ApiSCIMEventStatusChoices {
+  """Success"""
+  SUCCESS
+
+  """Error"""
+  ERROR
+}
+
+"""An enumeration."""
+enum ApiSCIMEventResourceTypeChoices {
+  """User"""
+  USER
+
+  """Group"""
+  GROUP
+}
+
+"""
+The `BigInt` scalar type represents non-fractional whole numeric values.
+`BigInt` is not constrained to 32-bit like the `Int` type and thus is a less
+compatible type.
+"""
+scalar BigInt
+
 type PhaseLicenseType {
   id: String
   customerName: String
@@ -764,13 +907,6 @@ interface Node {
   id: ID!
 }
 
-"""
-The `BigInt` scalar type represents non-fractional whole numeric values.
-`BigInt` is not constrained to 32-bit like the `Int` type and thus is a less
-compatible type.
-"""
-scalar BigInt
-
 type SecretLogsResponseType {
   logs: [SecretEventType]
   count: Int
@@ -1079,7 +1215,15 @@ type Mutation {
   addTeamApps(appEnvs: [AppEnvironmentInput!]!, teamId: ID!): AddTeamAppsMutation
   removeTeamApp(appId: ID!, teamId: ID!): RemoveTeamAppMutation
   updateTeamAppEnvironments(appId: ID!, envIds: [ID!]!, teamId: ID!): UpdateTeamAppEnvironmentsMutation
-  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String, teamId: ID): CreateServiceAccountMutation
+  createScimToken(expiryDays: Int, name: String!, organisationId: ID!): CreateSCIMTokenMutation
+  deleteScimToken(tokenId: ID!): DeleteSCIMTokenMutation
+
+  """Master switch: enable/disable SCIM for the organisation."""
+  toggleScim(enabled: Boolean!, organisationId: ID!): ToggleSCIMMutation
+
+  """Per-provider toggle: enable/disable a single SCIM token."""
+  toggleScimToken(isActive: Boolean!, tokenId: ID!): ToggleSCIMTokenMutation
+  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
   enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
   enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
   updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
@@ -1087,16 +1231,6 @@ type Mutation {
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
   createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
-
-  """
-  Transfer a service account between org-level and team ownership.
-  
-  - team_id=null: Promote team-owned SA to org-level (clears team FK).
-  - team_id=<id>: Assign SA to a team (narrows visibility to team members).
-  
-  Requires global_access (Owner/Admin only).
-  """
-  updateServiceAccountOwnership(serviceAccountId: ID!, teamId: ID): UpdateServiceAccountOwnershipMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
@@ -1375,6 +1509,25 @@ type UpdateTeamAppEnvironmentsMutation {
   team: TeamType
 }
 
+type CreateSCIMTokenMutation {
+  token: String
+  scimToken: SCIMTokenType
+}
+
+type DeleteSCIMTokenMutation {
+  ok: Boolean
+}
+
+"""Master switch: enable/disable SCIM for the organisation."""
+type ToggleSCIMMutation {
+  ok: Boolean
+}
+
+"""Per-provider toggle: enable/disable a single SCIM token."""
+type ToggleSCIMTokenMutation {
+  ok: Boolean
+}
+
 type CreateServiceAccountMutation {
   serviceAccount: ServiceAccountType
 }
@@ -1414,18 +1567,6 @@ type DeleteServiceAccountTokenMutation {
   ok: Boolean
 }
 
-"""
-Transfer a service account between org-level and team ownership.
-
-- team_id=null: Promote team-owned SA to org-level (clears team FK).
-- team_id=<id>: Assign SA to a team (narrows visibility to team members).
-
-Requires global_access (Owner/Admin only).
-"""
-type UpdateServiceAccountOwnershipMutation {
-  serviceAccount: ServiceAccountType
-}
-
 type InitEnvSync {
   app: AppType
 }

From 86a48c59664e65883c06264b8f6fe4c906d095d2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:37 +0530
Subject: [PATCH 047/118] feat: add SCIM and Pending badges to ProfileCard with
 3xs font size

---
 frontend/components/common/ProfileCard.tsx | 69 ++++++++++++++--------
 frontend/tailwind.config.js                |  1 +
 2 files changed, 47 insertions(+), 23 deletions(-)

diff --git a/frontend/components/common/ProfileCard.tsx b/frontend/components/common/ProfileCard.tsx
index 84f98304c..31a65c5da 100644
--- a/frontend/components/common/ProfileCard.tsx
+++ b/frontend/components/common/ProfileCard.tsx
@@ -17,6 +17,21 @@ const textSizeMap: Record<ProfileCardSize, { name: string; subtitle: string }> =
   lg: { name: 'text-sm', subtitle: 'text-xs' },
 }
 
+const MemberBadges = ({ member }: { member: OrganisationMemberType }) => (
+  <>
+    {member.scimManaged && (
+      <span className="inline-flex items-center shrink-0 px-1 py-px rounded text-3xs font-medium bg-blue-500/10 text-blue-500 ring-1 ring-inset ring-blue-500/20">
+        SCIM
+      </span>
+    )}
+    {!member.identityKey && (
+      <span className="inline-flex items-center shrink-0 px-1 py-px rounded text-3xs font-medium bg-amber-500/10 text-amber-500 ring-1 ring-inset ring-amber-500/20">
+        Pending
+      </span>
+    )}
+  </>
+)
+
 export const ProfileCard = ({
   member,
   serviceAccount,
@@ -34,13 +49,15 @@ export const ProfileCard = ({
 
   if (serviceAccount) {
     return (
-      <div className="flex items-center gap-2">
-        <Avatar serviceAccount={serviceAccount} size={avatarSizeMap[size]} />
-        <div>
-          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100`}>
+      <div className="flex items-center gap-2 min-w-0">
+        <div className="shrink-0">
+          <Avatar serviceAccount={serviceAccount} size={avatarSizeMap[size]} />
+        </div>
+        <div className="min-w-0">
+          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100 truncate`}>
             {serviceAccount.name}
           </div>
-          <div className={`${textStyles.subtitle} text-neutral-500 font-mono`}>
+          <div className={`${textStyles.subtitle} text-neutral-500 font-mono truncate`}>
             {subtitle || serviceAccount.id}
           </div>
         </div>
@@ -50,15 +67,19 @@ export const ProfileCard = ({
 
   if (member) {
     const displayName = member.fullName || member.email
+    const hasBadges = member.scimManaged || !member.identityKey
     return (
-      <div className="flex items-center gap-2">
-        <Avatar member={member} size={avatarSizeMap[size]} />
-        <div>
-          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100`}>
-            {displayName}
+      <div className="flex items-center gap-2 min-w-0">
+        <div className="shrink-0">
+          <Avatar member={member} size={avatarSizeMap[size]} />
+        </div>
+        <div className="min-w-0">
+          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100 flex items-center gap-1.5`}>
+            <span className="truncate">{displayName}</span>
+            {hasBadges && <MemberBadges member={member} />}
           </div>
           {member.fullName && (
-            <div className={`${textStyles.subtitle} text-neutral-500`}>{member.email}</div>
+            <div className={`${textStyles.subtitle} text-neutral-500 truncate`}>{member.email}</div>
           )}
         </div>
       </div>
@@ -68,21 +89,23 @@ export const ProfileCard = ({
   if (user) {
     const displayName = user.name || user.email
     return (
-      <div className="flex items-center gap-2">
-        <Avatar
-          user={{
-            name: user.name,
-            email: user.email,
-            image: user.image,
-          }}
-          size={avatarSizeMap[size]}
-        />
-        <div>
-          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100`}>
+      <div className="flex items-center gap-2 min-w-0">
+        <div className="shrink-0">
+          <Avatar
+            user={{
+              name: user.name,
+              email: user.email,
+              image: user.image,
+            }}
+            size={avatarSizeMap[size]}
+          />
+        </div>
+        <div className="min-w-0">
+          <div className={`${textStyles.name} font-medium text-zinc-900 dark:text-zinc-100 truncate`}>
             {displayName}
           </div>
           {user.name && user.email && (
-            <div className={`${textStyles.subtitle} text-neutral-500`}>{user.email}</div>
+            <div className={`${textStyles.subtitle} text-neutral-500 truncate`}>{user.email}</div>
           )}
         </div>
       </div>
diff --git a/frontend/tailwind.config.js b/frontend/tailwind.config.js
index bbe389bb0..aff2965df 100644
--- a/frontend/tailwind.config.js
+++ b/frontend/tailwind.config.js
@@ -13,6 +13,7 @@ module.exports = {
   darkMode: 'class',
   theme: {
     fontSize: {
+      '3xs': ['0.625rem', { lineHeight: '1rem' }],
       '2xs': ['0.75rem', { lineHeight: '1.25rem' }],
       xs: ['0.8125rem', { lineHeight: '1.5rem' }],
       sm: ['0.875rem', { lineHeight: '1.5rem' }],

From 375c0bae60ae7972913cb74627c42fd514c7b7ed Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:45 +0530
Subject: [PATCH 048/118] feat: add SCIM tab and integrate SCIM badges, guards,
 and ProfileCard across access pages

---
 frontend/app/[team]/access/layout.tsx         |  4 ++++
 .../[team]/access/members/[memberId]/page.tsx | 22 ++++++++++++++-----
 .../_components/DeleteMemberConfirmDialog.tsx | 14 +++++++++++-
 frontend/app/[team]/access/members/page.tsx   | 16 +++++---------
 .../app/[team]/access/teams/[teamId]/page.tsx |  9 ++------
 frontend/app/[team]/access/teams/page.tsx     |  3 +--
 6 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/frontend/app/[team]/access/layout.tsx b/frontend/app/[team]/access/layout.tsx
index 3a3d077fb..4c4c74ee9 100644
--- a/frontend/app/[team]/access/layout.tsx
+++ b/frontend/app/[team]/access/layout.tsx
@@ -47,6 +47,10 @@ export default function AccessLayout({
         name: 'Authentication',
         link: 'authentication',
       },
+      {
+        name: 'SCIM',
+        link: 'scim',
+      },
       {
         name: 'Network',
         link: 'network',
diff --git a/frontend/app/[team]/access/members/[memberId]/page.tsx b/frontend/app/[team]/access/members/[memberId]/page.tsx
index bea69d197..1bca722a9 100644
--- a/frontend/app/[team]/access/members/[memberId]/page.tsx
+++ b/frontend/app/[team]/access/members/[memberId]/page.tsx
@@ -8,7 +8,7 @@ import { userHasPermission } from '@/utils/access/permissions'
 import { useQuery } from '@apollo/client'
 import Link from 'next/link'
 import { useContext, useMemo } from 'react'
-import { FaBan, FaChevronLeft, FaClock, FaCog, FaKey, FaNetworkWired } from 'react-icons/fa'
+import { FaBan, FaChevronLeft, FaClock, FaCog, FaExclamationTriangle, FaKey, FaNetworkWired } from 'react-icons/fa'
 import { Avatar } from '@/components/common/Avatar'
 import { EmptyState } from '@/components/common/EmptyState'
 import {
@@ -175,10 +175,22 @@ export default function MemberDetail({ params }: { params: { team: string; membe
           <div className="flex items-center gap-3">
             <Avatar member={member} size="xl" />
             <div className="flex flex-col gap-0.5">
-              <h3 className="text-base font-medium">
-                {member.fullName || 'User'} {member.self && ' (You)'}{' '}
-              </h3>
+              <div className="flex items-center gap-2">
+                <h3 className="text-base font-medium">
+                  {member.fullName || 'User'} {member.self && ' (You)'}
+                </h3>
+                {member.scimManaged && (
+                  <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded text-2xs font-medium bg-blue-500/10 text-blue-500 ring-1 ring-inset ring-blue-500/20">
+                    SCIM
+                  </span>
+                )}
+              </div>
               <span className="text-neutral-500 text-xs">{member.email}</span>
+              {!member.identityKey && (
+                <span className="text-amber-500 text-xs flex items-center gap-1">
+                  <FaExclamationTriangle /> Key ceremony pending — user has not logged in yet
+                </span>
+              )}
               {member.lastLogin ? (
                 <span
                   className="text-neutral-500 text-xs flex items-center gap-1 cursor-help"
@@ -288,7 +300,7 @@ export default function MemberDetail({ params }: { params: { team: string; membe
                   Apps and Environments this member has direct access to
                 </div>
               </div>
-              {userCanWriteAppMemberships && !member.self && (
+              {userCanWriteAppMemberships && !member.self && member.identityKey && (
                 <AddAppToMemberButton
                   member={member}
                   organisationId={organisation.id}
diff --git a/frontend/app/[team]/access/members/_components/DeleteMemberConfirmDialog.tsx b/frontend/app/[team]/access/members/_components/DeleteMemberConfirmDialog.tsx
index bfd1d341a..f87fe6177 100644
--- a/frontend/app/[team]/access/members/_components/DeleteMemberConfirmDialog.tsx
+++ b/frontend/app/[team]/access/members/_components/DeleteMemberConfirmDialog.tsx
@@ -54,7 +54,19 @@ export const DeleteMemberConfirmDialog = (props: {
     : false
 
   const allowDelete =
-    !member.self! && activeUserCanDeleteUsers && member.role!.name!.toLowerCase() !== 'owner'
+    !member.self! &&
+    activeUserCanDeleteUsers &&
+    member.role!.name!.toLowerCase() !== 'owner' &&
+    !member.scimManaged
+
+  if (member.scimManaged) {
+    return (
+      <p className="text-xs text-neutral-500 italic">
+        This member is managed by SCIM and cannot be removed from the console. Deprovision them
+        from your identity provider.
+      </p>
+    )
+  }
 
   if (!allowDelete) return <></>
 
diff --git a/frontend/app/[team]/access/members/page.tsx b/frontend/app/[team]/access/members/page.tsx
index 225890c5d..ed319e6a5 100644
--- a/frontend/app/[team]/access/members/page.tsx
+++ b/frontend/app/[team]/access/members/page.tsx
@@ -12,6 +12,7 @@ import { FaBan, FaChevronRight, FaSearch, FaTimesCircle, FaCopy } from 'react-ic
 import clsx from 'clsx'
 import Link from 'next/link'
 import { Avatar } from '@/components/common/Avatar'
+import { ProfileCard } from '@/components/common/ProfileCard'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { getInviteLink } from '@/utils/crypto'
 import { userHasPermission } from '@/utils/access/permissions'
@@ -57,7 +58,8 @@ export default function Members({ params }: { params: { team: string } }) {
     ? searchQuery !== ''
       ? membersData?.organisationMembers.filter(
           (member: OrganisationMemberType) =>
-            member.fullName?.includes(searchQuery) || member.email?.includes(searchQuery)
+            member.fullName?.toLowerCase().includes(searchQuery.toLowerCase()) ||
+            member.email?.toLowerCase().includes(searchQuery.toLowerCase())
         )
       : membersData?.organisationMembers
     : []
@@ -142,16 +144,8 @@ export default function Members({ params }: { params: { team: string } }) {
                 <tbody className="divide-y divide-zinc-500/20">
                   {filteredMembers.map((member: OrganisationMemberType) => (
                     <tr key={member.id} className="group">
-                      <td className="py-2 flex items-center gap-2">
-                        <Avatar member={member} size="md" />
-                        <div>
-                          <div className="font-medium">
-                            {member.fullName || member.email} {member.self && ' (You)'}
-                          </div>
-                          {member.fullName && (
-                            <div className="text-sm text-neutral-500">{member.email}</div>
-                          )}
-                        </div>
+                      <td className="py-2">
+                        <ProfileCard member={member} size="lg" />
                       </td>
                       <td className="px-6 py-2 text-sm">
                         <RoleLabel role={member.role!} />
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index ad755b99d..340fd867b 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -168,8 +168,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
               <h3 className="text-lg font-medium flex items-center gap-2">
                 {team.name}
                 {team.isScimManaged && (
-                  <span className="text-2xs px-1 rounded ring-1 ring-inset ring-purple-500/40 bg-purple-500/20 text-purple-400 uppercase font-medium">
-                    <FaRobot className="inline mr-0.5" />
+                  <span className="inline-flex items-center shrink-0 px-1 py-px rounded text-3xs font-medium bg-blue-500/10 text-blue-500 ring-1 ring-inset ring-blue-500/20">
                     SCIM
                   </span>
                 )}
@@ -232,11 +231,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                       className="grid grid-cols-1 md:grid-cols-4 gap-4 items-center py-1.5 px-2 group"
                     >
                       <ProfileCard
-                        user={{
-                          name: membership.fullName,
-                          email: membership.email,
-                          image: membership.avatarUrl,
-                        }}
+                        member={membership.orgMember!}
                         size="md"
                       />
 
diff --git a/frontend/app/[team]/access/teams/page.tsx b/frontend/app/[team]/access/teams/page.tsx
index b0850b255..60b46bdee 100644
--- a/frontend/app/[team]/access/teams/page.tsx
+++ b/frontend/app/[team]/access/teams/page.tsx
@@ -158,8 +158,7 @@ export default function Teams({ params }: { params: { team: string } }) {
                             <div className="font-medium flex items-center gap-2">
                               {team.name}
                               {team.isScimManaged && (
-                                <span className="text-2xs px-1 rounded ring-1 ring-inset ring-purple-500/40 bg-purple-500/20 text-purple-400 uppercase font-medium">
-                                  <FaRobot className="inline mr-0.5" />
+                                <span className="inline-flex items-center shrink-0 px-1 py-px rounded text-3xs font-medium bg-blue-500/10 text-blue-500 ring-1 ring-inset ring-blue-500/20">
                                   SCIM
                                 </span>
                               )}

From 7757aa0c0422240c8da7e264e8d4a911a5c24e4d Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:50 +0530
Subject: [PATCH 049/118] feat: add SCIM settings page with token management,
 audit logs, and provider connections

---
 .../access/scim/_components/SCIMEventRow.tsx  | 145 ++++++++
 .../scim/_components/SCIMEventsTable.tsx      |  35 ++
 .../scim/_components/SCIMTokenDialogs.tsx     | 176 ++++++++++
 .../scim/_components/SCIMTokensTable.tsx      | 128 +++++++
 .../[team]/access/scim/_components/shared.tsx |  99 ++++++
 .../[team]/access/scim/connections/page.tsx   | 113 ++++++
 frontend/app/[team]/access/scim/layout.tsx    |  47 +++
 frontend/app/[team]/access/scim/logs/page.tsx | 327 ++++++++++++++++++
 frontend/app/[team]/access/scim/page.tsx      | 260 ++++++++++++++
 9 files changed, 1330 insertions(+)
 create mode 100644 frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx
 create mode 100644 frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx
 create mode 100644 frontend/app/[team]/access/scim/_components/SCIMTokenDialogs.tsx
 create mode 100644 frontend/app/[team]/access/scim/_components/SCIMTokensTable.tsx
 create mode 100644 frontend/app/[team]/access/scim/_components/shared.tsx
 create mode 100644 frontend/app/[team]/access/scim/connections/page.tsx
 create mode 100644 frontend/app/[team]/access/scim/layout.tsx
 create mode 100644 frontend/app/[team]/access/scim/logs/page.tsx
 create mode 100644 frontend/app/[team]/access/scim/page.tsx

diff --git a/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx b/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx
new file mode 100644
index 000000000..b23faa004
--- /dev/null
+++ b/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx
@@ -0,0 +1,145 @@
+'use client'
+
+import { Disclosure, Transition } from '@headlessui/react'
+import { FaChevronRight } from 'react-icons/fa'
+import clsx from 'clsx'
+import { relativeTimeFromDates } from '@/utils/time'
+import { EVENT_TYPE_LABELS, LogField, JsonBlock, ProviderLogo } from './shared'
+
+export function SCIMEventRow({ event }: { event: any }) {
+  const eventMeta = EVENT_TYPE_LABELS[event.eventType] || {
+    label: event.eventType,
+    color: 'text-neutral-500 bg-neutral-500/10 ring-neutral-500/20',
+  }
+
+  const isError = event.status === 'ERROR'
+
+  return (
+    <Disclosure>
+      {({ open }) => (
+        <>
+          <Disclosure.Button
+            as="tr"
+            className={clsx(
+              'py-4 border-neutral-500/20 transition duration-300 ease-in-out cursor-pointer',
+              open
+                ? 'bg-neutral-100 dark:bg-neutral-800 border-r'
+                : 'border-b hover:bg-neutral-100 dark:hover:bg-neutral-800'
+            )}
+          >
+            <td
+              className={clsx(
+                'px-6 py-2 border-l',
+                open ? 'border-l-emerald-500' : 'border-l-transparent'
+              )}
+            >
+              <FaChevronRight
+                className={clsx(
+                  'transform transition-all duration-300 text-xs',
+                  open && 'rotate-90 text-emerald-500'
+                )}
+              />
+            </td>
+            <td className="whitespace-nowrap px-6 py-2 text-xs font-medium capitalize">
+              {relativeTimeFromDates(new Date(event.timestamp))}
+            </td>
+            <td className="whitespace-nowrap px-6 py-2">
+              <span
+                className={clsx(
+                  'text-2xs font-medium',
+                  isError ? 'text-red-500' : 'text-emerald-500'
+                )}
+              >
+                {isError ? 'Error' : 'OK'}
+              </span>
+            </td>
+            <td className="whitespace-nowrap px-6 py-2">
+              <span
+                className={clsx(
+                  'inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium ring-1 ring-inset',
+                  eventMeta.color
+                )}
+              >
+                {eventMeta.label}
+              </span>
+            </td>
+            <td className="whitespace-nowrap px-6 py-2 text-xs text-neutral-500">
+              {event.scimToken ? (
+                <div className="flex items-center gap-1.5">
+                  <ProviderLogo name={event.scimToken.name} size="sm" />
+                  {event.scimToken.name}
+                </div>
+              ) : (
+                '-'
+              )}
+            </td>
+            <td className="whitespace-nowrap px-6 py-2 text-xs">
+              <span className="text-zinc-900 dark:text-zinc-100">{event.resourceName || '-'}</span>
+            </td>
+          </Disclosure.Button>
+          <Transition
+            as="tr"
+            enter="transition duration-100 ease-out"
+            enterFrom="transform scale-95 opacity-0"
+            enterTo="transform scale-100 opacity-100"
+            leave="transition duration-75 ease-out"
+            leaveFrom="transform scale-100 opacity-100"
+            leaveTo="transform scale-95 opacity-0"
+          >
+            <td colSpan={6}>
+              <Disclosure.Panel
+                className={clsx(
+                  'p-4 w-full space-y-4 bg-neutral-100 dark:bg-neutral-800 border-neutral-500/20 border-l -ml-px',
+                  open
+                    ? 'border-b border-l-emerald-500 border-r shadow-xl'
+                    : 'border-l-transparent'
+                )}
+              >
+                <div className="grid grid-cols-1 md:grid-cols-3 w-full gap-3 text-xs">
+                  <LogField label="Timestamp">{new Date(event.timestamp).toISOString()}</LogField>
+                  <LogField label="Event ID">{event.id}</LogField>
+                  <LogField label="IP address">{event.ipAddress || '-'}</LogField>
+                  <LogField label="Method">{event.requestMethod}</LogField>
+                  <LogField label="Path">{event.requestPath}</LogField>
+                  <LogField label="Response status">
+                    <span
+                      className={clsx(
+                        event.responseStatus >= 400 ? 'text-red-500' : 'text-emerald-500'
+                      )}
+                    >
+                      {event.responseStatus}
+                    </span>
+                  </LogField>
+                  <div className="md:col-span-3">
+                    <LogField label="User agent">
+                      <span className="font-normal truncate max-w-lg inline-block align-bottom">
+                        {event.userAgent || '-'}
+                      </span>
+                    </LogField>
+                  </div>
+                </div>
+
+                <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+                  {event.requestBody && (
+                    <div>
+                      <div className="text-neutral-500 text-2xs font-medium mb-1">Request Body</div>
+                      <JsonBlock data={event.requestBody} />
+                    </div>
+                  )}
+                  {event.responseBody && (
+                    <div>
+                      <div className="text-neutral-500 text-2xs font-medium mb-1">
+                        Response Body
+                      </div>
+                      <JsonBlock data={event.responseBody} />
+                    </div>
+                  )}
+                </div>
+              </Disclosure.Panel>
+            </td>
+          </Transition>
+        </>
+      )}
+    </Disclosure>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx b/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx
new file mode 100644
index 000000000..9c9e6cb80
--- /dev/null
+++ b/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx
@@ -0,0 +1,35 @@
+'use client'
+
+import { SCIMEventRow } from './SCIMEventRow'
+
+export function SCIMEventsTable({ events }: { events: any[] }) {
+  return (
+    <table className="table-auto min-w-full">
+      <thead>
+        <tr className="border-b border-neutral-500/20">
+          <th className="py-2 w-6"></th>
+          <th className="py-2 px-6 text-left text-2xs font-medium text-gray-500 uppercase tracking-wider">
+            Time
+          </th>
+          <th className="py-2 px-6 text-left text-2xs font-medium text-gray-500 uppercase tracking-wider">
+            Status
+          </th>
+          <th className="py-2 px-6 text-left text-2xs font-medium text-gray-500 uppercase tracking-wider">
+            Event
+          </th>
+          <th className="py-2 px-6 text-left text-2xs font-medium text-gray-500 uppercase tracking-wider">
+            Provider
+          </th>
+          <th className="py-2 px-6 text-left text-2xs font-medium text-gray-500 uppercase tracking-wider">
+            Resource
+          </th>
+        </tr>
+      </thead>
+      <tbody>
+        {events.map((event: any) => (
+          <SCIMEventRow key={event.id} event={event} />
+        ))}
+      </tbody>
+    </table>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/_components/SCIMTokenDialogs.tsx b/frontend/app/[team]/access/scim/_components/SCIMTokenDialogs.tsx
new file mode 100644
index 000000000..afdbf9748
--- /dev/null
+++ b/frontend/app/[team]/access/scim/_components/SCIMTokenDialogs.tsx
@@ -0,0 +1,176 @@
+'use client'
+
+import { useRef, useState } from 'react'
+import { useMutation } from '@apollo/client'
+import { toast } from 'react-toastify'
+import clsx from 'clsx'
+import { FaExclamationTriangle, FaPlus, FaTrash } from 'react-icons/fa'
+import { Button } from '@/components/common/Button'
+import CopyButton from '@/components/common/CopyButton'
+import GenericDialog from '@/components/common/GenericDialog'
+import { Input } from '@/components/common/Input'
+import { GetSCIMTokens } from '@/graphql/queries/scim/getSCIMTokens.gql'
+import { CreateSCIMTokenOp } from '@/graphql/mutations/scim/createSCIMToken.gql'
+import { DeleteSCIMTokenOp } from '@/graphql/mutations/scim/deleteSCIMToken.gql'
+import { EXPIRY_OPTIONS } from './shared'
+
+export function CreateSCIMTokenDialog({ organisationId }: { organisationId: string }) {
+  const [name, setName] = useState('')
+  const [expiryDays, setExpiryDays] = useState<number | null>(90)
+  const [createdToken, setCreatedToken] = useState<string | null>(null)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const [createToken, { loading }] = useMutation(CreateSCIMTokenOp, {
+    refetchQueries: [{ query: GetSCIMTokens, variables: { organisationId } }],
+  })
+
+  const handleCreate = async () => {
+    if (!name.trim()) return
+
+    try {
+      const { data } = await createToken({
+        variables: {
+          organisationId,
+          name: name.trim(),
+          expiryDays,
+        },
+      })
+      setCreatedToken(data.createScimToken.token)
+      toast.success('SCIM token created')
+    } catch (err: any) {
+      toast.error(err.message || 'Failed to create SCIM token')
+    }
+  }
+
+  const handleClose = () => {
+    setName('')
+    setExpiryDays(90)
+    setCreatedToken(null)
+  }
+
+  return (
+    <GenericDialog
+      title="Create SCIM token"
+      buttonContent={
+        <>
+          <FaPlus /> Create token
+        </>
+      }
+      buttonVariant="primary"
+      ref={dialogRef}
+      onClose={handleClose}
+    >
+      <div className="pt-4 space-y-4">
+        {createdToken ? (
+          <>
+            <div className="flex items-start gap-2 p-3 rounded-lg bg-amber-500/10 ring-1 ring-inset ring-amber-500/30 text-amber-500">
+              <FaExclamationTriangle className="shrink-0 mt-0.5" />
+              <p className="text-sm">Copy this token now. It will not be shown again.</p>
+            </div>
+            <div className="flex items-center gap-2">
+              <code className="flex-1 text-xs bg-zinc-100 dark:bg-zinc-800 rounded px-3 py-2 overflow-x-auto font-mono text-zinc-900 dark:text-zinc-100 break-all">
+                {createdToken}
+              </code>
+              <CopyButton value={createdToken} />
+            </div>
+          </>
+        ) : (
+          <>
+            <div>
+              <label className="block text-sm font-medium text-zinc-900 dark:text-zinc-100 mb-1">
+                Token name
+              </label>
+              <Input
+                value={name}
+                setValue={setName}
+                placeholder="e.g. Azure Entra ID"
+                required
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-zinc-900 dark:text-zinc-100 mb-1">
+                Expiration
+              </label>
+              <div className="flex gap-2 flex-wrap">
+                {EXPIRY_OPTIONS.map((opt) => (
+                  <button
+                    key={opt.label}
+                    type="button"
+                    onClick={() => setExpiryDays(opt.value)}
+                    className={clsx(
+                      'px-3 py-1.5 rounded-md text-xs font-medium border transition',
+                      expiryDays === opt.value
+                        ? 'border-emerald-500 bg-emerald-500/10 text-emerald-500'
+                        : 'border-zinc-500/20 text-zinc-600 dark:text-zinc-400 hover:border-zinc-500/40'
+                    )}
+                  >
+                    {opt.label}
+                  </button>
+                ))}
+              </div>
+            </div>
+            <div className="flex justify-end">
+              <Button
+                variant="primary"
+                onClick={handleCreate}
+                isLoading={loading}
+                disabled={!name.trim()}
+              >
+                Create
+              </Button>
+            </div>
+          </>
+        )}
+      </div>
+    </GenericDialog>
+  )
+}
+
+export function DeleteSCIMTokenDialog({
+  tokenId,
+  tokenName,
+  organisationId,
+}: {
+  tokenId: string
+  tokenName: string
+  organisationId: string
+}) {
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const [deleteToken, { loading }] = useMutation(DeleteSCIMTokenOp, {
+    refetchQueries: [{ query: GetSCIMTokens, variables: { organisationId } }],
+  })
+
+  const handleDelete = async () => {
+    try {
+      await deleteToken({ variables: { tokenId } })
+      toast.success('SCIM token deleted')
+      dialogRef.current?.closeModal()
+    } catch (err: any) {
+      toast.error(err.message || 'Failed to delete SCIM token')
+    }
+  }
+
+  return (
+    <GenericDialog
+      title={`Delete ${tokenName}`}
+      buttonContent={<FaTrash />}
+      buttonVariant="danger"
+      ref={dialogRef}
+    >
+      <div className="pt-4 space-y-4">
+        <p className="text-sm text-neutral-500">
+          Are you sure you want to delete the token{' '}
+          <span className="font-medium text-zinc-900 dark:text-zinc-100">{tokenName}</span>? Any
+          identity provider using this token will lose access.
+        </p>
+        <div className="flex justify-end gap-2">
+          <Button variant="danger" onClick={handleDelete} isLoading={loading}>
+            Delete
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/_components/SCIMTokensTable.tsx b/frontend/app/[team]/access/scim/_components/SCIMTokensTable.tsx
new file mode 100644
index 000000000..c85b7cd2f
--- /dev/null
+++ b/frontend/app/[team]/access/scim/_components/SCIMTokensTable.tsx
@@ -0,0 +1,128 @@
+'use client'
+
+import clsx from 'clsx'
+import { relativeTimeFromDates } from '@/utils/time'
+import { ProfileCard } from '@/components/common/ProfileCard'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { ProviderLogo } from './shared'
+import { DeleteSCIMTokenDialog } from './SCIMTokenDialogs'
+
+export function SCIMTokensTable({
+  tokens,
+  organisationId,
+  userCanManageSCIM,
+  onToggleToken,
+}: {
+  tokens: any[]
+  organisationId: string
+  userCanManageSCIM: boolean
+  onToggleToken: (tokenId: string, currentActive: boolean) => void
+}) {
+  return (
+    <table className="table-auto min-w-full divide-y divide-zinc-500/40">
+      <thead>
+        <tr>
+          <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+            Provider
+          </th>
+          <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+            Created
+          </th>
+          <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+            Expires
+          </th>
+          <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+            Last Used
+          </th>
+          <th className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+            Active
+          </th>
+          <th className="px-6 py-3"></th>
+        </tr>
+      </thead>
+      <tbody className="divide-y divide-zinc-500/20">
+        {tokens.map((token: any) => (
+          <tr key={token.id} className="group">
+            <td className="py-2">
+              <div className="flex items-center gap-3">
+                <ProviderLogo name={token.name} />
+                <div>
+                  <div className="font-medium text-sm flex items-center gap-2">
+                    {token.name}
+                    {!token.isActive && (
+                      <span className="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-neutral-500/10 text-neutral-500 ring-1 ring-inset ring-neutral-500/20">
+                        Disabled
+                      </span>
+                    )}
+                  </div>
+                  <code className="text-2xs text-neutral-500 font-mono">{token.id}</code>
+                </div>
+              </div>
+            </td>
+            <td className="px-6 py-2">
+              <div className="space-y-1">
+                <div className="text-2xs text-neutral-500">
+                  {relativeTimeFromDates(new Date(token.createdAt))}
+                  {token.createdBy && ' by'}
+                </div>
+                {token.createdBy && (
+                  <ProfileCard
+                    user={{
+                      name: token.createdBy.fullName,
+                      email: token.createdBy.email,
+                      image: token.createdBy.avatarUrl,
+                    }}
+                    size="sm"
+                  />
+                )}
+              </div>
+            </td>
+            <td className="px-6 py-2 text-sm">
+              {token.expiresAt ? (
+                <span
+                  className={clsx(
+                    'text-2xs',
+                    new Date(token.expiresAt) < new Date() ? 'text-red-400' : 'text-neutral-500'
+                  )}
+                >
+                  {new Date(token.expiresAt) < new Date()
+                    ? 'Expired'
+                    : relativeTimeFromDates(new Date(token.expiresAt))}
+                </span>
+              ) : (
+                <span className="text-2xs text-neutral-500">Never</span>
+              )}
+            </td>
+            <td className="px-6 py-2">
+              <span className="text-2xs text-neutral-500">
+                {token.lastUsedAt
+                  ? relativeTimeFromDates(new Date(token.lastUsedAt))
+                  : 'Never'}
+              </span>
+            </td>
+            <td className="px-6 py-2">
+              {userCanManageSCIM && (
+                <ToggleSwitch
+                  value={token.isActive}
+                  onToggle={() => onToggleToken(token.id, token.isActive)}
+                  size="sm"
+                />
+              )}
+            </td>
+            <td className="px-6 py-2 text-right">
+              {userCanManageSCIM && (
+                <div className="opacity-0 group-hover:opacity-100 transition ease">
+                  <DeleteSCIMTokenDialog
+                    tokenId={token.id}
+                    tokenName={token.name}
+                    organisationId={organisationId}
+                  />
+                </div>
+              )}
+            </td>
+          </tr>
+        ))}
+      </tbody>
+    </table>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/_components/shared.tsx b/frontend/app/[team]/access/scim/_components/shared.tsx
new file mode 100644
index 000000000..b2a1d7c9f
--- /dev/null
+++ b/frontend/app/[team]/access/scim/_components/shared.tsx
@@ -0,0 +1,99 @@
+'use client'
+
+import React from 'react'
+import { FaKey } from 'react-icons/fa'
+import { EntraIDLogo, OktaLogo, JumpCloudLogo } from '@/components/common/logos'
+
+export const PROVIDER_PATTERNS: {
+  keywords: string[]
+  logo: React.FC<{ className?: string }>
+  label: string
+}[] = [
+  { keywords: ['entra', 'azure', 'microsoft'], logo: EntraIDLogo, label: 'Microsoft Entra ID' },
+  { keywords: ['okta'], logo: OktaLogo, label: 'Okta' },
+  { keywords: ['jumpcloud'], logo: JumpCloudLogo, label: 'JumpCloud' },
+]
+
+const logoSizeMap = {
+  sm: 'h-4 w-4',
+  md: 'h-5 w-5',
+}
+
+export function getProviderIcon(name: string): React.FC<{ className?: string }> {
+  const lower = name.toLowerCase()
+  const match = PROVIDER_PATTERNS.find((p) => p.keywords.some((k) => lower.includes(k)))
+  return match ? match.logo : FaKey
+}
+
+export function ProviderLogo({ name, size = 'md' }: { name: string; size?: 'sm' | 'md' }) {
+  const lower = name.toLowerCase()
+  const match = PROVIDER_PATTERNS.find((p) => p.keywords.some((k) => lower.includes(k)))
+  const sizeClass = logoSizeMap[size]
+  if (match) {
+    const Logo = match.logo
+    return <Logo className={`${sizeClass} shrink-0`} />
+  }
+  return <FaKey className={`${sizeClass} text-neutral-400 shrink-0`} />
+}
+
+export const EXPIRY_OPTIONS = [
+  { label: '30 days', value: 30 },
+  { label: '90 days', value: 90 },
+  { label: '1 year', value: 365 },
+  { label: 'No expiration', value: null },
+]
+
+export const EVENT_TYPE_LABELS: Record<string, { label: string; color: string }> = {
+  USER_CREATED: {
+    label: 'User Created',
+    color: 'text-emerald-500 bg-emerald-500/10 ring-emerald-500/20',
+  },
+  USER_UPDATED: { label: 'User Updated', color: 'text-blue-500 bg-blue-500/10 ring-blue-500/20' },
+  USER_DEACTIVATED: {
+    label: 'User Deactivated',
+    color: 'text-red-500 bg-red-500/10 ring-red-500/20',
+  },
+  USER_REACTIVATED: {
+    label: 'User Reactivated',
+    color: 'text-emerald-500 bg-emerald-500/10 ring-emerald-500/20',
+  },
+  GROUP_CREATED: {
+    label: 'Group Created',
+    color: 'text-emerald-500 bg-emerald-500/10 ring-emerald-500/20',
+  },
+  GROUP_UPDATED: {
+    label: 'Group Updated',
+    color: 'text-blue-500 bg-blue-500/10 ring-blue-500/20',
+  },
+  GROUP_DELETED: {
+    label: 'Group Deleted',
+    color: 'text-red-500 bg-red-500/10 ring-red-500/20',
+  },
+  MEMBER_ADDED: {
+    label: 'Member Added',
+    color: 'text-emerald-500 bg-emerald-500/10 ring-emerald-500/20',
+  },
+  MEMBER_REMOVED: {
+    label: 'Member Removed',
+    color: 'text-red-500 bg-red-500/10 ring-red-500/20',
+  },
+}
+
+export function LogField({ label, children }: { label: string; children: React.ReactNode }) {
+  return (
+    <div className="flex items-center gap-2 text-xs">
+      <span className="text-neutral-500 font-medium">{label}: </span>
+      <span className="font-medium font-mono">{children}</span>
+    </div>
+  )
+}
+
+export function JsonBlock({ data }: { data: any }) {
+  if (!data) return null
+  const parsed = typeof data === 'string' ? JSON.parse(data) : data
+  return (
+    <pre className="mt-1 text-2xs font-mono bg-zinc-100 dark:bg-zinc-900 rounded p-3 overflow-auto max-h-64 whitespace-pre-wrap break-words text-zinc-800 dark:text-zinc-200">
+      {JSON.stringify(parsed, null, 2)}
+    </pre>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/connections/page.tsx b/frontend/app/[team]/access/scim/connections/page.tsx
new file mode 100644
index 000000000..863ba8869
--- /dev/null
+++ b/frontend/app/[team]/access/scim/connections/page.tsx
@@ -0,0 +1,113 @@
+'use client'
+
+import { useContext } from 'react'
+import { useMutation, useQuery } from '@apollo/client'
+import { toast } from 'react-toastify'
+import { FaBan, FaKey } from 'react-icons/fa'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetSCIMTokens } from '@/graphql/queries/scim/getSCIMTokens.gql'
+import { ToggleSCIMTokenOp } from '@/graphql/mutations/scim/toggleSCIMToken.gql'
+import { userHasPermission } from '@/utils/access/permissions'
+import Spinner from '@/components/common/Spinner'
+import { EmptyState } from '@/components/common/EmptyState'
+import { CreateSCIMTokenDialog } from '../_components/SCIMTokenDialogs'
+import { SCIMTokensTable } from '../_components/SCIMTokensTable'
+
+export default function SCIMConnectionsPage({ params }: { params: { team: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const userCanManageSCIM = organisation
+    ? userHasPermission(organisation.role!.permissions, 'SCIM', 'update')
+    : false
+
+  const userCanReadSCIM = organisation
+    ? userHasPermission(organisation.role!.permissions, 'SCIM', 'read')
+    : false
+
+  const { data, loading } = useQuery(GetSCIMTokens, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadSCIM,
+  })
+
+  const [toggleSCIMToken] = useMutation(ToggleSCIMTokenOp, {
+    refetchQueries: [{ query: GetSCIMTokens, variables: { organisationId: organisation?.id } }],
+  })
+
+  const tokens = data?.scimTokens || []
+
+  const handleToggleToken = async (tokenId: string, currentActive: boolean) => {
+    try {
+      await toggleSCIMToken({
+        variables: { tokenId, isActive: !currentActive },
+      })
+      toast.success(currentActive ? 'Token disabled' : 'Token enabled')
+    } catch (err: any) {
+      toast.error(err.message || 'Failed to toggle token')
+    }
+  }
+
+  if (!organisation)
+    return (
+      <div className="flex items-center justify-center p-10">
+        <Spinner size="md" />
+      </div>
+    )
+
+  if (!userCanReadSCIM)
+    return (
+      <section className="px-3 sm:px-4 lg:px-6">
+        <EmptyState
+          title="Access restricted"
+          subtitle="You don't have the permissions required to manage SCIM provisioning."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+              <FaBan />
+            </div>
+          }
+        >
+          <></>
+        </EmptyState>
+      </section>
+    )
+
+  return (
+    <section className="px-3 sm:px-4 lg:px-6">
+      <div className="w-full space-y-6 text-zinc-900 dark:text-zinc-100">
+        <div className="flex items-center justify-between">
+          <div>
+            <h2 className="text-base font-medium">Provider Connections</h2>
+            <p className="text-neutral-500 text-sm">
+              Manage SCIM tokens for identity provider connections.
+            </p>
+          </div>
+          {userCanManageSCIM && <CreateSCIMTokenDialog organisationId={organisation.id} />}
+        </div>
+
+        {loading && !data ? (
+          <div className="flex items-center justify-center p-10">
+            <Spinner size="md" />
+          </div>
+        ) : tokens.length === 0 ? (
+          <EmptyState
+            title="No provider connections"
+            subtitle="Create a token to connect your identity provider."
+            graphic={
+              <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                <FaKey />
+              </div>
+            }
+          >
+            {userCanManageSCIM && <CreateSCIMTokenDialog organisationId={organisation.id} />}
+          </EmptyState>
+        ) : (
+          <SCIMTokensTable
+            tokens={tokens}
+            organisationId={organisation.id}
+            userCanManageSCIM={userCanManageSCIM}
+            onToggleToken={handleToggleToken}
+          />
+        )}
+      </div>
+    </section>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/layout.tsx b/frontend/app/[team]/access/scim/layout.tsx
new file mode 100644
index 000000000..9d498b294
--- /dev/null
+++ b/frontend/app/[team]/access/scim/layout.tsx
@@ -0,0 +1,47 @@
+'use client'
+
+import Link from 'next/link'
+import { usePathname } from 'next/navigation'
+import clsx from 'clsx'
+
+const tabs = [
+  { name: 'Home', segment: '' },
+  { name: 'Connections', segment: 'connections' },
+  { name: 'Logs', segment: 'logs' },
+]
+
+export default function SCIMLayout({ children, params }: { children: React.ReactNode; params: { team: string } }) {
+  const pathname = usePathname()
+  // pathname: /<team>/access/scim or /<team>/access/scim/connections or /<team>/access/scim/logs
+  const segments = pathname?.split('/') || []
+  // segments[4] is the sub-segment after "scim"
+  const activeSegment = segments[4] || ''
+
+  return (
+    <div className="w-full">
+      <nav className="flex gap-2 border-b border-neutral-500/20 px-3 sm:px-4 lg:px-6 mb-4">
+        {tabs.map((tab) => {
+          const isActive = activeSegment === tab.segment
+          const href = tab.segment
+            ? `/${params.team}/access/scim/${tab.segment}`
+            : `/${params.team}/access/scim`
+          return (
+            <Link
+              key={tab.name}
+              href={href}
+              className={clsx(
+                'p-2 text-xs font-medium border-b -mb-px focus:outline-none transition ease',
+                isActive
+                  ? 'border-emerald-500 font-semibold text-zinc-900 dark:text-zinc-100'
+                  : 'border-transparent text-zinc-600 dark:text-zinc-400 hover:text-zinc-900 dark:hover:text-zinc-100'
+              )}
+            >
+              {tab.name}
+            </Link>
+          )
+        })}
+      </nav>
+      {children}
+    </div>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/logs/page.tsx b/frontend/app/[team]/access/scim/logs/page.tsx
new file mode 100644
index 000000000..d1280ef3e
--- /dev/null
+++ b/frontend/app/[team]/access/scim/logs/page.tsx
@@ -0,0 +1,327 @@
+'use client'
+
+import { Fragment, useContext, useState } from 'react'
+import { NetworkStatus, useQuery } from '@apollo/client'
+import { FaBan, FaCheckCircle, FaCircle, FaFilter } from 'react-icons/fa'
+import { FiRefreshCw, FiChevronsDown } from 'react-icons/fi'
+import { FaArrowRotateLeft } from 'react-icons/fa6'
+import { Menu, Transition } from '@headlessui/react'
+import clsx from 'clsx'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetSCIMEvents } from '@/graphql/queries/scim/getSCIMEvents.gql'
+import { GetSCIMTokens } from '@/graphql/queries/scim/getSCIMTokens.gql'
+import { userHasPermission } from '@/utils/access/permissions'
+import { dateToUnixTimestamp } from '@/utils/time'
+import Spinner from '@/components/common/Spinner'
+import { EmptyState } from '@/components/common/EmptyState'
+import { Button } from '@/components/common/Button'
+import { SCIMEventsTable } from '../_components/SCIMEventsTable'
+import { EVENT_TYPE_LABELS, getProviderIcon } from '../_components/shared'
+
+const PAGE_SIZE = 25
+
+const STATUS_OPTIONS = [
+  { code: 'SUCCESS', label: 'Success', color: 'emerald' },
+  { code: 'ERROR', label: 'Error', color: 'red' },
+] as const
+
+const filterCategoryTitleStyle =
+  'text-[11px] font-semibold text-neutral-500 tracking-widest uppercase'
+
+export default function SCIMLogsPage({ params }: { params: { team: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const [eventTypes, setEventTypes] = useState<string[]>([])
+  const [selectedTokenId, setSelectedTokenId] = useState<string | null>(null)
+  const [selectedStatus, setSelectedStatus] = useState<string | null>(null)
+
+  const userCanReadSCIM = organisation
+    ? userHasPermission(organisation.role!.permissions, 'SCIM', 'read')
+    : false
+
+  const { data: tokensData } = useQuery(GetSCIMTokens, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadSCIM,
+  })
+
+  const { data, loading, fetchMore, refetch, networkStatus } = useQuery(GetSCIMEvents, {
+    variables: {
+      organisationId: organisation?.id,
+      eventTypes: eventTypes.length > 0 ? eventTypes : undefined,
+      tokenId: selectedTokenId || undefined,
+      status: selectedStatus || undefined,
+    },
+    skip: !organisation || !userCanReadSCIM,
+    fetchPolicy: 'network-only',
+    notifyOnNetworkStatusChange: true,
+  })
+
+  const isRefetching = networkStatus === NetworkStatus.refetch || loading
+  const isFetchingMore = networkStatus === NetworkStatus.fetchMore
+
+  const tokens = tokensData?.scimTokens || []
+  const events = data?.scimEvents?.events || []
+  const totalCount = data?.scimEvents?.count || 0
+  const endOfList = events.length >= totalCount
+
+  const hasActiveFilters =
+    eventTypes.length > 0 || selectedTokenId !== null || selectedStatus !== null
+
+  const clearFilters = () => {
+    setEventTypes([])
+    setSelectedTokenId(null)
+    setSelectedStatus(null)
+  }
+
+  const getLastEventTimestamp = () =>
+    events.length > 0 ? dateToUnixTimestamp(events[events.length - 1].timestamp) : Date.now()
+
+  const loadMore = () => {
+    if (loading || isFetchingMore) return
+
+    const lastTs = getLastEventTimestamp()
+
+    fetchMore({
+      variables: { end: lastTs },
+      updateQuery: (prev: any, { fetchMoreResult }: any) => {
+        if (!fetchMoreResult?.scimEvents?.events?.length) {
+          return prev
+        }
+
+        return {
+          ...prev,
+          scimEvents: {
+            ...prev.scimEvents,
+            events: [...prev.scimEvents.events, ...fetchMoreResult.scimEvents.events],
+            count: prev.scimEvents.count,
+          },
+        }
+      },
+    })
+  }
+
+  const handleRefetch = async () => {
+    await refetch({
+      organisationId: organisation?.id,
+      eventTypes: eventTypes.length > 0 ? eventTypes : undefined,
+      tokenId: selectedTokenId || undefined,
+      status: selectedStatus || undefined,
+    })
+  }
+
+  if (!organisation)
+    return (
+      <div className="flex items-center justify-center p-10">
+        <Spinner size="md" />
+      </div>
+    )
+
+  if (!userCanReadSCIM)
+    return (
+      <section className="px-3 sm:px-4 lg:px-6">
+        <EmptyState
+          title="Access restricted"
+          subtitle="You don't have the permissions required to view SCIM logs."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+              <FaBan />
+            </div>
+          }
+        >
+          <></>
+        </EmptyState>
+      </section>
+    )
+
+  return (
+    <section className="px-3 sm:px-4 lg:px-6">
+      <div className="w-full space-y-4 text-zinc-900 dark:text-zinc-100">
+        <div className="flex items-center justify-between">
+          <div>
+            <h2 className="text-base font-medium">Provisioning Logs</h2>
+            <p className="text-neutral-500 text-sm">{totalCount} Events</p>
+          </div>
+
+          <div className="flex items-center gap-2">
+            {/* Filter popover */}
+            <Menu as="div" className="relative inline-block text-left">
+              {({ open }) => (
+                <>
+                  <div className="relative">
+                    <Menu.Button as={Fragment}>
+                      <div className="relative">
+                        <Button variant="secondary" title="Filter logs">
+                          <FaFilter /> Filter
+                        </Button>
+                        {hasActiveFilters && (
+                          <span className="absolute -top-0 -right-0 h-2 w-2 rounded-full bg-emerald-500" />
+                        )}
+                      </div>
+                    </Menu.Button>
+                  </div>
+
+                  <Transition
+                    as={Fragment}
+                    enter="transition duration-100 ease-out"
+                    enterFrom="transform scale-95 opacity-0"
+                    enterTo="transform scale-100 opacity-100"
+                    leave="transition duration-75 ease-out"
+                    leaveFrom="transform scale-100 opacity-100"
+                    leaveTo="transform scale-95 opacity-0"
+                  >
+                    <Menu.Items
+                      static
+                      className="absolute right-0 mt-2 z-30 w-96 p-4 rounded-md shadow-xl bg-neutral-300/50 dark:bg-neutral-900/60 backdrop-blur-lg ring-1 ring-neutral-500/20 space-y-6"
+                    >
+                      {/* Status */}
+                      <div className="space-y-2">
+                        <div className={filterCategoryTitleStyle}>Status</div>
+                        <div className="flex flex-wrap gap-2">
+                          {STATUS_OPTIONS.map((opt) => (
+                            <Button
+                              key={opt.code}
+                              type="button"
+                              variant={selectedStatus === opt.code ? 'primary' : 'secondary'}
+                              onClick={() =>
+                                setSelectedStatus((prev) =>
+                                  prev === opt.code ? null : opt.code
+                                )
+                              }
+                            >
+                              <span
+                                className={clsx(
+                                  'text-2xs',
+                                  {
+                                    emerald: 'text-emerald-500',
+                                    red: 'text-red-500',
+                                  }[opt.color]
+                                )}
+                              >
+                                {selectedStatus === opt.code ? (
+                                  <FaCheckCircle />
+                                ) : (
+                                  <FaCircle />
+                                )}
+                              </span>{' '}
+                              <span className="text-xs">{opt.label}</span>
+                            </Button>
+                          ))}
+                        </div>
+                      </div>
+
+                      {/* Event types */}
+                      <div className="space-y-2">
+                        <div className={filterCategoryTitleStyle}>Event Type</div>
+                        <div className="flex flex-wrap gap-2">
+                          {Object.entries(EVENT_TYPE_LABELS).map(([key, meta]) => (
+                            <Button
+                              key={key}
+                              type="button"
+                              variant={eventTypes.includes(key) ? 'primary' : 'secondary'}
+                              onClick={() =>
+                                setEventTypes((prev) =>
+                                  prev.includes(key)
+                                    ? prev.filter((t) => t !== key)
+                                    : [...prev, key]
+                                )
+                              }
+                            >
+                              <span
+                                className={clsx(
+                                  'text-2xs',
+                                  meta.color.split(' ')[0] // e.g. "text-emerald-500"
+                                )}
+                              >
+                                {eventTypes.includes(key) ? <FaCheckCircle /> : <FaCircle />}
+                              </span>{' '}
+                              <span className="text-xs">{meta.label}</span>
+                            </Button>
+                          ))}
+                        </div>
+                      </div>
+
+                      {/* Provider */}
+                      {tokens.length > 0 && (
+                        <div className="space-y-2">
+                          <div className={filterCategoryTitleStyle}>Provider</div>
+                          <div className="flex flex-wrap gap-2">
+                            {tokens.map((token: any) => (
+                              <Button
+                                key={token.id}
+                                type="button"
+                                variant={
+                                  selectedTokenId === token.id ? 'primary' : 'secondary'
+                                }
+                                icon={getProviderIcon(token.name)}
+                                onClick={() =>
+                                  setSelectedTokenId((prev) =>
+                                    prev === token.id ? null : token.id
+                                  )
+                                }
+                              >
+                                <span className="text-xs">{token.name}</span>
+                              </Button>
+                            ))}
+                          </div>
+                        </div>
+                      )}
+
+                      <div className="flex justify-end pt-2">
+                        <Button
+                          variant="outline"
+                          disabled={!hasActiveFilters}
+                          onClick={clearFilters}
+                        >
+                          <FaArrowRotateLeft /> Reset filter
+                        </Button>
+                      </div>
+                    </Menu.Items>
+                  </Transition>
+                </>
+              )}
+            </Menu>
+
+            {/* Refresh */}
+            <Button variant="secondary" onClick={handleRefetch} disabled={isRefetching}>
+              <FiRefreshCw
+                size={20}
+                className={clsx('mr-1', isRefetching ? 'animate-spin' : '')}
+              />{' '}
+              Refresh
+            </Button>
+          </div>
+        </div>
+
+        {loading && events.length === 0 ? (
+          <div className="flex items-center justify-center p-10">
+            <Spinner size="md" />
+          </div>
+        ) : events.length === 0 ? (
+          <div className="text-center py-8 text-neutral-500 text-sm">
+            No provisioning events found.
+          </div>
+        ) : (
+          <>
+            <SCIMEventsTable events={events} />
+
+            <div className="flex justify-center px-6 py-4 text-neutral-500 font-medium">
+              {!endOfList ? (
+                <Button
+                  variant="secondary"
+                  onClick={loadMore}
+                  disabled={isFetchingMore || endOfList}
+                >
+                  <FiChevronsDown /> Load more
+                </Button>
+              ) : (
+                <span className="text-sm">
+                  {events.length ? 'No more' : 'No'} events to show
+                </span>
+              )}
+            </div>
+          </>
+        )}
+      </div>
+    </section>
+  )
+}
diff --git a/frontend/app/[team]/access/scim/page.tsx b/frontend/app/[team]/access/scim/page.tsx
new file mode 100644
index 000000000..03a5dfeb4
--- /dev/null
+++ b/frontend/app/[team]/access/scim/page.tsx
@@ -0,0 +1,260 @@
+'use client'
+
+import { useContext } from 'react'
+import { useMutation, useQuery } from '@apollo/client'
+import { toast } from 'react-toastify'
+import Link from 'next/link'
+import { FaBan, FaChevronRight, FaKey } from 'react-icons/fa'
+import CopyButton from '@/components/common/CopyButton'
+import { EmptyState } from '@/components/common/EmptyState'
+import Spinner from '@/components/common/Spinner'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { organisationContext } from '@/contexts/organisationContext'
+import { GetSCIMTokens } from '@/graphql/queries/scim/getSCIMTokens.gql'
+import { GetSCIMEvents } from '@/graphql/queries/scim/getSCIMEvents.gql'
+import GetOrganisations from '@/graphql/queries/getOrganisations.gql'
+import { ToggleSCIMOp } from '@/graphql/mutations/scim/toggleSCIM.gql'
+import { ToggleSCIMTokenOp } from '@/graphql/mutations/scim/toggleSCIMToken.gql'
+import { userHasPermission } from '@/utils/access/permissions'
+import { CreateSCIMTokenDialog } from './_components/SCIMTokenDialogs'
+import { SCIMTokensTable } from './_components/SCIMTokensTable'
+import { SCIMEventsTable } from './_components/SCIMEventsTable'
+
+export default function SCIMPage({ params }: { params: { team: string } }) {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const userCanManageSCIM = organisation
+    ? userHasPermission(organisation.role!.permissions, 'SCIM', 'update')
+    : false
+
+  const userCanReadSCIM = organisation
+    ? userHasPermission(organisation.role!.permissions, 'SCIM', 'read')
+    : false
+
+  const { data, loading } = useQuery(GetSCIMTokens, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadSCIM,
+  })
+
+  const { data: eventsData, loading: eventsLoading } = useQuery(GetSCIMEvents, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadSCIM,
+    pollInterval: 10000,
+  })
+
+  const [toggleSCIM] = useMutation(ToggleSCIMOp, {
+    refetchQueries: [{ query: GetOrganisations }],
+  })
+
+  const [toggleSCIMToken] = useMutation(ToggleSCIMTokenOp, {
+    refetchQueries: [{ query: GetSCIMTokens, variables: { organisationId: organisation?.id } }],
+  })
+
+  const tokens = data?.scimTokens || []
+  const previewTokens = tokens.slice(0, 3)
+  const allEvents = eventsData?.scimEvents?.events || []
+  const previewEvents = allEvents.slice(0, 10)
+  const totalEvents = eventsData?.scimEvents?.count || 0
+  const scimEnabled = organisation?.scimEnabled ?? false
+
+  const handleToggleSCIM = async () => {
+    try {
+      await toggleSCIM({
+        variables: {
+          organisationId: organisation!.id,
+          enabled: !scimEnabled,
+        },
+      })
+      toast.success(scimEnabled ? 'SCIM disabled' : 'SCIM enabled')
+    } catch (err: any) {
+      toast.error(err.message || 'Failed to toggle SCIM')
+    }
+  }
+
+  const handleToggleToken = async (tokenId: string, currentActive: boolean) => {
+    try {
+      await toggleSCIMToken({
+        variables: { tokenId, isActive: !currentActive },
+      })
+      toast.success(currentActive ? 'Token disabled' : 'Token enabled')
+    } catch (err: any) {
+      toast.error(err.message || 'Failed to toggle token')
+    }
+  }
+
+  if (!organisation)
+    return (
+      <div className="flex items-center justify-center p-10">
+        <Spinner size="md" />
+      </div>
+    )
+
+  if (!userCanReadSCIM)
+    return (
+      <section className="px-3 sm:px-4 lg:px-6">
+        <EmptyState
+          title="Access restricted"
+          subtitle="You don't have the permissions required to manage SCIM provisioning."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+              <FaBan />
+            </div>
+          }
+        >
+          <></>
+        </EmptyState>
+      </section>
+    )
+
+  return (
+    <section className="px-3 sm:px-4 lg:px-6">
+      <div className="w-full space-y-6 text-zinc-900 dark:text-zinc-100">
+        <div>
+          <h2 className="text-base font-medium">SCIM Provisioning</h2>
+          <p className="text-neutral-500 text-sm">
+            Manage SCIM tokens for automatic user and group provisioning from your identity
+            provider.
+          </p>
+        </div>
+
+        {/* Master Toggle */}
+        <div className="flex items-center justify-between px-3 py-2 rounded-lg bg-zinc-100 dark:bg-zinc-800">
+          <div>
+            <div className="text-sm font-medium">Enable SCIM</div>
+            <div className="text-neutral-500 text-xs">
+              {scimEnabled
+                ? 'SCIM is enabled. Identity providers can sync users and groups.'
+                : 'Enable SCIM to allow identity providers to sync users and groups.'}
+            </div>
+          </div>
+          {userCanManageSCIM && (
+            <ToggleSwitch value={scimEnabled} onToggle={handleToggleSCIM} />
+          )}
+        </div>
+
+        {scimEnabled && (
+          <>
+            {/* SCIM Base URL */}
+            <div className="flex items-center gap-3 px-3 py-2 rounded-lg bg-zinc-100 dark:bg-zinc-800">
+              <div className="flex-1 min-w-0">
+                <div className="text-xs text-neutral-500 mb-0.5">SCIM Base URL</div>
+                <code className="text-sm font-mono text-zinc-900 dark:text-zinc-100">
+                  {typeof window !== 'undefined'
+                    ? `${window.location.origin}/service/scim/v2/`
+                    : '/service/scim/v2/'}
+                </code>
+              </div>
+              <CopyButton
+                value={
+                  typeof window !== 'undefined'
+                    ? `${window.location.origin}/service/scim/v2/`
+                    : '/service/scim/v2/'
+                }
+              />
+            </div>
+
+            {/* Provider Connections Preview */}
+            <div className="space-y-4">
+              <div className="flex items-center justify-between">
+                <div>
+                  <div className="text-sm font-medium">Provider Connections</div>
+                  <div className="text-neutral-500 text-xs">
+                    Identity provider connections via SCIM tokens.
+                  </div>
+                </div>
+                <div className="flex items-center gap-3">
+                  {userCanManageSCIM && (
+                    <CreateSCIMTokenDialog organisationId={organisation.id} />
+                  )}
+                </div>
+              </div>
+
+              {loading && !data ? (
+                <div className="flex items-center justify-center p-10">
+                  <Spinner size="md" />
+                </div>
+              ) : tokens.length === 0 ? (
+                <EmptyState
+                  title="No provider connections"
+                  subtitle="Create a token to connect your identity provider."
+                  graphic={
+                    <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                      <FaKey />
+                    </div>
+                  }
+                >
+                  {userCanManageSCIM && (
+                    <CreateSCIMTokenDialog organisationId={organisation.id} />
+                  )}
+                </EmptyState>
+              ) : (
+                <>
+                  <SCIMTokensTable
+                    tokens={previewTokens}
+                    organisationId={organisation.id}
+                    userCanManageSCIM={userCanManageSCIM}
+                    onToggleToken={handleToggleToken}
+                  />
+                  {tokens.length > 3 && (
+                    <Link
+                      href={`/${params.team}/access/scim/connections`}
+                      className="flex items-center justify-center gap-1.5 text-xs text-neutral-500 hover:text-zinc-900 dark:hover:text-zinc-100 transition py-2"
+                    >
+                      View all {tokens.length} connections
+                      <FaChevronRight className="text-2xs" />
+                    </Link>
+                  )}
+                </>
+              )}
+            </div>
+
+            {/* Provisioning Logs Preview */}
+            <div className="space-y-4">
+              <div className="flex items-center justify-between">
+                <div>
+                  <div className="text-sm font-medium">Provisioning Logs</div>
+                  <div className="text-neutral-500 text-xs">
+                    Recent SCIM provisioning activity from your identity providers.
+                  </div>
+                </div>
+                {allEvents.length > 0 && (
+                  <Link
+                    href={`/${params.team}/access/scim/logs`}
+                    className="flex items-center gap-1.5 text-xs text-neutral-500 hover:text-zinc-900 dark:hover:text-zinc-100 transition"
+                  >
+                    View all
+                    <FaChevronRight className="text-2xs" />
+                  </Link>
+                )}
+              </div>
+
+              {eventsLoading && allEvents.length === 0 ? (
+                <div className="flex items-center justify-center p-10">
+                  <Spinner size="md" />
+                </div>
+              ) : allEvents.length === 0 ? (
+                <div className="text-center py-8 text-neutral-500 text-sm">
+                  No provisioning events yet. Events will appear here when your identity provider
+                  syncs users or groups.
+                </div>
+              ) : (
+                <>
+                  <SCIMEventsTable events={previewEvents} />
+                  {totalEvents > 10 && (
+                    <Link
+                      href={`/${params.team}/access/scim/logs`}
+                      className="flex items-center justify-center gap-1.5 text-xs text-neutral-500 hover:text-zinc-900 dark:hover:text-zinc-100 transition py-2"
+                    >
+                      View all {totalEvents} events
+                      <FaChevronRight className="text-2xs" />
+                    </Link>
+                  )}
+                </>
+              )}
+            </div>
+          </>
+        )}
+      </div>
+    </section>
+  )
+}

From fdae663efa70c5c9d8477673e7e1ee75c8422286 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 17:31:55 +0530
Subject: [PATCH 050/118] feat: add account-init redirect for SCIM-provisioned
 users without keyring

---
 frontend/app/[team]/account-init/page.tsx | 285 ++++++++++++++++++++++
 frontend/app/[team]/layout.tsx            |  44 +++-
 2 files changed, 322 insertions(+), 7 deletions(-)
 create mode 100644 frontend/app/[team]/account-init/page.tsx

diff --git a/frontend/app/[team]/account-init/page.tsx b/frontend/app/[team]/account-init/page.tsx
new file mode 100644
index 000000000..e6ca3c558
--- /dev/null
+++ b/frontend/app/[team]/account-init/page.tsx
@@ -0,0 +1,285 @@
+'use client'
+
+import { HeroPattern } from '@/components/common/HeroPattern'
+import { Button } from '@/components/common/Button'
+import { Step, Stepper } from '@/components/onboarding/Stepper'
+import { AccountPassword } from '@/components/onboarding/AccountPassword'
+import { AccountRecovery } from '@/components/onboarding/AccountRecovery'
+import { LogoMark } from '@/components/common/LogoMark'
+import { organisationContext } from '@/contexts/organisationContext'
+import { useContext, useEffect, useState } from 'react'
+import { useSession } from 'next-auth/react'
+import { useRouter } from 'next/navigation'
+import { useMutation } from '@apollo/client'
+import { MdKey, MdOutlinePassword } from 'react-icons/md'
+import { FaArrowRight } from 'react-icons/fa'
+import { toast } from 'react-toastify'
+import { setDevicePassword } from '@/utils/localStorage'
+import { copyRecoveryKit, generateRecoveryPdf } from '@/utils/recovery'
+import {
+  organisationSeed,
+  organisationKeyring,
+  deviceVaultKey,
+  encryptAccountKeyring,
+  encryptAccountRecovery,
+} from '@/utils/crypto'
+import { InitAccountKeys } from '@/graphql/mutations/organisation/initAccountKeys.gql'
+import GetOrganisations from '@/graphql/queries/getOrganisations.gql'
+
+const bip39 = require('bip39')
+
+export default function AccountInit() {
+  const { activeOrganisation } = useContext(organisationContext)
+  const { data: session } = useSession()
+  const router = useRouter()
+
+  const [initAccountKeys, { loading: mutationLoading }] = useMutation(InitAccountKeys)
+
+  const [step, setStep] = useState(0)
+  const [pw, setPw] = useState('')
+  const [pw2, setPw2] = useState('')
+  const [savePassword, setSavePassword] = useState(true)
+  const [mnemonic, setMnemonic] = useState('')
+  const [recoveryDownloaded, setRecoveryDownloaded] = useState(false)
+  const [isLoading, setIsLoading] = useState(false)
+  const [success, setSuccess] = useState(false)
+
+  useEffect(() => {
+    setMnemonic(bip39.generateMnemonic(256))
+  }, [])
+
+  // If the user already has a keyring, redirect them away
+  useEffect(() => {
+    if (activeOrganisation && activeOrganisation.keyring) {
+      router.push(`/${activeOrganisation.name}`)
+    }
+  }, [activeOrganisation, router])
+
+  const steps: Step[] = [
+    {
+      index: 0,
+      name: 'Sudo Password',
+      icon: <MdOutlinePassword />,
+      title: 'Set a sudo password',
+      description:
+        'This will be used to encrypt your account keys. You may need to enter this password to unlock your workspace when logging in.',
+    },
+    {
+      index: 1,
+      name: 'Account recovery',
+      icon: <MdKey />,
+      title: 'Account Recovery',
+      description:
+        'If you forget your sudo password, you will need to use a recovery kit to regain access to your account.',
+    },
+  ]
+
+  const computeAccountKeys = () => {
+    return new Promise<{ publicKey: string; encryptedKeyring: string; encryptedMnemonic: string }>(
+      (resolve) => {
+        setTimeout(async () => {
+          const accountSeed = await organisationSeed(mnemonic, activeOrganisation!.id)
+          const accountKeyRing = await organisationKeyring(accountSeed)
+          const deviceKey = await deviceVaultKey(pw, session?.user?.email!)
+          const encryptedKeyring = await encryptAccountKeyring(accountKeyRing, deviceKey)
+          const encryptedMnemonic = await encryptAccountRecovery(mnemonic, deviceKey)
+
+          resolve({
+            publicKey: accountKeyRing.publicKey,
+            encryptedKeyring,
+            encryptedMnemonic,
+          })
+        }, 1000)
+      }
+    )
+  }
+
+  const handleAccountInit = async () => {
+    return new Promise<boolean>(async (resolve, reject) => {
+      setIsLoading(true)
+      try {
+        const { publicKey, encryptedKeyring, encryptedMnemonic } = await computeAccountKeys()
+
+        const { data } = await initAccountKeys({
+          variables: {
+            orgId: activeOrganisation!.id,
+            identityKey: publicKey,
+            wrappedKeyring: encryptedKeyring,
+            wrappedRecovery: encryptedMnemonic,
+          },
+          refetchQueries: [{ query: GetOrganisations }],
+        })
+
+        const memberId = data?.updateMemberWrappedSecrets?.orgMember?.id
+        if (memberId && savePassword) {
+          setDevicePassword(memberId, pw)
+        }
+
+        setIsLoading(false)
+        setSuccess(true)
+        resolve(true)
+      } catch (e) {
+        setIsLoading(false)
+        reject(e)
+      }
+    })
+  }
+
+  const validateCurrentStep = () => {
+    if (step === 0) {
+      if (pw !== pw2) {
+        toast.error("Passwords don't match")
+        return false
+      }
+    } else if (step === 1 && !recoveryDownloaded) {
+      toast.error('Please download your account recovery kit!')
+      return false
+    }
+    return true
+  }
+
+  const incrementStep = async (event: { preventDefault: () => void }) => {
+    event.preventDefault()
+    const isFormValid = validateCurrentStep()
+    if (step !== steps.length - 1 && isFormValid) setStep(step + 1)
+    if (step === steps.length - 1 && isFormValid) {
+      toast
+        .promise(handleAccountInit, {
+          pending: 'Setting up your account keys',
+          success: 'Account setup complete!',
+        })
+        .then(() => {
+          router.push(`/${activeOrganisation!.name}`)
+        })
+    }
+  }
+
+  const decrementStep = () => {
+    if (step !== 0) setStep(step - 1)
+  }
+
+  const handleDownloadRecoveryKit = async () => {
+    toast
+      .promise(
+        generateRecoveryPdf(
+          mnemonic,
+          session?.user?.email!,
+          activeOrganisation!.name,
+          session?.user?.name || undefined
+        ),
+        {
+          pending: 'Generating recovery kit',
+          success: 'Downloaded recovery kit',
+        }
+      )
+      .then(() => setRecoveryDownloaded(true))
+  }
+
+  const handleCopyRecoveryKit = () => {
+    copyRecoveryKit(
+      mnemonic,
+      session?.user?.email!,
+      activeOrganisation!.name,
+      session?.user?.name || undefined
+    )
+    setRecoveryDownloaded(true)
+  }
+
+  if (!activeOrganisation) return null
+
+  if (success) {
+    return (
+      <main className="w-full flex flex-col justify-between h-screen">
+        <HeroPattern />
+        <div className="mx-auto my-auto max-w-2xl space-y-8 p-16 bg-zinc-100 dark:bg-zinc-800 text-black dark:text-white rounded-md shadow-2xl text-center">
+          <div className="flex flex-col gap-y-2 items-center">
+            <h1 className="text-4xl text-black dark:text-white text-center font-bold">
+              You&apos;re All Set
+            </h1>
+            <p className="text-black/30 dark:text-white/40 text-center">
+              Your account keys have been set up. You can now access the console.
+            </p>
+            <div className="mx-auto pt-8">
+              <Button
+                variant="primary"
+                iconPosition="right"
+                icon={FaArrowRight}
+                onClick={() => (window.location.href = `/${activeOrganisation.name}`)}
+              >
+                Go to Console
+              </Button>
+            </div>
+          </div>
+        </div>
+      </main>
+    )
+  }
+
+  return (
+    <main className="w-full flex flex-col justify-between h-screen">
+      <HeroPattern />
+      <div className="mx-auto my-auto w-full max-w-4xl flex flex-col gap-y-16 py-40">
+        <form
+          onSubmit={incrementStep}
+          className="space-y-8 p-4 border border-violet-200/10 rounded-lg bg-zinc-100 dark:bg-black/30 backdrop-blur-lg w-full mx-auto shadow-lg"
+        >
+          <div className="flex flex-col w-full">
+            <div className="text-black dark:text-white font-semibold text-2xl text-center">
+              <div className="flex justify-center pb-4">
+                <LogoMark className="w-20 fill-black dark:fill-white" />
+              </div>
+              Set up your account
+            </div>
+            <p className="text-neutral-500 text-center text-sm mt-2">
+              You&apos;ve been provisioned into{' '}
+              <span className="font-medium text-neutral-800 dark:text-neutral-200">
+                {activeOrganisation.name}
+              </span>
+              . Complete these steps to secure your account.
+            </p>
+            <Stepper steps={steps} activeStep={step} />
+          </div>
+
+          {step === 0 && (
+            <AccountPassword
+              pw={pw}
+              setPw={setPw}
+              pw2={pw2}
+              setPw2={setPw2}
+              savePassword={savePassword}
+              setSavePassword={setSavePassword}
+            />
+          )}
+
+          {step === 1 && (
+            <AccountRecovery
+              mnemonic={mnemonic}
+              onDownload={handleDownloadRecoveryKit}
+              onCopy={handleCopyRecoveryKit}
+            />
+          )}
+
+          <div className="flex justify-between w-full">
+            <div>
+              {step !== 0 && (
+                <Button variant="secondary" onClick={decrementStep} type="button">
+                  Previous
+                </Button>
+              )}
+            </div>
+            <div className="flex items-center gap-2">
+              <Button
+                variant="primary"
+                type="submit"
+                isLoading={isLoading || mutationLoading}
+                disabled={step === steps.length - 1 && !recoveryDownloaded}
+              >
+                {step === steps.length - 1 ? 'Finish' : 'Next'}
+              </Button>
+            </div>
+          </div>
+        </form>
+      </div>
+    </main>
+  )
+}
diff --git a/frontend/app/[team]/layout.tsx b/frontend/app/[team]/layout.tsx
index bee7cb4e7..1383f2a54 100644
--- a/frontend/app/[team]/layout.tsx
+++ b/frontend/app/[team]/layout.tsx
@@ -6,7 +6,7 @@ import Sidebar from '@/components/layout/Sidebar'
 import { organisationContext } from '@/contexts/organisationContext'
 import clsx from 'clsx'
 import { usePathname, useRouter } from 'next/navigation'
-import { useContext, useEffect } from 'react'
+import { useContext, useEffect, useMemo } from 'react'
 import UnlockKeyringDialog from '@/components/auth/UnlockKeyringDialog'
 
 export default function RootLayout({
@@ -21,6 +21,9 @@ export default function RootLayout({
 
   const router = useRouter()
 
+  const path = usePathname()
+  const isAccountInit = path?.split('/').includes('account-init')
+
   useEffect(() => {
     if (!loading && organisations !== null) {
       // if there are no organisations for this user, send to onboarding
@@ -32,17 +35,44 @@ export default function RootLayout({
       const org = organisations.find((org) => org.name === params.team)
 
       // update active organisation if it exists
-      if (org) setActiveOrganisation(org)
+      if (org) {
+        setActiveOrganisation(org)
+
+        // SCIM-provisioned users with no keyring need to complete key ceremony
+        if (!org.keyring && !isAccountInit) {
+          router.push(`/${org.name}/account-init`)
+        }
+      }
       // if there's only one available organisation
-      else if (organisations.length === 1) setActiveOrganisation(organisations[0])
+      else if (organisations.length === 1) {
+        const singleOrg = organisations[0]
+        setActiveOrganisation(singleOrg)
+
+        if (!singleOrg.keyring && !isAccountInit) {
+          router.push(`/${singleOrg.name}/account-init`)
+        }
+      }
       // else send to home
       else router.push(`/`)
     }
-  }, [organisations, params.team, router, loading, setActiveOrganisation])
+  }, [organisations, params.team, router, loading, setActiveOrganisation, isAccountInit])
 
-  const path = usePathname()
+  // Detect if we need to redirect to account-init (SCIM user with no keyring)
+  const needsKeyringInit = useMemo(() => {
+    if (!organisations || loading) return false
+    const org = organisations.find((o) => o.name === params.team) || (organisations.length === 1 ? organisations[0] : null)
+    return org ? !org.keyring && !isAccountInit : false
+  }, [organisations, loading, params.team, isAccountInit])
+
+  const showNav = !path?.split('/').includes('recovery') && !isAccountInit
+
+  // Don't show the unlock keyring dialog during account-init or if user has no keyring
+  const showUnlockDialog = activeOrganisation && !isAccountInit && !!activeOrganisation.keyring
 
-  const showNav = !path?.split('/').includes('recovery')
+  // Suppress rendering while redirecting to account-init to prevent flash of content
+  if (needsKeyringInit) {
+    return null
+  }
 
   return (
     <div
@@ -51,7 +81,7 @@ export default function RootLayout({
         showNav && 'grid-cols-[max-content_1fr]'
       )}
     >
-      {activeOrganisation && <UnlockKeyringDialog organisation={activeOrganisation} />}
+      {showUnlockDialog && <UnlockKeyringDialog organisation={activeOrganisation} />}
       {showNav && <NavBar />}
       {showNav && <Sidebar />}
       <div className="grid h-screen">

From b4843c08bc145cfdd24343982c15d37c90fb2fda Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Apr 2026 18:58:43 +0530
Subject: [PATCH 051/118] fix: team settings for scim managed teams

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/mutations/teams.py         |  4 ++--
 .../teams/[teamId]/_components/UpdateTeamDialog.tsx | 13 +++++++++----
 frontend/app/[team]/access/teams/[teamId]/page.tsx  |  2 +-
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 681a89d68..b6b24d8a5 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -147,9 +147,9 @@ def mutate(
 
         _check_team_membership(user, team)
 
-        if team.is_scim_managed:
+        if team.is_scim_managed and (name is not None or description is not None):
             raise GraphQLError(
-                "This team is managed by SCIM and cannot be manually updated"
+                "Name and description of SCIM-managed teams cannot be changed from the console"
             )
 
         if name is not None:
diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
index 07b77fc1b..462c81f32 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/UpdateTeamDialog.tsx
@@ -133,8 +133,7 @@ export const UpdateTeamDialog = ({ team }: { team: TeamType }) => {
       await updateTeam({
         variables: {
           teamId: team.id,
-          name,
-          description: description || null,
+          ...(team.isScimManaged ? {} : { name, description: description || null }),
           memberRoleId: memberRole?.id || '',
           serviceAccountRoleId: saRole?.id || '',
         },
@@ -170,9 +169,11 @@ export const UpdateTeamDialog = ({ team }: { team: TeamType }) => {
       }}
     >
       <form onSubmit={handleSubmit} className="space-y-6 pt-4">
-        <Input value={name} setValue={setName} label="Team name" required maxLength={64} />
+        <div className={clsx(team.isScimManaged && 'opacity-60 pointer-events-none')}>
+          <Input value={name} setValue={setName} label="Team name" required maxLength={64} disabled={team.isScimManaged ?? false} />
+        </div>
 
-        <div className="space-y-2 w-full">
+        <div className={clsx('space-y-2 w-full', team.isScimManaged && 'opacity-60 pointer-events-none')}>
           <label className="block text-neutral-500 text-xs">Description</label>
           <textarea
             value={description}
@@ -180,7 +181,11 @@ export const UpdateTeamDialog = ({ team }: { team: TeamType }) => {
             className="w-full rounded-md bg-zinc-100 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100 p-2 text-sm resize-none"
             rows={3}
             placeholder="Optional team description"
+            disabled={team.isScimManaged ?? false}
           />
+          {team.isScimManaged && (
+            <p className="text-2xs text-neutral-500">Name and description are managed by your identity provider via SCIM.</p>
+          )}
         </div>
 
         <div className="space-y-4">
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 340fd867b..10e17eb73 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -186,7 +186,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
               </span>
             </div>
             <div className="flex flex-col items-end gap-2">
-              {canUpdateTeam && !team.isScimManaged && <UpdateTeamDialog team={team} />}
+              {canUpdateTeam && <UpdateTeamDialog team={team} />}
               <span
                 className="text-neutral-500 text-2xs flex items-center gap-1 cursor-help"
                 title={new Date(team.createdAt).toLocaleString()}

From 47cd26df760055964d66eaff0ce4f75cb1e50f8f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 4 Apr 2026 15:09:37 +0530
Subject: [PATCH 052/118] fix: group description sync

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../ee/authentication/scim/views/discovery.py | 10 ++++++++
 .../ee/authentication/scim/views/groups.py    | 24 ++++++++++++-------
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/backend/ee/authentication/scim/views/discovery.py b/backend/ee/authentication/scim/views/discovery.py
index 5a51d78c2..57c2769f7 100644
--- a/backend/ee/authentication/scim/views/discovery.py
+++ b/backend/ee/authentication/scim/views/discovery.py
@@ -177,6 +177,16 @@ def schemas(request):
                             "returned": "default",
                             "uniqueness": "none",
                         },
+                        {
+                            "name": "description",
+                            "type": "string",
+                            "multiValued": False,
+                            "required": False,
+                            "caseExact": False,
+                            "mutability": "readWrite",
+                            "returned": "default",
+                            "uniqueness": "none",
+                        },
                         {
                             "name": "members",
                             "type": "complex",
diff --git a/backend/ee/authentication/scim/views/groups.py b/backend/ee/authentication/scim/views/groups.py
index 8ba224100..e4b179720 100644
--- a/backend/ee/authentication/scim/views/groups.py
+++ b/backend/ee/authentication/scim/views/groups.py
@@ -167,6 +167,7 @@ def _create_group(request, org):
 
     display_name = data.get("displayName", "").strip()
     external_id = data.get("externalId", "")
+    description = (data.get("description") or "").strip() or None
 
     if not display_name:
         return scim_bad_request("displayName is required")
@@ -177,6 +178,7 @@ def _create_group(request, org):
     try:
         team = Team.objects.create(
             name=display_name[:64],
+            description=description,
             organisation=org,
             is_scim_managed=True,
             created_by=None,
@@ -233,12 +235,14 @@ def _replace_group(request, scim_group):
     org = scim_group.organisation
     display_name = data.get("displayName", "").strip()
     external_id = data.get("externalId", scim_group.external_id)
+    description = (data.get("description") or "").strip() or None
 
     if display_name:
         scim_group.display_name = display_name
         if scim_group.team:
             scim_group.team.name = display_name[:64]
-            scim_group.team.save(update_fields=["name", "updated_at"])
+            scim_group.team.description = description
+            scim_group.team.save(update_fields=["name", "description", "updated_at"])
 
     scim_group.external_id = external_id
     scim_group.scim_data = data
@@ -296,13 +300,17 @@ def _patch_group(request, scim_group):
         path = op.get("path", "")
         value = op.get("value")
 
-        if op_type == "replace":
-            if path.lower() == "displayname":
-                scim_group.display_name = value
-                scim_group.save(update_fields=["display_name"])
-                if scim_group.team:
-                    scim_group.team.name = str(value)[:64]
-                    scim_group.team.save(update_fields=["name", "updated_at"])
+        if op_type in ("replace", "add") and path.lower() == "displayname":
+            scim_group.display_name = value
+            scim_group.save(update_fields=["display_name"])
+            if scim_group.team:
+                scim_group.team.name = str(value)[:64]
+                scim_group.team.save(update_fields=["name", "updated_at"])
+
+        elif op_type in ("replace", "add") and path.lower() == "description":
+            if scim_group.team:
+                scim_group.team.description = (str(value).strip() if value else None)
+                scim_group.team.save(update_fields=["description", "updated_at"])
 
         elif op_type == "add" and path.lower() == "members":
             members = value if isinstance(value, list) else [value]

From 1f21a2821445cfca2816f97004b498592ac4d398 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 4 Apr 2026 15:09:56 +0530
Subject: [PATCH 053/118] feat: misc improvements to provisioning logs

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../access/scim/_components/SCIMEventRow.tsx  |  7 ----
 .../scim/_components/SCIMEventsTable.tsx      | 24 +++++++++--
 .../[team]/access/scim/_components/shared.tsx | 40 +++++++++++++++++--
 frontend/app/[team]/access/scim/logs/page.tsx |  2 +-
 4 files changed, 58 insertions(+), 15 deletions(-)

diff --git a/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx b/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx
index b23faa004..c20d902a5 100644
--- a/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx
+++ b/frontend/app/[team]/access/scim/_components/SCIMEventRow.tsx
@@ -110,13 +110,6 @@ export function SCIMEventRow({ event }: { event: any }) {
                       {event.responseStatus}
                     </span>
                   </LogField>
-                  <div className="md:col-span-3">
-                    <LogField label="User agent">
-                      <span className="font-normal truncate max-w-lg inline-block align-bottom">
-                        {event.userAgent || '-'}
-                      </span>
-                    </LogField>
-                  </div>
                 </div>
 
                 <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
diff --git a/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx b/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx
index 9c9e6cb80..84a895044 100644
--- a/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx
+++ b/frontend/app/[team]/access/scim/_components/SCIMEventsTable.tsx
@@ -1,8 +1,15 @@
 'use client'
 
+import { Fragment } from 'react'
 import { SCIMEventRow } from './SCIMEventRow'
 
-export function SCIMEventsTable({ events }: { events: any[] }) {
+export function SCIMEventsTable({
+  events,
+  pageSize,
+}: {
+  events: any[]
+  pageSize?: number
+}) {
   return (
     <table className="table-auto min-w-full">
       <thead>
@@ -26,8 +33,19 @@ export function SCIMEventsTable({ events }: { events: any[] }) {
         </tr>
       </thead>
       <tbody>
-        {events.map((event: any) => (
-          <SCIMEventRow key={event.id} event={event} />
+        {events.map((event: any, n: number) => (
+          <Fragment key={event.id}>
+            {pageSize && n !== 0 && n % pageSize === 0 && (
+              <tr>
+                <td colSpan={6}>
+                  <div className="flex items-center justify-center bg-zinc-300 dark:bg-zinc-800 py-px text-neutral-500 text-xs">
+                    Page {n / pageSize + 1}
+                  </div>
+                </td>
+              </tr>
+            )}
+            <SCIMEventRow event={event} />
+          </Fragment>
         ))}
       </tbody>
     </table>
diff --git a/frontend/app/[team]/access/scim/_components/shared.tsx b/frontend/app/[team]/access/scim/_components/shared.tsx
index b2a1d7c9f..21e0ff678 100644
--- a/frontend/app/[team]/access/scim/_components/shared.tsx
+++ b/frontend/app/[team]/access/scim/_components/shared.tsx
@@ -1,7 +1,11 @@
 'use client'
 
-import React from 'react'
+import React, { useContext } from 'react'
 import { FaKey } from 'react-icons/fa'
+import { Prism as SyntaxHighlighter } from 'react-syntax-highlighter'
+import { vscDarkPlus, coldarkCold } from 'react-syntax-highlighter/dist/cjs/styles/prism'
+import { ThemeContext } from '@/contexts/themeContext'
+import CopyButton from '@/components/common/CopyButton'
 import { EntraIDLogo, OktaLogo, JumpCloudLogo } from '@/components/common/logos'
 
 export const PROVIDER_PATTERNS: {
@@ -89,11 +93,39 @@ export function LogField({ label, children }: { label: string; children: React.R
 }
 
 export function JsonBlock({ data }: { data: any }) {
+  const { theme } = useContext(ThemeContext)
+
   if (!data) return null
   const parsed = typeof data === 'string' ? JSON.parse(data) : data
+  const formatted = JSON.stringify(parsed, null, 2)
+
   return (
-    <pre className="mt-1 text-2xs font-mono bg-zinc-100 dark:bg-zinc-900 rounded p-3 overflow-auto max-h-64 whitespace-pre-wrap break-words text-zinc-800 dark:text-zinc-200">
-      {JSON.stringify(parsed, null, 2)}
-    </pre>
+    <div className="relative group/json mt-1">
+      <div className="absolute right-2 top-2 opacity-0 group-hover/json:opacity-100 transition-opacity z-10">
+        <CopyButton value={formatted} buttonVariant="secondary" />
+      </div>
+      <SyntaxHighlighter
+        language="json"
+        style={theme === 'dark' ? vscDarkPlus : coldarkCold}
+        customStyle={{
+          fontSize: '0.65rem',
+          fontFamily: 'var(--font-jetbrains-mono)',
+          lineHeight: '1.5',
+          margin: 0,
+          borderRadius: '0.375rem',
+          maxHeight: '16rem',
+          overflow: 'auto',
+          background: theme === 'dark' ? '#171717' : '#e4e4e7',
+        }}
+        codeTagProps={{
+          style: {
+            fontSize: '0.65rem',
+            fontFamily: 'var(--font-jetbrains-mono)',
+          },
+        }}
+      >
+        {formatted}
+      </SyntaxHighlighter>
+    </div>
   )
 }
diff --git a/frontend/app/[team]/access/scim/logs/page.tsx b/frontend/app/[team]/access/scim/logs/page.tsx
index d1280ef3e..76cedfa97 100644
--- a/frontend/app/[team]/access/scim/logs/page.tsx
+++ b/frontend/app/[team]/access/scim/logs/page.tsx
@@ -302,7 +302,7 @@ export default function SCIMLogsPage({ params }: { params: { team: string } }) {
           </div>
         ) : (
           <>
-            <SCIMEventsTable events={events} />
+            <SCIMEventsTable events={events} pageSize={PAGE_SIZE} />
 
             <div className="flex justify-center px-6 py-4 text-neutral-500 font-medium">
               {!endOfList ? (

From 723caeb4f221a4438829a7df8443ff7b64bfadd8 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 4 Apr 2026 16:02:58 +0530
Subject: [PATCH 054/118] fix: misc fixes to support okta scim

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/authentication/scim/negotiation.py | 14 ++++++++
 .../ee/authentication/scim/views/discovery.py | 13 +++++++-
 .../ee/authentication/scim/views/groups.py    | 33 +++++++++++++++++--
 backend/ee/authentication/scim/views/users.py | 10 ++++++
 4 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 backend/ee/authentication/scim/negotiation.py

diff --git a/backend/ee/authentication/scim/negotiation.py b/backend/ee/authentication/scim/negotiation.py
new file mode 100644
index 000000000..c7c164445
--- /dev/null
+++ b/backend/ee/authentication/scim/negotiation.py
@@ -0,0 +1,14 @@
+from rest_framework.parsers import JSONParser
+from rest_framework.renderers import JSONRenderer
+
+
+class SCIMJSONRenderer(JSONRenderer):
+    """Renderer that accepts both application/scim+json and application/json."""
+
+    media_type = "application/scim+json"
+
+
+class SCIMJSONParser(JSONParser):
+    """Parser that accepts both application/scim+json and application/json."""
+
+    media_type = "application/scim+json"
diff --git a/backend/ee/authentication/scim/views/discovery.py b/backend/ee/authentication/scim/views/discovery.py
index 57c2769f7..e0363f048 100644
--- a/backend/ee/authentication/scim/views/discovery.py
+++ b/backend/ee/authentication/scim/views/discovery.py
@@ -1,5 +1,13 @@
 from django.http import JsonResponse
-from rest_framework.decorators import api_view, authentication_classes, permission_classes
+from rest_framework.decorators import (
+    api_view,
+    authentication_classes,
+    permission_classes,
+    renderer_classes,
+)
+from rest_framework.renderers import JSONRenderer
+
+from ee.authentication.scim.negotiation import SCIMJSONRenderer
 
 from ee.authentication.scim.constants import (
     SCIM_GROUP_SCHEMA,
@@ -13,6 +21,7 @@
 @api_view(["GET"])
 @authentication_classes([])
 @permission_classes([])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
 def service_provider_config(request):
     """GET /scim/v2/ServiceProviderConfig — RFC 7643 Section 5."""
     return JsonResponse(
@@ -48,6 +57,7 @@ def service_provider_config(request):
 @api_view(["GET"])
 @authentication_classes([])
 @permission_classes([])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
 def schemas(request):
     """GET /scim/v2/Schemas — RFC 7643 Section 7."""
     return JsonResponse(
@@ -235,6 +245,7 @@ def schemas(request):
 @api_view(["GET"])
 @authentication_classes([])
 @permission_classes([])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
 def resource_types(request):
     """GET /scim/v2/ResourceTypes — RFC 7643 Section 6."""
     return JsonResponse(
diff --git a/backend/ee/authentication/scim/views/groups.py b/backend/ee/authentication/scim/views/groups.py
index e4b179720..fc578fb02 100644
--- a/backend/ee/authentication/scim/views/groups.py
+++ b/backend/ee/authentication/scim/views/groups.py
@@ -6,9 +6,15 @@
 from rest_framework.decorators import (
     api_view,
     authentication_classes,
+    parser_classes,
     permission_classes,
+    renderer_classes,
 )
+from rest_framework.parsers import JSONParser
 from rest_framework.permissions import IsAuthenticated
+from rest_framework.renderers import JSONRenderer
+
+from ee.authentication.scim.negotiation import SCIMJSONParser, SCIMJSONRenderer
 
 from api.models import (
     SCIMGroup,
@@ -97,6 +103,8 @@ def _remove_member_from_team(team, scim_user):
 @api_view(["GET", "POST"])
 @authentication_classes([SCIMTokenAuthentication])
 @permission_classes([IsAuthenticated])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
+@parser_classes([SCIMJSONParser, JSONParser])
 def groups_list(request):
     """
     GET  /scim/v2/Groups — List/filter groups
@@ -113,6 +121,8 @@ def groups_list(request):
 @api_view(["GET", "PUT", "PATCH", "DELETE"])
 @authentication_classes([SCIMTokenAuthentication])
 @permission_classes([IsAuthenticated])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
+@parser_classes([SCIMJSONParser, JSONParser])
 def groups_detail(request, scim_group_id):
     """
     GET    /scim/v2/Groups/:id — Get group
@@ -172,7 +182,8 @@ def _create_group(request, org):
     if not display_name:
         return scim_bad_request("displayName is required")
     if not external_id:
-        return scim_bad_request("externalId is required")
+        import uuid
+        external_id = str(uuid.uuid4())
 
     # Create Team
     try:
@@ -330,9 +341,25 @@ def _patch_group(request, scim_group):
                         )
 
         elif op_type == "remove":
+            if not scim_group.team:
+                continue
+
+            member_ids = []
+
             # Azure Entra format: members[value eq "abc-123"]
-            member_id = parse_patch_path_filter(path)
-            if member_id and scim_group.team:
+            filtered_id = parse_patch_path_filter(path)
+            if filtered_id:
+                member_ids.append(filtered_id)
+
+            # Okta format: path="members", value=[{"value": "id"}]
+            if path.lower() == "members" and value:
+                refs = value if isinstance(value, list) else [value]
+                for ref in refs:
+                    mid = ref.get("value") if isinstance(ref, dict) else ref
+                    if mid:
+                        member_ids.append(mid)
+
+            for member_id in member_ids:
                 scim_user = SCIMUser.objects.filter(
                     id=member_id, organisation=org
                 ).first()
diff --git a/backend/ee/authentication/scim/views/users.py b/backend/ee/authentication/scim/views/users.py
index 3fd7ea030..6c517e298 100644
--- a/backend/ee/authentication/scim/views/users.py
+++ b/backend/ee/authentication/scim/views/users.py
@@ -7,9 +7,15 @@
 from rest_framework.decorators import (
     api_view,
     authentication_classes,
+    parser_classes,
     permission_classes,
+    renderer_classes,
 )
+from rest_framework.parsers import JSONParser
 from rest_framework.permissions import IsAuthenticated
+from rest_framework.renderers import JSONRenderer
+
+from ee.authentication.scim.negotiation import SCIMJSONParser, SCIMJSONRenderer
 
 from api.models import SCIMUser
 from backend.quotas import can_add_account
@@ -71,6 +77,8 @@ def _extract_user_fields(data):
 @api_view(["GET", "POST"])
 @authentication_classes([SCIMTokenAuthentication])
 @permission_classes([IsAuthenticated])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
+@parser_classes([SCIMJSONParser, JSONParser])
 def users_list(request):
     """
     GET  /scim/v2/Users — List/filter users
@@ -87,6 +95,8 @@ def users_list(request):
 @api_view(["GET", "PUT", "PATCH", "DELETE"])
 @authentication_classes([SCIMTokenAuthentication])
 @permission_classes([IsAuthenticated])
+@renderer_classes([SCIMJSONRenderer, JSONRenderer])
+@parser_classes([SCIMJSONParser, JSONParser])
 def users_detail(request, scim_user_id):
     """
     GET    /scim/v2/Users/:id — Get user

From e686a2735a067663ec441d0ab5e4b53bb06e0469 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Mon, 6 Apr 2026 23:09:26 +0530
Subject: [PATCH 055/118] feat: misc code organisation and cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/schema.py                     | 92 ++++++++++++-------
 backend/backend/urls.py                       | 13 ++-
 .../authentication/scim/graphene/__init__.py  |  0
 .../scim/graphene/mutations.py}               |  0
 .../authentication/scim/graphene/queries.py}  |  0
 frontend/app/[team]/access/scim/page.tsx      | 45 ++++++---
 6 files changed, 101 insertions(+), 49 deletions(-)
 create mode 100644 backend/ee/authentication/scim/graphene/__init__.py
 rename backend/{backend/graphene/mutations/scim.py => ee/authentication/scim/graphene/mutations.py} (100%)
 rename backend/{backend/graphene/queries/scim.py => ee/authentication/scim/graphene/queries.py} (100%)

diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index a36c836b6..025f278ca 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -40,7 +40,11 @@
 from .graphene.queries.syncing import (
     resolve_vercel_projects,
 )
-from .graphene.mutations.syncing import CreateAzureKeyVaultSync, CreateRenderSync, CreateVercelSync
+from .graphene.mutations.syncing import (
+    CreateAzureKeyVaultSync,
+    CreateRenderSync,
+    CreateVercelSync,
+)
 from .graphene.mutations.access import (
     CreateCustomRoleMutation,
     CreateNetworkAccessPolicyMutation,
@@ -126,13 +130,24 @@
 from .graphene.queries.license import resolve_license, resolve_organisation_license
 from .graphene.queries.auth import resolve_verify_password
 from .graphene.queries.teams import resolve_teams
-from .graphene.queries.scim import resolve_scim_tokens, resolve_scim_events
-from .graphene.mutations.scim import (
-    CreateSCIMTokenMutation,
-    DeleteSCIMTokenMutation,
-    ToggleSCIMMutation,
-    ToggleSCIMTokenMutation,
-)
+
+
+_SCIM_AVAILABLE = False
+try:
+    from ee.authentication.scim.graphene.queries import (
+        resolve_scim_tokens,
+        resolve_scim_events,
+    )
+    from ee.authentication.scim.graphene.mutations import (
+        CreateSCIMTokenMutation,
+        DeleteSCIMTokenMutation,
+        ToggleSCIMMutation,
+        ToggleSCIMTokenMutation,
+    )
+
+    _SCIM_AVAILABLE = True
+except ImportError:
+    pass
 from .graphene.mutations.teams import (
     AddTeamAppsMutation,
     AddTeamMembersMutation,
@@ -306,20 +321,22 @@ class Query(graphene.ObjectType):
         team_id=graphene.ID(required=False),
     )
 
-    scim_tokens = graphene.List(
-        SCIMTokenType,
-        organisation_id=graphene.ID(),
-    )
+    # SCIM (Enterprise)
+    if _SCIM_AVAILABLE:
+        scim_tokens = graphene.List(
+            SCIMTokenType,
+            organisation_id=graphene.ID(),
+        )
 
-    scim_events = graphene.Field(
-        SCIMEventsResponseType,
-        organisation_id=graphene.ID(),
-        start=graphene.BigInt(required=False),
-        end=graphene.BigInt(required=False),
-        event_types=graphene.List(graphene.String, required=False),
-        token_id=graphene.ID(required=False),
-        status=graphene.String(required=False),
-    )
+        scim_events = graphene.Field(
+            SCIMEventsResponseType,
+            organisation_id=graphene.ID(),
+            start=graphene.BigInt(required=False),
+            end=graphene.BigInt(required=False),
+            event_types=graphene.List(graphene.String, required=False),
+            token_id=graphene.ID(required=False),
+            status=graphene.String(required=False),
+        )
 
     organisation_name_available = graphene.Boolean(name=graphene.String())
 
@@ -605,8 +622,11 @@ def resolve_organisations(root, info):
 
     # Teams
     resolve_teams = resolve_teams
-    resolve_scim_tokens = resolve_scim_tokens
-    resolve_scim_events = resolve_scim_events
+
+    # SCIM (Enterprise)
+    if _SCIM_AVAILABLE:
+        resolve_scim_tokens = resolve_scim_tokens
+        resolve_scim_events = resolve_scim_events
 
     resolve_organisation_plan = resolve_organisation_plan
 
@@ -741,9 +761,7 @@ def resolve_app_environments(
         )
 
         return [
-            app_env
-            for app_env in app_environments
-            if app_env.id in accessible_env_ids
+            app_env for app_env in app_environments if app_env.id in accessible_env_ids
         ]
 
     def resolve_app_users(root, info, app_id):
@@ -806,7 +824,12 @@ def resolve_secret_history(root, info, secret_id):
 
         # compute permission once and store it on the request context
         can_view_members = user_has_permission(
-            user, "read", "Members", secret.environment.app.organisation, True, app=secret.environment.app
+            user,
+            "read",
+            "Members",
+            secret.environment.app.organisation,
+            True,
+            app=secret.environment.app,
         ) or user_has_permission(
             user, "read", "Members", secret.environment.app.organisation, False
         )
@@ -980,7 +1003,9 @@ def resolve_secret_logs(
         ) or user_has_permission(user, "read", "Members", app.organisation, False)
         setattr(info.context, "can_view_members", can_see_members)
 
-        if not user_has_permission(user, "read", "Logs", app.organisation, True, app=app):
+        if not user_has_permission(
+            user, "read", "Logs", app.organisation, True, app=app
+        ):
             return SecretLogsResponseType(logs=[], count=0)
 
         # Base filter
@@ -1190,11 +1215,12 @@ class Mutation(graphene.ObjectType):
     remove_team_app = RemoveTeamAppMutation.Field()
     update_team_app_environments = UpdateTeamAppEnvironmentsMutation.Field()
 
-    # SCIM
-    create_scim_token = CreateSCIMTokenMutation.Field()
-    delete_scim_token = DeleteSCIMTokenMutation.Field()
-    toggle_scim = ToggleSCIMMutation.Field()
-    toggle_scim_token = ToggleSCIMTokenMutation.Field()
+    # SCIM (Enterprise)
+    if _SCIM_AVAILABLE:
+        create_scim_token = CreateSCIMTokenMutation.Field()
+        delete_scim_token = DeleteSCIMTokenMutation.Field()
+        toggle_scim = ToggleSCIMMutation.Field()
+        toggle_scim_token = ToggleSCIMTokenMutation.Field()
 
     # Service Accounts
     create_service_account = CreateServiceAccountMutation.Field()
diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index 43eb80ba7..2f3877da8 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -76,11 +76,14 @@
     path("public/identities/external/v1/azure/entra/auth/", azure_entra_auth),
 ]
 
-# SCIM v2 Provisioning API (Enterprise)
-scim_urls = [
-    path("scim/v2/", include("ee.authentication.scim.urls")),
-]
-urlpatterns.extend(scim_urls)
+# SCIM v2 Provisioning API
+try:
+    scim_urls = [
+        path("scim/v2/", include("ee.authentication.scim.urls")),
+    ]
+    urlpatterns.extend(scim_urls)
+except ImportError:
+    pass
 
 # Add public URLs to main urlpatterns
 urlpatterns.extend(public_urls)
diff --git a/backend/ee/authentication/scim/graphene/__init__.py b/backend/ee/authentication/scim/graphene/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/backend/graphene/mutations/scim.py b/backend/ee/authentication/scim/graphene/mutations.py
similarity index 100%
rename from backend/backend/graphene/mutations/scim.py
rename to backend/ee/authentication/scim/graphene/mutations.py
diff --git a/backend/backend/graphene/queries/scim.py b/backend/ee/authentication/scim/graphene/queries.py
similarity index 100%
rename from backend/backend/graphene/queries/scim.py
rename to backend/ee/authentication/scim/graphene/queries.py
diff --git a/frontend/app/[team]/access/scim/page.tsx b/frontend/app/[team]/access/scim/page.tsx
index 03a5dfeb4..184b8d622 100644
--- a/frontend/app/[team]/access/scim/page.tsx
+++ b/frontend/app/[team]/access/scim/page.tsx
@@ -5,10 +5,13 @@ import { useMutation, useQuery } from '@apollo/client'
 import { toast } from 'react-toastify'
 import Link from 'next/link'
 import { FaBan, FaChevronRight, FaKey } from 'react-icons/fa'
+import { ApiOrganisationPlanChoices } from '@/apollo/graphql'
 import CopyButton from '@/components/common/CopyButton'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { UpsellDialog } from '@/components/settings/organisation/UpsellDialog'
+import { PlanLabel } from '@/components/settings/organisation/PlanLabel'
 import { organisationContext } from '@/contexts/organisationContext'
 import { GetSCIMTokens } from '@/graphql/queries/scim/getSCIMTokens.gql'
 import { GetSCIMEvents } from '@/graphql/queries/scim/getSCIMEvents.gql'
@@ -118,19 +121,39 @@ export default function SCIMPage({ params }: { params: { team: string } }) {
         </div>
 
         {/* Master Toggle */}
-        <div className="flex items-center justify-between px-3 py-2 rounded-lg bg-zinc-100 dark:bg-zinc-800">
-          <div>
-            <div className="text-sm font-medium">Enable SCIM</div>
-            <div className="text-neutral-500 text-xs">
-              {scimEnabled
-                ? 'SCIM is enabled. Identity providers can sync users and groups.'
-                : 'Enable SCIM to allow identity providers to sync users and groups.'}
+        {organisation.plan !== ApiOrganisationPlanChoices.En ? (
+          <div className="flex items-center justify-between px-3 py-2 rounded-lg bg-zinc-100 dark:bg-zinc-800">
+            <div>
+              <div className="text-sm font-medium">Enable SCIM</div>
+              <div className="text-neutral-500 text-xs">
+                Upgrade to Enterprise to enable SCIM provisioning.
+              </div>
             </div>
+            <UpsellDialog
+              title="Upgrade to Enterprise to enable SCIM provisioning"
+              buttonLabel={
+                <>
+                  Enable SCIM <PlanLabel plan={ApiOrganisationPlanChoices.En} />
+                </>
+              }
+              buttonVariant="primary"
+            />
           </div>
-          {userCanManageSCIM && (
-            <ToggleSwitch value={scimEnabled} onToggle={handleToggleSCIM} />
-          )}
-        </div>
+        ) : (
+          <div className="flex items-center justify-between px-3 py-2 rounded-lg bg-zinc-100 dark:bg-zinc-800">
+            <div>
+              <div className="text-sm font-medium">Enable SCIM</div>
+              <div className="text-neutral-500 text-xs">
+                {scimEnabled
+                  ? 'SCIM is enabled. Identity providers can sync users and groups.'
+                  : 'Enable SCIM to allow identity providers to sync users and groups.'}
+              </div>
+            </div>
+            {userCanManageSCIM && (
+              <ToggleSwitch value={scimEnabled} onToggle={handleToggleSCIM} />
+            )}
+          </div>
+        )}
 
         {scimEnabled && (
           <>

From a480f5f0c8123bb3481163775661f71cd2caf75a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 7 Apr 2026 23:49:40 +0530
Subject: [PATCH 056/118] fix: clear team memberships when an scim user is
 deactivated

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/authentication/scim/utils.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/backend/ee/authentication/scim/utils.py b/backend/ee/authentication/scim/utils.py
index cb84583a2..f6c189e6f 100644
--- a/backend/ee/authentication/scim/utils.py
+++ b/backend/ee/authentication/scim/utils.py
@@ -95,6 +95,10 @@ def deactivate_scim_user(scim_user):
         for tm in team_memberships:
             revoke_team_environment_keys(tm.team, member=scim_user.org_member)
 
+        # Remove team memberships so reactivation doesn't restore stale teams.
+        # The IdP's group push will re-add the user to the correct teams.
+        team_memberships.delete()
+
         # Wipe crypto material so user must redo key ceremony if reactivated
         scim_user.org_member.identity_key = ""
         scim_user.org_member.wrapped_keyring = ""

From 7a21c2716eeac147609ba7c20b54d58b19776d35 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 7 Apr 2026 23:49:56 +0530
Subject: [PATCH 057/118] fix: discovery base url for users and groups

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/ee/authentication/scim/views/groups.py | 2 +-
 backend/ee/authentication/scim/views/users.py  | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/backend/ee/authentication/scim/views/groups.py b/backend/ee/authentication/scim/views/groups.py
index fc578fb02..1e6927334 100644
--- a/backend/ee/authentication/scim/views/groups.py
+++ b/backend/ee/authentication/scim/views/groups.py
@@ -47,7 +47,7 @@
 
 
 def _get_base_url(request):
-    return f"{request.scheme}://{request.get_host()}"
+    return f"https://{request.get_host()}/service"
 
 
 def _provision_keys_for_membership(team, membership):
diff --git a/backend/ee/authentication/scim/views/users.py b/backend/ee/authentication/scim/views/users.py
index 6c517e298..e2c7faf10 100644
--- a/backend/ee/authentication/scim/views/users.py
+++ b/backend/ee/authentication/scim/views/users.py
@@ -47,7 +47,7 @@
 
 
 def _get_base_url(request):
-    return f"{request.scheme}://{request.get_host()}"
+    return f"https://{request.get_host()}/service"
 
 
 def _extract_user_fields(data):
@@ -222,14 +222,17 @@ def _replace_user(request, scim_user):
     scim_user.save()
 
     # Handle activation state change
+    event_type = "user_updated"
     if active and not scim_user.active:
         reactivate_scim_user(scim_user)
+        event_type = "user_reactivated"
     elif not active and scim_user.active:
         deactivate_scim_user(scim_user)
+        event_type = "user_deactivated"
 
     response_data = serialize_scim_user(scim_user, _get_base_url(request))
     log_scim_event(
-        request, "user_updated", "user", scim_user.id, scim_user.email,
+        request, event_type, "user", scim_user.id, scim_user.email,
         response_status=200, response_body=response_data,
     )
     return JsonResponse(response_data)

From bf3fe2f9ba10f5b6aae71ece4930ffddc7035f35 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 12:17:52 +0530
Subject: [PATCH 058/118] feat: add unit tests for scim utils, handlers, auth,
 lifecycle

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/pytest.ini                            |   1 +
 backend/tests/ee/__init__.py                  |   0
 backend/tests/ee/authentication/__init__.py   |   0
 .../tests/ee/authentication/scim/__init__.py  |   0
 .../tests/ee/authentication/scim/conftest.py  | 256 ++++++
 .../tests/ee/authentication/scim/test_auth.py | 160 ++++
 .../ee/authentication/scim/test_filters.py    | 100 +++
 .../ee/authentication/scim/test_groups.py     | 724 +++++++++++++++++
 .../ee/authentication/scim/test_lifecycle.py  | 627 +++++++++++++++
 .../ee/authentication/scim/test_users.py      | 726 ++++++++++++++++++
 .../ee/authentication/scim/test_utils.py      | 228 ++++++
 11 files changed, 2822 insertions(+)
 create mode 100644 backend/tests/ee/__init__.py
 create mode 100644 backend/tests/ee/authentication/__init__.py
 create mode 100644 backend/tests/ee/authentication/scim/__init__.py
 create mode 100644 backend/tests/ee/authentication/scim/conftest.py
 create mode 100644 backend/tests/ee/authentication/scim/test_auth.py
 create mode 100644 backend/tests/ee/authentication/scim/test_filters.py
 create mode 100644 backend/tests/ee/authentication/scim/test_groups.py
 create mode 100644 backend/tests/ee/authentication/scim/test_lifecycle.py
 create mode 100644 backend/tests/ee/authentication/scim/test_users.py
 create mode 100644 backend/tests/ee/authentication/scim/test_utils.py

diff --git a/backend/pytest.ini b/backend/pytest.ini
index f912902b3..f15010964 100644
--- a/backend/pytest.ini
+++ b/backend/pytest.ini
@@ -1,2 +1,3 @@
 [pytest]
+DJANGO_SETTINGS_MODULE = backend.settings
 python_files = tests.py test_*.py *_tests.py
\ No newline at end of file
diff --git a/backend/tests/ee/__init__.py b/backend/tests/ee/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/tests/ee/authentication/__init__.py b/backend/tests/ee/authentication/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/tests/ee/authentication/scim/__init__.py b/backend/tests/ee/authentication/scim/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/tests/ee/authentication/scim/conftest.py b/backend/tests/ee/authentication/scim/conftest.py
new file mode 100644
index 000000000..8a44fba3a
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/conftest.py
@@ -0,0 +1,256 @@
+import hashlib
+import json
+
+import pytest
+from django.test import RequestFactory
+from rest_framework.test import APIClient
+
+from api.models import (
+    CustomUser,
+    Organisation,
+    OrganisationMember,
+    Role,
+    SCIMEvent,
+    SCIMGroup,
+    SCIMToken,
+    SCIMUser,
+    Team,
+    TeamMembership,
+)
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+SCIM_CONTENT_TYPE = "application/scim+json"
+
+TOKEN_RAW = "ph_scim:v1:testpfx:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
+TOKEN_HASH = hashlib.sha256(TOKEN_RAW.encode()).hexdigest()
+TOKEN_PREFIX = "testpfx"
+
+
+def scim_auth_header(token=TOKEN_RAW):
+    return f"Bearer {token}"
+
+
+def make_scim_user_payload(
+    username,
+    external_id,
+    display_name=None,
+    given_name=None,
+    family_name=None,
+    active=True,
+):
+    """Build a SCIM User resource payload matching what IdPs send."""
+    given = given_name or username.split("@")[0].title()
+    family = family_name or "Test"
+    display = display_name or f"{given} {family}"
+
+    return {
+        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+        "externalId": external_id,
+        "userName": username,
+        "displayName": display,
+        "name": {
+            "givenName": given,
+            "familyName": family,
+            "formatted": display,
+        },
+        "emails": [{"value": username, "type": "work", "primary": True}],
+        "active": active,
+    }
+
+
+def make_scim_group_payload(display_name, external_id, members=None, description=None):
+    """Build a SCIM Group resource payload."""
+    payload = {
+        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+        "externalId": external_id,
+        "displayName": display_name,
+        "members": members or [],
+    }
+    if description:
+        payload["description"] = description
+    return payload
+
+
+def make_patch_op(operations):
+    """Build a SCIM PatchOp payload."""
+    return {
+        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+        "Operations": operations,
+    }
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def organisation(db):
+    """Create an Enterprise org with scim_enabled=True."""
+    return Organisation.objects.create(
+        name="TestOrg-SCIM",
+        identity_key="test-org-identity-key",
+        plan="EN",
+        scim_enabled=True,
+    )
+
+
+@pytest.fixture
+def developer_role(organisation):
+    """Create the default Developer role needed for SCIM provisioning."""
+    return Role.objects.create(
+        name="Developer",
+        organisation=organisation,
+        description="Default role for SCIM users",
+        is_default=True,
+        permissions={},
+    )
+
+
+@pytest.fixture
+def owner_role(organisation):
+    """Create the Owner role."""
+    return Role.objects.create(
+        name="Owner",
+        organisation=organisation,
+        description="Owner role",
+        is_default=True,
+        permissions={},
+    )
+
+
+@pytest.fixture
+def admin_user(db):
+    """A non-SCIM admin user (the org owner)."""
+    user = CustomUser.objects.create(
+        username="admin@testorg.com",
+        email="admin@testorg.com",
+    )
+    user.set_unusable_password()
+    user.save()
+    return user
+
+
+@pytest.fixture
+def admin_member(organisation, admin_user, owner_role):
+    """OrganisationMember for the admin user."""
+    return OrganisationMember.objects.create(
+        user=admin_user,
+        organisation=organisation,
+        role=owner_role,
+        identity_key="admin-identity-key",
+        wrapped_keyring="admin-wrapped-keyring",
+        wrapped_recovery="admin-wrapped-recovery",
+    )
+
+
+@pytest.fixture
+def scim_token(organisation, admin_member):
+    """Create a valid, active SCIM token."""
+    return SCIMToken.objects.create(
+        organisation=organisation,
+        name="Test IdP",
+        token_hash=TOKEN_HASH,
+        token_prefix=TOKEN_PREFIX,
+        created_by=admin_member,
+        is_active=True,
+    )
+
+
+@pytest.fixture
+def scim_client(scim_token):
+    """DRF APIClient pre-configured with a valid SCIM Bearer token."""
+    client = APIClient()
+    client.credentials(HTTP_AUTHORIZATION=scim_auth_header())
+    return client
+
+
+@pytest.fixture
+def scim_user_alice(organisation, developer_role):
+    """A pre-provisioned SCIM user (Alice)."""
+    user = CustomUser.objects.create(
+        username="alice@example.com",
+        email="alice@example.com",
+    )
+    user.set_unusable_password()
+    user.save()
+
+    org_member = OrganisationMember.objects.create(
+        user=user,
+        organisation=organisation,
+        role=developer_role,
+        identity_key="",
+        wrapped_keyring="",
+        wrapped_recovery="",
+    )
+
+    return SCIMUser.objects.create(
+        external_id="alice-ext-id",
+        organisation=organisation,
+        user=user,
+        org_member=org_member,
+        email="alice@example.com",
+        display_name="Alice Test",
+        active=True,
+        scim_data=make_scim_user_payload("alice@example.com", "alice-ext-id"),
+    )
+
+
+@pytest.fixture
+def scim_user_bob(organisation, developer_role):
+    """A second pre-provisioned SCIM user (Bob)."""
+    user = CustomUser.objects.create(
+        username="bob@example.com",
+        email="bob@example.com",
+    )
+    user.set_unusable_password()
+    user.save()
+
+    org_member = OrganisationMember.objects.create(
+        user=user,
+        organisation=organisation,
+        role=developer_role,
+        identity_key="",
+        wrapped_keyring="",
+        wrapped_recovery="",
+    )
+
+    return SCIMUser.objects.create(
+        external_id="bob-ext-id",
+        organisation=organisation,
+        user=user,
+        org_member=org_member,
+        email="bob@example.com",
+        display_name="Bob Test",
+        active=True,
+        scim_data=make_scim_user_payload("bob@example.com", "bob-ext-id"),
+    )
+
+
+@pytest.fixture
+def scim_group_engineering(organisation, scim_user_alice, scim_user_bob):
+    """A SCIM-managed group (Team) with Alice and Bob as members."""
+    team = Team.objects.create(
+        name="Engineering",
+        organisation=organisation,
+        is_scim_managed=True,
+    )
+    TeamMembership.objects.create(team=team, org_member=scim_user_alice.org_member)
+    TeamMembership.objects.create(team=team, org_member=scim_user_bob.org_member)
+
+    return SCIMGroup.objects.create(
+        external_id="eng-ext-id",
+        organisation=organisation,
+        team=team,
+        display_name="Engineering",
+        scim_data=make_scim_group_payload("Engineering", "eng-ext-id"),
+    )
+
+
+@pytest.fixture
+def request_factory():
+    return RequestFactory()
diff --git a/backend/tests/ee/authentication/scim/test_auth.py b/backend/tests/ee/authentication/scim/test_auth.py
new file mode 100644
index 000000000..de8f7c3e2
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/test_auth.py
@@ -0,0 +1,160 @@
+"""Tests for SCIMTokenAuthentication."""
+
+import hashlib
+from datetime import timedelta
+
+import pytest
+from django.utils import timezone
+from rest_framework.exceptions import AuthenticationFailed
+from rest_framework.test import APIRequestFactory
+
+from api.models import ActivatedPhaseLicense, Organisation, SCIMToken
+from ee.authentication.scim.auth import SCIMServiceUser, SCIMTokenAuthentication
+
+from .conftest import TOKEN_HASH, TOKEN_RAW
+
+factory = APIRequestFactory()
+
+
+def _make_request(token=TOKEN_RAW):
+    """Create a DRF request with the given Bearer token."""
+    request = factory.get(
+        "/scim/v2/Users",
+        HTTP_AUTHORIZATION=f"Bearer {token}",
+    )
+    return request
+
+
+@pytest.mark.django_db
+class TestSCIMTokenAuthentication:
+
+    def test_valid_token(self, scim_token, organisation):
+        auth = SCIMTokenAuthentication()
+        request = _make_request()
+        user, auth_info = auth.authenticate(request)
+
+        assert isinstance(user, SCIMServiceUser)
+        assert user.is_authenticated
+        assert str(auth_info["organisation"].id) == str(organisation.id)
+        assert str(auth_info["scim_token"].id) == str(scim_token.id)
+
+    def test_updates_last_used_at(self, scim_token):
+        assert scim_token.last_used_at is None
+
+        auth = SCIMTokenAuthentication()
+        auth.authenticate(_make_request())
+
+        scim_token.refresh_from_db()
+        assert scim_token.last_used_at is not None
+
+    def test_no_auth_header_returns_none(self, scim_token):
+        """Missing Authorization header should return None (not raise), allowing other authenticators to try."""
+        auth = SCIMTokenAuthentication()
+        request = factory.get("/scim/v2/Users")
+        result = auth.authenticate(request)
+        assert result is None
+
+    def test_non_bearer_header_returns_none(self, scim_token):
+        auth = SCIMTokenAuthentication()
+        request = factory.get(
+            "/scim/v2/Users",
+            HTTP_AUTHORIZATION="Basic dXNlcjpwYXNz",
+        )
+        result = auth.authenticate(request)
+        assert result is None
+
+    def test_non_scim_bearer_token_returns_none(self, scim_token):
+        """Phase tokens (pss_service:v2:...) should be ignored."""
+        auth = SCIMTokenAuthentication()
+        request = _make_request(token="pss_service:v2:prefix:body")
+        result = auth.authenticate(request)
+        assert result is None
+
+    def test_invalid_token_hash_raises(self, scim_token):
+        auth = SCIMTokenAuthentication()
+        request = _make_request(token="ph_scim:v1:fake:invalid_token_value")
+        with pytest.raises(AuthenticationFailed, match="Invalid SCIM token"):
+            auth.authenticate(request)
+
+    def test_expired_token_raises(self, scim_token):
+        scim_token.expires_at = timezone.now() - timedelta(hours=1)
+        scim_token.save(update_fields=["expires_at"])
+
+        auth = SCIMTokenAuthentication()
+        with pytest.raises(AuthenticationFailed, match="expired"):
+            auth.authenticate(_make_request())
+
+    def test_non_expired_token_works(self, scim_token):
+        scim_token.expires_at = timezone.now() + timedelta(days=30)
+        scim_token.save(update_fields=["expires_at"])
+
+        auth = SCIMTokenAuthentication()
+        user, _ = auth.authenticate(_make_request())
+        assert user.is_authenticated
+
+    def test_scim_disabled_on_org_raises(self, scim_token, organisation):
+        organisation.scim_enabled = False
+        organisation.save(update_fields=["scim_enabled"])
+
+        auth = SCIMTokenAuthentication()
+        with pytest.raises(AuthenticationFailed, match="not enabled"):
+            auth.authenticate(_make_request())
+
+    def test_token_is_inactive_raises(self, scim_token):
+        scim_token.is_active = False
+        scim_token.save(update_fields=["is_active"])
+
+        auth = SCIMTokenAuthentication()
+        with pytest.raises(AuthenticationFailed, match="disabled"):
+            auth.authenticate(_make_request())
+
+    def test_soft_deleted_token_raises(self, scim_token):
+        scim_token.deleted_at = timezone.now()
+        scim_token.save(update_fields=["deleted_at"])
+
+        auth = SCIMTokenAuthentication()
+        with pytest.raises(AuthenticationFailed, match="Invalid SCIM token"):
+            auth.authenticate(_make_request())
+
+    def test_non_enterprise_plan_without_license_raises(self, scim_token, organisation):
+        organisation.plan = "FR"
+        organisation.save(update_fields=["plan"])
+
+        auth = SCIMTokenAuthentication()
+        with pytest.raises(AuthenticationFailed, match="Enterprise plan"):
+            auth.authenticate(_make_request())
+
+    def test_non_enterprise_plan_with_license_works(self, scim_token, organisation):
+        """An activated license should bypass the plan check."""
+        organisation.plan = "FR"
+        organisation.save(update_fields=["plan"])
+
+        ActivatedPhaseLicense.objects.create(
+            id="test-license-id",
+            customer_name="TestCorp",
+            organisation=organisation,
+            plan="EN",
+            metadata={},
+            environment="production",
+            license_type="enterprise",
+            signature_date=timezone.now().date(),
+            issuing_authority="Phase",
+            issued_at=timezone.now(),
+            expires_at=timezone.now() + timedelta(days=365),
+        )
+
+        auth = SCIMTokenAuthentication()
+        user, _ = auth.authenticate(_make_request())
+        assert user.is_authenticated
+
+
+@pytest.mark.django_db
+class TestSCIMServiceUser:
+
+    def test_service_user_properties(self, scim_token):
+        user = SCIMServiceUser(scim_token)
+        assert user.is_authenticated is True
+        assert user.is_active is True
+        assert user.id == scim_token.id
+        assert user.organisation == scim_token.organisation
+        assert user.scim_token == scim_token
diff --git a/backend/tests/ee/authentication/scim/test_filters.py b/backend/tests/ee/authentication/scim/test_filters.py
new file mode 100644
index 000000000..75fa06bc8
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/test_filters.py
@@ -0,0 +1,100 @@
+"""Unit tests for the SCIM filter parser — no database required."""
+
+import pytest
+
+from ee.authentication.scim.filters import (
+    parse_patch_path_filter,
+    parse_scim_filter,
+)
+
+
+class TestParseScimFilter:
+    """Tests for the SCIM filter expression parser."""
+
+    def test_simple_eq(self):
+        result = parse_scim_filter('userName eq "alice@example.com"')
+        assert result == [("username", "eq", "alice@example.com")]
+
+    def test_eq_case_insensitive_operator(self):
+        result = parse_scim_filter('userName EQ "alice@example.com"')
+        assert result == [("username", "eq", "alice@example.com")]
+
+    def test_and_conjunction(self):
+        result = parse_scim_filter(
+            'userName eq "alice@example.com" and externalId eq "ext-123"'
+        )
+        assert result == [
+            ("username", "eq", "alice@example.com"),
+            ("externalid", "eq", "ext-123"),
+        ]
+
+    def test_and_case_insensitive(self):
+        result = parse_scim_filter(
+            'userName eq "alice@example.com" AND externalId eq "ext-123"'
+        )
+        assert len(result) == 2
+
+    def test_empty_string(self):
+        assert parse_scim_filter("") == []
+
+    def test_none_value(self):
+        assert parse_scim_filter(None) == []
+
+    def test_external_id_filter(self):
+        result = parse_scim_filter('externalId eq "abc-123-def"')
+        assert result == [("externalid", "eq", "abc-123-def")]
+
+    def test_display_name_filter(self):
+        result = parse_scim_filter('displayName eq "Engineering"')
+        assert result == [("displayname", "eq", "Engineering")]
+
+    def test_unsupported_operator_still_parsed(self):
+        """Parser extracts clauses regardless of operator; queryset builder ignores non-eq."""
+        result = parse_scim_filter('userName co "alice"')
+        assert result == [("username", "co", "alice")]
+
+    def test_malformed_filter_no_quotes(self):
+        result = parse_scim_filter("userName eq alice")
+        assert result == []
+
+    def test_malformed_filter_missing_value(self):
+        result = parse_scim_filter('userName eq ""')
+        assert result == [("username", "eq", "")]
+
+    def test_email_with_special_chars(self):
+        result = parse_scim_filter('userName eq "user+tag@sub.example.com"')
+        assert result == [("username", "eq", "user+tag@sub.example.com")]
+
+    def test_attribute_lowercased(self):
+        result = parse_scim_filter('UserName eq "test"')
+        assert result[0][0] == "username"
+
+
+class TestParsePatchPathFilter:
+    """Tests for Azure Entra ID-style PATCH member removal path parsing."""
+
+    def test_azure_entra_format(self):
+        result = parse_patch_path_filter('members[value eq "abc-123-def"]')
+        assert result == "abc-123-def"
+
+    def test_uuid_value(self):
+        result = parse_patch_path_filter(
+            'members[value eq "550e8400-e29b-41d4-a716-446655440000"]'
+        )
+        assert result == "550e8400-e29b-41d4-a716-446655440000"
+
+    def test_case_insensitive(self):
+        result = parse_patch_path_filter('members[value EQ "abc-123"]')
+        assert result == "abc-123"
+
+    def test_non_member_path_returns_none(self):
+        assert parse_patch_path_filter("displayName") is None
+
+    def test_plain_members_returns_none(self):
+        assert parse_patch_path_filter("members") is None
+
+    def test_empty_string(self):
+        assert parse_patch_path_filter("") is None
+
+    def test_malformed_bracket(self):
+        assert parse_patch_path_filter('members[value eq "abc"') is None
diff --git a/backend/tests/ee/authentication/scim/test_groups.py b/backend/tests/ee/authentication/scim/test_groups.py
new file mode 100644
index 000000000..b3be0a5ed
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/test_groups.py
@@ -0,0 +1,724 @@
+"""Integration tests for SCIM /Groups endpoints.
+
+Covers: list, filter, create, get, replace (PUT), partial update (PATCH), delete.
+Tests both Entra ID and Okta payload/patch formats where they diverge.
+"""
+
+import json
+
+import pytest
+
+from api.models import (
+    SCIMEvent,
+    SCIMGroup,
+    SCIMUser,
+    Team,
+    TeamMembership,
+)
+
+from .conftest import (
+    SCIM_CONTENT_TYPE,
+    make_patch_op,
+    make_scim_group_payload,
+)
+
+GROUPS_URL = "/scim/v2/Groups"
+
+
+def group_url(scim_group_id):
+    return f"{GROUPS_URL}/{scim_group_id}"
+
+
+# ---------------------------------------------------------------------------
+# List / Filter
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestListGroups:
+
+    def test_list_empty(self, scim_client, scim_token):
+        resp = scim_client.get(GROUPS_URL)
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["totalResults"] == 0
+        assert data["Resources"] == []
+
+    def test_list_returns_groups(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(GROUPS_URL)
+        data = resp.json()
+        assert data["totalResults"] == 1
+        assert data["Resources"][0]["displayName"] == "Engineering"
+
+    def test_list_includes_members(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(GROUPS_URL)
+        members = resp.json()["Resources"][0]["members"]
+        assert len(members) == 2
+
+    def test_filter_by_display_name(
+        self, scim_client, scim_group_engineering, organisation
+    ):
+        # Create a second group
+        team2 = Team.objects.create(
+            name="Marketing", organisation=organisation, is_scim_managed=True
+        )
+        SCIMGroup.objects.create(
+            external_id="mkt-ext",
+            organisation=organisation,
+            team=team2,
+            display_name="Marketing",
+        )
+
+        resp = scim_client.get(
+            GROUPS_URL, {"filter": 'displayName eq "Engineering"'}
+        )
+        data = resp.json()
+        assert data["totalResults"] == 1
+        assert data["Resources"][0]["displayName"] == "Engineering"
+
+    def test_filter_by_external_id(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(
+            GROUPS_URL, {"filter": 'externalId eq "eng-ext-id"'}
+        )
+        data = resp.json()
+        assert data["totalResults"] == 1
+
+    def test_filter_no_match(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(
+            GROUPS_URL, {"filter": 'displayName eq "Nonexistent"'}
+        )
+        assert resp.json()["totalResults"] == 0
+
+    def test_pagination(self, scim_client, scim_group_engineering, organisation):
+        team2 = Team.objects.create(
+            name="Marketing", organisation=organisation, is_scim_managed=True
+        )
+        SCIMGroup.objects.create(
+            external_id="mkt-ext",
+            organisation=organisation,
+            team=team2,
+            display_name="Marketing",
+        )
+
+        resp = scim_client.get(GROUPS_URL, {"startIndex": 1, "count": 1})
+        data = resp.json()
+        assert data["totalResults"] == 2
+        assert len(data["Resources"]) == 1
+
+
+# ---------------------------------------------------------------------------
+# Create (POST)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestCreateGroup:
+
+    def test_create_group(self, scim_client, scim_token, developer_role):
+        payload = make_scim_group_payload("Design", "design-ext-id")
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        data = resp.json()
+        assert data["displayName"] == "Design"
+        assert data["externalId"] == "design-ext-id"
+        assert "/scim/v2/Groups/" in data["meta"]["location"]
+
+        # Verify Team created
+        scim_group = SCIMGroup.objects.get(id=data["id"])
+        assert scim_group.team is not None
+        assert scim_group.team.is_scim_managed is True
+        assert scim_group.team.name == "Design"
+
+    def test_create_group_with_description(self, scim_client, scim_token, developer_role):
+        payload = make_scim_group_payload(
+            "QA Team", "qa-ext-id", description="Quality Assurance"
+        )
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_group = SCIMGroup.objects.get(id=resp.json()["id"])
+        assert scim_group.team.description == "Quality Assurance"
+
+    def test_create_group_with_initial_members(
+        self, scim_client, scim_user_alice, scim_user_bob
+    ):
+        payload = make_scim_group_payload(
+            "NewTeam",
+            "new-ext-id",
+            members=[
+                {"value": str(scim_user_alice.id)},
+                {"value": str(scim_user_bob.id)},
+            ],
+        )
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_group = SCIMGroup.objects.get(id=resp.json()["id"])
+        assert scim_group.team.memberships.count() == 2
+
+    def test_create_group_missing_display_name_returns_400(
+        self, scim_client, scim_token
+    ):
+        payload = {
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+            "externalId": "x",
+        }
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 400
+
+    @pytest.mark.django_db(transaction=True)
+    def test_create_duplicate_external_id_returns_409(
+        self, scim_client, scim_group_engineering
+    ):
+        payload = make_scim_group_payload("Another", "eng-ext-id")
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 409
+
+    def test_create_group_logs_event(self, scim_client, scim_token, developer_role):
+        payload = make_scim_group_payload("Logged Group", "log-ext-id")
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        event = SCIMEvent.objects.filter(
+            event_type="group_created", status="success"
+        ).first()
+        assert event is not None
+        assert event.resource_name == "Logged Group"
+        assert event.response_status == 201
+
+    def test_create_group_truncates_long_name(
+        self, scim_client, scim_token, developer_role
+    ):
+        long_name = "A" * 100
+        payload = make_scim_group_payload(long_name, "long-ext-id")
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_group = SCIMGroup.objects.get(id=resp.json()["id"])
+        assert len(scim_group.team.name) == 64
+
+
+# ---------------------------------------------------------------------------
+# Get (GET /:id)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestGetGroup:
+
+    def test_get_existing_group(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(group_url(scim_group_engineering.id))
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["displayName"] == "Engineering"
+        assert len(data["members"]) == 2
+
+    def test_get_nonexistent_group(self, scim_client, scim_token):
+        resp = scim_client.get(group_url("nonexistent-id"))
+        assert resp.status_code == 404
+
+    def test_get_group_members_have_correct_format(
+        self, scim_client, scim_group_engineering
+    ):
+        resp = scim_client.get(group_url(scim_group_engineering.id))
+        members = resp.json()["members"]
+        for m in members:
+            assert "value" in m
+            assert "display" in m
+
+
+# ---------------------------------------------------------------------------
+# Replace (PUT — Okta's primary method for group updates)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestReplaceGroup:
+
+    def test_rename_group_via_put(self, scim_client, scim_group_engineering):
+        payload = make_scim_group_payload(
+            "Engineering v2",
+            "eng-ext-id",
+            members=[
+                {"value": str(m["value"])}
+                for m in scim_client.get(
+                    group_url(scim_group_engineering.id)
+                ).json()["members"]
+            ],
+        )
+        resp = scim_client.put(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_group_engineering.refresh_from_db()
+        assert scim_group_engineering.display_name == "Engineering v2"
+        scim_group_engineering.team.refresh_from_db()
+        assert scim_group_engineering.team.name == "Engineering v2"
+
+    def test_put_membership_diff_adds_new_members(
+        self,
+        scim_client,
+        scim_group_engineering,
+        scim_user_alice,
+        scim_user_bob,
+        organisation,
+        developer_role,
+    ):
+        """PUT with a new member in the list should add them."""
+        # Create a third user
+        from api.models import CustomUser, OrganisationMember
+
+        user_carol = CustomUser.objects.create(
+            username="carol@example.com", email="carol@example.com"
+        )
+        om_carol = OrganisationMember.objects.create(
+            user=user_carol,
+            organisation=organisation,
+            role=developer_role,
+            identity_key="",
+            wrapped_keyring="",
+            wrapped_recovery="",
+        )
+        scim_carol = SCIMUser.objects.create(
+            external_id="carol-ext",
+            organisation=organisation,
+            user=user_carol,
+            org_member=om_carol,
+            email="carol@example.com",
+            display_name="Carol Test",
+            active=True,
+        )
+
+        payload = make_scim_group_payload(
+            "Engineering",
+            "eng-ext-id",
+            members=[
+                {"value": str(scim_user_alice.id)},
+                {"value": str(scim_user_bob.id)},
+                {"value": str(scim_carol.id)},
+            ],
+        )
+        resp = scim_client.put(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert scim_group_engineering.team.memberships.count() == 3
+
+    def test_put_membership_diff_removes_departed_members(
+        self, scim_client, scim_group_engineering, scim_user_alice, scim_user_bob
+    ):
+        """PUT without a current member should remove them."""
+        payload = make_scim_group_payload(
+            "Engineering",
+            "eng-ext-id",
+            members=[{"value": str(scim_user_alice.id)}],
+        )
+        resp = scim_client.put(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert scim_group_engineering.team.memberships.count() == 1
+        assert not TeamMembership.objects.filter(
+            team=scim_group_engineering.team,
+            org_member=scim_user_bob.org_member,
+        ).exists()
+
+    def test_put_empty_members_removes_all(
+        self, scim_client, scim_group_engineering
+    ):
+        payload = make_scim_group_payload("Engineering", "eng-ext-id", members=[])
+        resp = scim_client.put(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert scim_group_engineering.team.memberships.count() == 0
+
+
+# ---------------------------------------------------------------------------
+# Partial update (PATCH — Entra ID's primary method for groups)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestPatchGroup:
+
+    # -- Add members --
+
+    def test_add_member_entra_style(
+        self,
+        scim_client,
+        scim_group_engineering,
+        organisation,
+        developer_role,
+    ):
+        """Entra ID sends PATCH Add members with value array."""
+        from api.models import CustomUser, OrganisationMember
+
+        user_dave = CustomUser.objects.create(
+            username="dave@example.com", email="dave@example.com"
+        )
+        om_dave = OrganisationMember.objects.create(
+            user=user_dave,
+            organisation=organisation,
+            role=developer_role,
+            identity_key="",
+            wrapped_keyring="",
+            wrapped_recovery="",
+        )
+        scim_dave = SCIMUser.objects.create(
+            external_id="dave-ext",
+            organisation=organisation,
+            user=user_dave,
+            org_member=om_dave,
+            email="dave@example.com",
+            display_name="Dave Test",
+            active=True,
+        )
+
+        payload = make_patch_op([
+            {
+                "op": "Add",
+                "path": "members",
+                "value": [{"value": str(scim_dave.id)}],
+            }
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert scim_group_engineering.team.memberships.count() == 3
+        assert TeamMembership.objects.filter(
+            team=scim_group_engineering.team, org_member=om_dave
+        ).exists()
+
+    def test_add_member_logs_event(
+        self,
+        scim_client,
+        scim_group_engineering,
+        organisation,
+        developer_role,
+    ):
+        from api.models import CustomUser, OrganisationMember
+
+        user_eve = CustomUser.objects.create(
+            username="eve@example.com", email="eve@example.com"
+        )
+        om_eve = OrganisationMember.objects.create(
+            user=user_eve,
+            organisation=organisation,
+            role=developer_role,
+            identity_key="",
+            wrapped_keyring="",
+            wrapped_recovery="",
+        )
+        scim_eve = SCIMUser.objects.create(
+            external_id="eve-ext",
+            organisation=organisation,
+            user=user_eve,
+            org_member=om_eve,
+            email="eve@example.com",
+            display_name="Eve Test",
+            active=True,
+        )
+
+        payload = make_patch_op([
+            {"op": "Add", "path": "members", "value": [{"value": str(scim_eve.id)}]}
+        ])
+        scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        event = SCIMEvent.objects.filter(event_type="member_added").first()
+        assert event is not None
+        assert event.detail["member_email"] == "eve@example.com"
+
+    def test_add_member_idempotent(
+        self, scim_client, scim_group_engineering, scim_user_alice
+    ):
+        """Adding an already-present member should not create duplicates."""
+        payload = make_patch_op([
+            {
+                "op": "Add",
+                "path": "members",
+                "value": [{"value": str(scim_user_alice.id)}],
+            }
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        # Still only 2 memberships (alice and bob), not 3
+        assert scim_group_engineering.team.memberships.count() == 2
+
+    # -- Remove members (Entra ID format) --
+
+    def test_remove_member_entra_bracket_notation(
+        self, scim_client, scim_group_engineering, scim_user_bob
+    ):
+        """Entra ID sends: op=Remove, path='members[value eq "id"]'."""
+        payload = make_patch_op([
+            {
+                "op": "Remove",
+                "path": f'members[value eq "{scim_user_bob.id}"]',
+            }
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert not TeamMembership.objects.filter(
+            team=scim_group_engineering.team,
+            org_member=scim_user_bob.org_member,
+        ).exists()
+        # Alice should still be there
+        assert scim_group_engineering.team.memberships.count() == 1
+
+    # -- Remove members (Okta format) --
+
+    def test_remove_member_okta_value_array(
+        self, scim_client, scim_group_engineering, scim_user_bob
+    ):
+        """Okta sends: op=Remove, path='members', value=[{"value": "id"}]."""
+        payload = make_patch_op([
+            {
+                "op": "Remove",
+                "path": "members",
+                "value": [{"value": str(scim_user_bob.id)}],
+            }
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert not TeamMembership.objects.filter(
+            team=scim_group_engineering.team,
+            org_member=scim_user_bob.org_member,
+        ).exists()
+
+    def test_remove_member_logs_event(
+        self, scim_client, scim_group_engineering, scim_user_bob
+    ):
+        payload = make_patch_op([
+            {
+                "op": "Remove",
+                "path": f'members[value eq "{scim_user_bob.id}"]',
+            }
+        ])
+        scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        event = SCIMEvent.objects.filter(event_type="member_removed").first()
+        assert event is not None
+        assert event.detail["member_email"] == "bob@example.com"
+
+    def test_remove_nonexistent_member_is_noop(
+        self, scim_client, scim_group_engineering
+    ):
+        """Removing a member that's not in the group should not error."""
+        payload = make_patch_op([
+            {
+                "op": "Remove",
+                "path": 'members[value eq "nonexistent-id"]',
+            }
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert scim_group_engineering.team.memberships.count() == 2
+
+    # -- Rename group --
+
+    def test_rename_via_patch_replace(self, scim_client, scim_group_engineering):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "displayName", "value": "Platform"},
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_group_engineering.refresh_from_db()
+        assert scim_group_engineering.display_name == "Platform"
+        scim_group_engineering.team.refresh_from_db()
+        assert scim_group_engineering.team.name == "Platform"
+
+    def test_rename_via_patch_add(self, scim_client, scim_group_engineering):
+        """Some IdPs use 'Add' op for displayName updates."""
+        payload = make_patch_op([
+            {"op": "Add", "path": "displayName", "value": "Infrastructure"},
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_group_engineering.team.refresh_from_db()
+        assert scim_group_engineering.team.name == "Infrastructure"
+
+    # -- Update description --
+
+    def test_update_description_via_patch(self, scim_client, scim_group_engineering):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "description", "value": "The engineering team"},
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_group_engineering.team.refresh_from_db()
+        assert scim_group_engineering.team.description == "The engineering team"
+
+    # -- No operations --
+
+    def test_patch_no_operations_returns_400(self, scim_client, scim_group_engineering):
+        payload = {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [],
+        }
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 400
+
+    # -- Remove last member --
+
+    def test_remove_all_members_leaves_empty_team(
+        self, scim_client, scim_group_engineering, scim_user_alice, scim_user_bob
+    ):
+        payload = make_patch_op([
+            {
+                "op": "Remove",
+                "path": f'members[value eq "{scim_user_alice.id}"]',
+            },
+            {
+                "op": "Remove",
+                "path": f'members[value eq "{scim_user_bob.id}"]',
+            },
+        ])
+        resp = scim_client.patch(
+            group_url(scim_group_engineering.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert scim_group_engineering.team.memberships.count() == 0
+        # Team still exists
+        scim_group_engineering.team.refresh_from_db()
+        assert scim_group_engineering.team.deleted_at is None
+
+
+# ---------------------------------------------------------------------------
+# Delete (DELETE)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestDeleteGroup:
+
+    def test_delete_returns_204(self, scim_client, scim_group_engineering):
+        resp = scim_client.delete(group_url(scim_group_engineering.id))
+        assert resp.status_code == 204
+
+    def test_delete_soft_deletes_team(self, scim_client, scim_group_engineering):
+        team = scim_group_engineering.team
+        scim_client.delete(group_url(scim_group_engineering.id))
+        team.refresh_from_db()
+        assert team.deleted_at is not None
+
+    def test_delete_removes_scim_group_record(
+        self, scim_client, scim_group_engineering
+    ):
+        group_id = scim_group_engineering.id
+        scim_client.delete(group_url(group_id))
+        assert not SCIMGroup.objects.filter(id=group_id).exists()
+
+    def test_delete_does_not_affect_member_org_membership(
+        self, scim_client, scim_group_engineering, scim_user_alice
+    ):
+        """Deleting a group should not deactivate the member's org membership."""
+        scim_client.delete(group_url(scim_group_engineering.id))
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is None
+
+    def test_delete_logs_event(self, scim_client, scim_group_engineering):
+        scim_client.delete(group_url(scim_group_engineering.id))
+        event = SCIMEvent.objects.filter(event_type="group_deleted").first()
+        assert event is not None
+        assert event.resource_name == "Engineering"
+        assert event.response_status == 204
+
+    def test_delete_nonexistent_returns_404(self, scim_client, scim_token):
+        resp = scim_client.delete(group_url("nonexistent-id"))
+        assert resp.status_code == 404
+
+
+# ---------------------------------------------------------------------------
+# Response format
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestGroupResponseFormat:
+
+    def test_response_contains_schemas(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(group_url(scim_group_engineering.id))
+        data = resp.json()
+        assert "urn:ietf:params:scim:schemas:core:2.0:Group" in data["schemas"]
+
+    def test_response_meta_location_format(self, scim_client, scim_group_engineering):
+        resp = scim_client.get(group_url(scim_group_engineering.id))
+        location = resp.json()["meta"]["location"]
+        assert location.startswith("https://")
+        assert "/service/scim/v2/Groups/" in location
diff --git a/backend/tests/ee/authentication/scim/test_lifecycle.py b/backend/tests/ee/authentication/scim/test_lifecycle.py
new file mode 100644
index 000000000..bad682cfd
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/test_lifecycle.py
@@ -0,0 +1,627 @@
+"""End-to-end lifecycle tests for SCIM provisioning.
+
+These tests simulate complete IdP provisioning flows — the same multi-step
+sequences that Entra ID and Okta perform in production — and verify the
+cumulative state after each step.
+"""
+
+import json
+
+import pytest
+
+from api.models import (
+    CustomUser,
+    Organisation,
+    OrganisationMember,
+    SCIMEvent,
+    SCIMGroup,
+    SCIMUser,
+    Team,
+    TeamMembership,
+)
+
+from .conftest import (
+    SCIM_CONTENT_TYPE,
+    make_patch_op,
+    make_scim_group_payload,
+    make_scim_user_payload,
+)
+
+USERS_URL = "/scim/v2/Users"
+GROUPS_URL = "/scim/v2/Groups"
+
+
+# ---------------------------------------------------------------------------
+# Scenario 9.1: Full user lifecycle
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestFullUserLifecycle:
+    """
+    1. Provision user
+    2. Push group containing user
+    3. (SSO login + key ceremony simulated)
+    4. Remove user from group
+    5. Verify user still in org but not in team
+    6. Unassign user → deactivated
+    """
+
+    def test_full_lifecycle(self, scim_client, scim_token, developer_role, organisation):
+        # 1. Provision user
+        user_payload = make_scim_user_payload(
+            "lifecycle@example.com", "lifecycle-ext"
+        )
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(user_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_user_id = resp.json()["id"]
+
+        scim_user = SCIMUser.objects.get(id=scim_user_id)
+        assert scim_user.active is True
+        assert scim_user.org_member.identity_key == ""  # Pending
+
+        # 2. Push group containing this user
+        group_payload = make_scim_group_payload(
+            "Lifecycle Team",
+            "lifecycle-grp-ext",
+            members=[{"value": scim_user_id}],
+        )
+        resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(group_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_group_id = resp.json()["id"]
+        scim_group = SCIMGroup.objects.get(id=scim_group_id)
+        assert scim_group.team.memberships.count() == 1
+
+        # 3. Simulate SSO login + key ceremony (set identity_key)
+        scim_user.org_member.identity_key = "real-identity-key"
+        scim_user.org_member.wrapped_keyring = "real-keyring"
+        scim_user.org_member.wrapped_recovery = "real-recovery"
+        scim_user.org_member.save()
+
+        # 4. Remove user from group (Entra ID style)
+        remove_payload = make_patch_op([
+            {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
+        ])
+        resp = scim_client.patch(
+            f"{GROUPS_URL}/{scim_group_id}",
+            data=json.dumps(remove_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # 5. Verify: user still in org, not in team
+        scim_user.refresh_from_db()
+        assert scim_user.active is True
+        scim_user.org_member.refresh_from_db()
+        assert scim_user.org_member.deleted_at is None
+        assert not TeamMembership.objects.filter(
+            org_member=scim_user.org_member
+        ).exists()
+
+        # 6. Unassign user (Entra PATCH active=false)
+        deactivate_payload = make_patch_op([
+            {"op": "Replace", "path": "active", "value": "False"}
+        ])
+        resp = scim_client.patch(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(deactivate_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # Verify final state
+        scim_user.refresh_from_db()
+        assert scim_user.active is False
+        scim_user.org_member.refresh_from_db()
+        assert scim_user.org_member.deleted_at is not None
+        assert scim_user.org_member.identity_key == ""
+        assert scim_user.org_member.wrapped_keyring == ""
+
+        # Verify audit trail
+        events = SCIMEvent.objects.filter(
+            organisation=organisation
+        ).order_by("timestamp")
+        event_types = [e.event_type for e in events]
+        assert "user_created" in event_types
+        assert "group_created" in event_types
+        assert "member_removed" in event_types
+        assert "user_deactivated" in event_types
+
+
+# ---------------------------------------------------------------------------
+# Scenario 9.2: Deactivate → reactivate with different group membership
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestDeactivateReactivateDifferentGroups:
+    """
+    1. User in Group A and Group B
+    2. Deactivate user → memberships cleared
+    3. Remove user from Group B in IdP (while deactivated)
+    4. Reactivate user
+    5. IdP re-pushes: user added to Group A only
+    6. Verify: user in Team A, NOT in Team B
+    """
+
+    def test_reactivation_with_different_groups(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        # Setup: provision user
+        user_payload = make_scim_user_payload("regroup@example.com", "regroup-ext")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(user_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user_id = resp.json()["id"]
+
+        # Create Group A and Group B with user
+        for name, ext_id in [("Group A", "grp-a-ext"), ("Group B", "grp-b-ext")]:
+            resp = scim_client.post(
+                GROUPS_URL,
+                data=json.dumps(
+                    make_scim_group_payload(name, ext_id, members=[{"value": scim_user_id}])
+                ),
+                content_type=SCIM_CONTENT_TYPE,
+            )
+            assert resp.status_code == 201
+
+        scim_user = SCIMUser.objects.get(id=scim_user_id)
+        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 2
+
+        # Deactivate user (Okta PUT style)
+        deactivate_payload = make_scim_user_payload(
+            "regroup@example.com", "regroup-ext", active=False
+        )
+        resp = scim_client.put(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(deactivate_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # All team memberships should be cleared
+        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 0
+
+        # Reactivate user
+        reactivate_payload = make_scim_user_payload(
+            "regroup@example.com", "regroup-ext", active=True
+        )
+        resp = scim_client.put(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(reactivate_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_user.refresh_from_db()
+        assert scim_user.active is True
+
+        # Still no team memberships (IdP hasn't re-pushed yet)
+        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 0
+
+        # IdP re-pushes Group A only (simulating user was removed from B while deactivated)
+        group_a = SCIMGroup.objects.get(external_id="grp-a-ext")
+        add_payload = make_patch_op([
+            {"op": "Add", "path": "members", "value": [{"value": scim_user_id}]}
+        ])
+        resp = scim_client.patch(
+            f"{GROUPS_URL}/{group_a.id}",
+            data=json.dumps(add_payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # Verify: in Group A's team, NOT in Group B's team
+        group_b = SCIMGroup.objects.get(external_id="grp-b-ext")
+        assert TeamMembership.objects.filter(
+            team=group_a.team, org_member=scim_user.org_member
+        ).exists()
+        assert not TeamMembership.objects.filter(
+            team=group_b.team, org_member=scim_user.org_member
+        ).exists()
+
+
+# ---------------------------------------------------------------------------
+# Scenario 9.3: Entra ID group removal triggers user deprovisioning
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestEntraGroupRemovalThenUserDeactivation:
+    """
+    Entra ID's deprovisioning sequence:
+    1. PATCH /Groups/:id — remove member from group
+    2. PATCH /Users/:id — deactivate user (arrives ~10-30s later)
+    """
+
+    def test_entra_deprovisioning_sequence(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        # Provision user and group
+        user_resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(
+                make_scim_user_payload("entra-flow@example.com", "entra-flow-ext")
+            ),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user_id = user_resp.json()["id"]
+
+        group_resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(
+                make_scim_group_payload(
+                    "Entra Team", "entra-team-ext",
+                    members=[{"value": scim_user_id}],
+                )
+            ),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_group_id = group_resp.json()["id"]
+
+        # Step 1: Entra removes user from group
+        resp = scim_client.patch(
+            f"{GROUPS_URL}/{scim_group_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # User still active but not in team
+        scim_user = SCIMUser.objects.get(id=scim_user_id)
+        assert scim_user.active is True
+        assert not TeamMembership.objects.filter(
+            org_member=scim_user.org_member
+        ).exists()
+
+        # Step 2: Entra deactivates user (arrives later)
+        resp = scim_client.patch(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Replace", "path": "active", "value": "False"}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # Verify final state
+        scim_user.refresh_from_db()
+        assert scim_user.active is False
+        scim_user.org_member.refresh_from_db()
+        assert scim_user.org_member.deleted_at is not None
+
+        # Verify event sequence
+        events = list(
+            SCIMEvent.objects.filter(organisation=organisation)
+            .order_by("timestamp")
+            .values_list("event_type", flat=True)
+        )
+        assert "member_removed" in events
+        assert "user_deactivated" in events
+        # member_removed should come before user_deactivated
+        assert events.index("member_removed") < events.index("user_deactivated")
+
+
+# ---------------------------------------------------------------------------
+# Scenario: Multiple groups, single user — membership isolation
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestMultiGroupMembership:
+    """Removing a user from one group should not affect their membership in other groups."""
+
+    def test_remove_from_one_group_preserves_other(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        # Provision user
+        user_resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(make_scim_user_payload("multi@example.com", "multi-ext")),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user_id = user_resp.json()["id"]
+
+        # Create two groups with the same user
+        group_ids = []
+        for name, ext_id in [("Team Alpha", "alpha-ext"), ("Team Beta", "beta-ext")]:
+            resp = scim_client.post(
+                GROUPS_URL,
+                data=json.dumps(
+                    make_scim_group_payload(name, ext_id, members=[{"value": scim_user_id}])
+                ),
+                content_type=SCIM_CONTENT_TYPE,
+            )
+            group_ids.append(resp.json()["id"])
+
+        scim_user = SCIMUser.objects.get(id=scim_user_id)
+        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 2
+
+        # Remove from Team Alpha only
+        resp = scim_client.patch(
+            f"{GROUPS_URL}/{group_ids[0]}",
+            data=json.dumps(make_patch_op([
+                {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        # Verify: removed from Alpha, still in Beta
+        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 1
+        beta_group = SCIMGroup.objects.get(id=group_ids[1])
+        assert TeamMembership.objects.filter(
+            team=beta_group.team, org_member=scim_user.org_member
+        ).exists()
+
+
+# ---------------------------------------------------------------------------
+# Scenario: Provision user → link to existing account → verify preservation
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestProvisionExistingAccount:
+    """When SCIM provisions a user whose email already exists as a CustomUser,
+    the existing account should be linked without data loss."""
+
+    def test_existing_user_linked_preserves_data(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        # Pre-existing user (e.g. signed up manually before SCIM)
+        existing_user = CustomUser.objects.create(
+            username="veteran@example.com", email="veteran@example.com"
+        )
+        existing_user.set_password("some-password")
+        existing_user.save()
+
+        # SCIM provisions this email
+        payload = make_scim_user_payload("veteran@example.com", "veteran-ext")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+
+        # Verify link to existing user
+        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
+        assert str(scim_user.user.userId) == str(existing_user.userId)
+        # Existing password should still be set
+        existing_user.refresh_from_db()
+        assert existing_user.has_usable_password() is True
+        # No duplicate CustomUser
+        assert CustomUser.objects.filter(email="veteran@example.com").count() == 1
+
+
+# ---------------------------------------------------------------------------
+# Scenario: Group created empty, members added later
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestGroupCreatedEmptyThenPopulated:
+    """IdPs sometimes create the group first, then add members in subsequent PATCH calls."""
+
+    def test_empty_group_then_add_members(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        # Create user
+        user_resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(make_scim_user_payload("latejoin@example.com", "latejoin-ext")),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user_id = user_resp.json()["id"]
+
+        # Create empty group
+        group_resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(make_scim_group_payload("Empty First", "empty-ext")),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert group_resp.status_code == 201
+        scim_group_id = group_resp.json()["id"]
+        assert group_resp.json()["members"] == []
+
+        # Add member via PATCH
+        resp = scim_client.patch(
+            f"{GROUPS_URL}/{scim_group_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Add", "path": "members", "value": [{"value": scim_user_id}]}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+
+        scim_group = SCIMGroup.objects.get(id=scim_group_id)
+        assert scim_group.team.memberships.count() == 1
+
+
+# ---------------------------------------------------------------------------
+# Scenario: Cross-org isolation
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestCrossOrgIsolation:
+    """SCIM operations on one org should not affect another org's data."""
+
+    def test_cannot_access_other_org_users(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        # Create a user in our org
+        payload = make_scim_user_payload("ouruser@example.com", "our-ext")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        our_user_id = resp.json()["id"]
+
+        # Create another org and a user in it (directly in DB)
+        from api.models import Role
+
+        other_org = Organisation.objects.create(
+            name="OtherOrg", identity_key="other-key", plan="EN", scim_enabled=True
+        )
+        other_role = Role.objects.create(
+            name="Developer", organisation=other_org, is_default=True, permissions={}
+        )
+        other_user = CustomUser.objects.create(
+            username="other@example.com", email="other@example.com"
+        )
+        other_om = OrganisationMember.objects.create(
+            user=other_user,
+            organisation=other_org,
+            role=other_role,
+            identity_key="",
+            wrapped_keyring="",
+            wrapped_recovery="",
+        )
+        other_scim_user = SCIMUser.objects.create(
+            external_id="other-ext",
+            organisation=other_org,
+            user=other_user,
+            org_member=other_om,
+            email="other@example.com",
+            display_name="Other User",
+            active=True,
+        )
+
+        # Our token should not see the other org's user
+        resp = scim_client.get(f"{USERS_URL}/{other_scim_user.id}")
+        assert resp.status_code == 404
+
+        # List should only show our user
+        resp = scim_client.get(USERS_URL)
+        assert resp.json()["totalResults"] == 1
+        assert resp.json()["Resources"][0]["id"] == our_user_id
+
+
+# ---------------------------------------------------------------------------
+# Scenario: Audit trail completeness
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestAuditTrailCompleteness:
+    """Every state-changing SCIM operation should produce at least one SCIMEvent."""
+
+    def test_all_operations_logged(
+        self, scim_client, scim_token, developer_role, organisation
+    ):
+        SCIMEvent.objects.filter(organisation=organisation).delete()
+
+        # Create user
+        user_resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(make_scim_user_payload("audit@example.com", "audit-ext")),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user_id = user_resp.json()["id"]
+
+        # Create empty group, then add member via PATCH (to generate member_added event)
+        group_resp = scim_client.post(
+            GROUPS_URL,
+            data=json.dumps(make_scim_group_payload("Audit Team", "audit-grp-ext")),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_group_id = group_resp.json()["id"]
+
+        # Add member via PATCH (generates member_added event)
+        scim_client.patch(
+            f"{GROUPS_URL}/{scim_group_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Add", "path": "members", "value": [{"value": scim_user_id}]}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+
+        # Update user (PUT)
+        scim_client.put(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(make_scim_user_payload(
+                "audit@example.com", "audit-ext", display_name="Audit Updated"
+            )),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+
+        # Rename group
+        scim_client.patch(
+            f"{GROUPS_URL}/{scim_group_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Replace", "path": "displayName", "value": "Audit Team v2"}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+
+        # Remove user from group
+        scim_client.patch(
+            f"{GROUPS_URL}/{scim_group_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+
+        # Deactivate user
+        scim_client.patch(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Replace", "path": "active", "value": "False"}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+
+        # Reactivate user
+        scim_client.patch(
+            f"{USERS_URL}/{scim_user_id}",
+            data=json.dumps(make_patch_op([
+                {"op": "Replace", "path": "active", "value": "True"}
+            ])),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+
+        # Delete group
+        scim_client.delete(f"{GROUPS_URL}/{scim_group_id}")
+
+        # Delete user
+        scim_client.delete(f"{USERS_URL}/{scim_user_id}")
+
+        # Verify all event types were logged
+        event_types = set(
+            SCIMEvent.objects.filter(organisation=organisation)
+            .values_list("event_type", flat=True)
+        )
+        expected = {
+            "user_created",
+            "user_updated",
+            "user_deactivated",
+            "user_reactivated",
+            "group_created",
+            "group_updated",
+            "group_deleted",
+            "member_added",
+            "member_removed",
+        }
+        assert expected.issubset(event_types), f"Missing events: {expected - event_types}"
+
+        # Verify all events have required fields
+        for event in SCIMEvent.objects.filter(organisation=organisation):
+            assert event.scim_token is not None
+            assert event.event_type != ""
+            assert event.resource_type in ("user", "group")
+            assert event.request_method != ""
diff --git a/backend/tests/ee/authentication/scim/test_users.py b/backend/tests/ee/authentication/scim/test_users.py
new file mode 100644
index 000000000..f0156addf
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/test_users.py
@@ -0,0 +1,726 @@
+"""Integration tests for SCIM /Users endpoints.
+
+Covers: list, filter, create, get, replace (PUT), partial update (PATCH), delete.
+Tests both Entra ID and Okta payload formats where they diverge.
+"""
+
+import json
+
+import pytest
+
+from api.models import (
+    CustomUser,
+    OrganisationMember,
+    SCIMEvent,
+    SCIMUser,
+    TeamMembership,
+)
+
+from .conftest import (
+    SCIM_CONTENT_TYPE,
+    make_patch_op,
+    make_scim_user_payload,
+)
+
+USERS_URL = "/scim/v2/Users"
+
+
+def user_url(scim_user_id):
+    return f"{USERS_URL}/{scim_user_id}"
+
+
+# ---------------------------------------------------------------------------
+# List / Filter
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestListUsers:
+
+    def test_list_empty(self, scim_client, scim_token):
+        resp = scim_client.get(USERS_URL)
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["totalResults"] == 0
+        assert data["Resources"] == []
+
+    def test_list_returns_provisioned_users(self, scim_client, scim_user_alice, scim_user_bob):
+        resp = scim_client.get(USERS_URL)
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["totalResults"] == 2
+        emails = {r["userName"] for r in data["Resources"]}
+        assert emails == {"alice@example.com", "bob@example.com"}
+
+    def test_list_pagination_count(self, scim_client, scim_user_alice, scim_user_bob):
+        """count parameter limits the number of returned resources."""
+        resp = scim_client.get(USERS_URL, {"startIndex": 1, "count": 1})
+        data = resp.json()
+        assert data["totalResults"] == 2
+        assert len(data["Resources"]) == 1
+        assert data["startIndex"] == 1
+        assert data["itemsPerPage"] == 1
+
+    def test_filter_by_username(self, scim_client, scim_user_alice, scim_user_bob):
+        resp = scim_client.get(
+            USERS_URL, {"filter": 'userName eq "alice@example.com"'}
+        )
+        data = resp.json()
+        assert data["totalResults"] == 1
+        assert data["Resources"][0]["userName"] == "alice@example.com"
+
+    def test_filter_by_external_id(self, scim_client, scim_user_alice):
+        resp = scim_client.get(
+            USERS_URL, {"filter": 'externalId eq "alice-ext-id"'}
+        )
+        data = resp.json()
+        assert data["totalResults"] == 1
+        assert data["Resources"][0]["externalId"] == "alice-ext-id"
+
+    def test_filter_case_insensitive_email(self, scim_client, scim_user_alice):
+        resp = scim_client.get(
+            USERS_URL, {"filter": 'userName eq "ALICE@EXAMPLE.COM"'}
+        )
+        data = resp.json()
+        assert data["totalResults"] == 1
+
+    def test_filter_no_match(self, scim_client, scim_user_alice):
+        resp = scim_client.get(
+            USERS_URL, {"filter": 'userName eq "nobody@example.com"'}
+        )
+        data = resp.json()
+        assert data["totalResults"] == 0
+
+
+# ---------------------------------------------------------------------------
+# Create (POST)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestCreateUser:
+
+    def test_create_new_user(self, scim_client, scim_token, developer_role):
+        payload = make_scim_user_payload("carol@example.com", "carol-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        data = resp.json()
+
+        assert data["userName"] == "carol@example.com"
+        assert data["externalId"] == "carol-ext-id"
+        assert data["active"] is True
+        assert "meta" in data
+        assert "/scim/v2/Users/" in data["meta"]["location"]
+
+        # Verify DB state
+        scim_user = SCIMUser.objects.get(id=data["id"])
+        assert scim_user.email == "carol@example.com"
+        assert scim_user.active is True
+        assert scim_user.user is not None
+        assert scim_user.org_member is not None
+        assert scim_user.org_member.deleted_at is None
+
+    def test_create_user_links_existing_custom_user(
+        self, scim_client, scim_token, developer_role, db
+    ):
+        """If a CustomUser with the same email already exists, link to it."""
+        existing = CustomUser.objects.create(
+            username="existing@example.com", email="existing@example.com"
+        )
+        payload = make_scim_user_payload("existing@example.com", "existing-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
+        assert str(scim_user.user.userId) == str(existing.userId)
+
+    def test_create_user_no_identity_key(self, scim_client, scim_token, developer_role):
+        """SCIM-provisioned users should have empty identity_key (pending setup)."""
+        payload = make_scim_user_payload("pending@example.com", "pending-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
+        assert scim_user.org_member.identity_key == ""
+
+    def test_create_user_default_developer_role(
+        self, scim_client, scim_token, developer_role
+    ):
+        payload = make_scim_user_payload("dev@example.com", "dev-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
+        assert scim_user.org_member.role.name == "Developer"
+
+    def test_create_duplicate_external_id_returns_409(
+        self, scim_client, scim_user_alice
+    ):
+        payload = make_scim_user_payload("different@example.com", "alice-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 409
+        assert "uniqueness" in resp.json().get("scimType", "")
+
+    def test_create_duplicate_email_returns_409(self, scim_client, scim_user_alice):
+        payload = make_scim_user_payload("alice@example.com", "new-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 409
+
+    def test_create_missing_username_returns_400(self, scim_client, scim_token):
+        payload = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "externalId": "x"}
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 400
+
+    def test_create_missing_external_id_returns_400(self, scim_client, scim_token):
+        payload = {
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+            "userName": "test@example.com",
+        }
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 400
+
+    def test_create_user_with_active_false(
+        self, scim_client, scim_token, developer_role
+    ):
+        """Creating a user with active=false should provision then immediately deactivate."""
+        payload = make_scim_user_payload(
+            "inactive@example.com", "inactive-ext-id", active=False
+        )
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
+        assert scim_user.active is False
+        assert scim_user.org_member.deleted_at is not None
+
+    def test_create_user_logs_event(self, scim_client, scim_token, developer_role):
+        payload = make_scim_user_payload("logged@example.com", "logged-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        event = SCIMEvent.objects.filter(event_type="user_created", status="success").first()
+        assert event is not None
+        assert event.resource_name == "logged@example.com"
+        assert event.response_status == 201
+
+    @pytest.mark.django_db(transaction=True)
+    def test_create_duplicate_logs_error_event(self, scim_client, scim_user_alice):
+        payload = make_scim_user_payload("alice@example.com", "alice-ext-id")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 409
+        event = SCIMEvent.objects.filter(event_type="user_created", status="error").first()
+        assert event is not None
+        assert event.response_status == 409
+
+    def test_create_user_display_name_from_name_parts(
+        self, scim_client, scim_token, developer_role
+    ):
+        """If displayName is missing, build it from givenName + familyName."""
+        payload = {
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+            "externalId": "nodisp-ext",
+            "userName": "nodisp@example.com",
+            "name": {"givenName": "Jane", "familyName": "Doe"},
+            "active": True,
+        }
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        assert resp.json()["displayName"] == "Jane Doe"
+
+    def test_create_user_email_from_emails_array(
+        self, scim_client, scim_token, developer_role
+    ):
+        """If userName is empty, fall back to emails array."""
+        payload = {
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+            "externalId": "emails-ext",
+            "userName": "",
+            "emails": [{"value": "fallback@example.com", "type": "work", "primary": True}],
+            "active": True,
+        }
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 201
+        assert resp.json()["userName"] == "fallback@example.com"
+
+
+# ---------------------------------------------------------------------------
+# Get (GET /:id)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestGetUser:
+
+    def test_get_existing_user(self, scim_client, scim_user_alice):
+        resp = scim_client.get(user_url(scim_user_alice.id))
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["id"] == str(scim_user_alice.id)
+        assert data["userName"] == "alice@example.com"
+        assert data["active"] is True
+        assert "/scim/v2/Users/" in data["meta"]["location"]
+
+    def test_get_nonexistent_user(self, scim_client, scim_token):
+        resp = scim_client.get(user_url("nonexistent-id"))
+        assert resp.status_code == 404
+
+    def test_get_user_includes_name(self, scim_client, scim_user_alice):
+        resp = scim_client.get(user_url(scim_user_alice.id))
+        data = resp.json()
+        assert "name" in data
+        assert data["name"]["givenName"] == "Alice"
+
+    def test_get_user_includes_emails(self, scim_client, scim_user_alice):
+        resp = scim_client.get(user_url(scim_user_alice.id))
+        data = resp.json()
+        assert len(data["emails"]) == 1
+        assert data["emails"][0]["value"] == "alice@example.com"
+        assert data["emails"][0]["primary"] is True
+
+
+# ---------------------------------------------------------------------------
+# Replace (PUT — Okta's primary method)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestReplaceUser:
+
+    def test_update_display_name_via_put(self, scim_client, scim_user_alice):
+        payload = make_scim_user_payload(
+            "alice@example.com",
+            "alice-ext-id",
+            display_name="Alice Updated",
+            given_name="Alice",
+            family_name="Updated",
+        )
+        resp = scim_client.put(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["displayName"] == "Alice Updated"
+
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.display_name == "Alice Updated"
+
+    def test_deactivate_via_put_okta_style(self, scim_client, scim_user_alice):
+        """Okta sends PUT with active:false to deactivate users."""
+        payload = make_scim_user_payload(
+            "alice@example.com", "alice-ext-id", active=False
+        )
+        resp = scim_client.put(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is False
+
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is False
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is not None
+
+    def test_deactivate_via_put_logs_correct_event_type(
+        self, scim_client, scim_user_alice
+    ):
+        """PUT deactivation must log 'user_deactivated', not 'user_updated'."""
+        payload = make_scim_user_payload(
+            "alice@example.com", "alice-ext-id", active=False
+        )
+        scim_client.put(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        event = SCIMEvent.objects.filter(
+            resource_id=str(scim_user_alice.id)
+        ).order_by("-timestamp").first()
+        assert event.event_type == "user_deactivated"
+
+    def test_reactivate_via_put(self, scim_client, scim_user_alice):
+        """PUT with active:true should reactivate a deactivated user."""
+        # First deactivate
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        deactivate_scim_user(scim_user_alice)
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is False
+
+        # Reactivate via PUT
+        payload = make_scim_user_payload(
+            "alice@example.com", "alice-ext-id", active=True
+        )
+        resp = scim_client.put(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is True
+
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is True
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is None
+
+    def test_reactivate_via_put_logs_correct_event_type(self, scim_client, scim_user_alice):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        deactivate_scim_user(scim_user_alice)
+        payload = make_scim_user_payload("alice@example.com", "alice-ext-id", active=True)
+        scim_client.put(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        event = SCIMEvent.objects.filter(
+            resource_id=str(scim_user_alice.id), event_type="user_reactivated"
+        ).first()
+        assert event is not None
+
+    def test_update_email_via_put(self, scim_client, scim_user_alice):
+        payload = make_scim_user_payload(
+            "alice-new@example.com", "alice-ext-id"
+        )
+        resp = scim_client.put(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.email == "alice-new@example.com"
+        scim_user_alice.user.refresh_from_db()
+        assert scim_user_alice.user.email == "alice-new@example.com"
+
+
+# ---------------------------------------------------------------------------
+# Partial update (PATCH — Entra ID's primary method)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestPatchUser:
+
+    def test_deactivate_via_patch_entra_style(self, scim_client, scim_user_alice):
+        """Entra ID sends PATCH with Replace active=False."""
+        payload = make_patch_op([
+            {"op": "Replace", "path": "active", "value": "False"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is False
+
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is False
+
+    def test_deactivate_via_patch_bool_value(self, scim_client, scim_user_alice):
+        """Some IdPs send boolean false instead of string 'False'."""
+        payload = make_patch_op([
+            {"op": "Replace", "path": "active", "value": False},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is False
+
+    def test_deactivate_via_patch_valueless_replace(self, scim_client, scim_user_alice):
+        """Some IdPs send replace without path, with value as a dict."""
+        payload = make_patch_op([
+            {"op": "Replace", "value": {"active": False}},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is False
+
+    def test_deactivate_via_patch_valueless_string_active(self, scim_client, scim_user_alice):
+        """Valueless replace with string 'false'."""
+        payload = make_patch_op([
+            {"op": "Replace", "value": {"active": "false"}},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is False
+
+    def test_reactivate_via_patch(self, scim_client, scim_user_alice):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        deactivate_scim_user(scim_user_alice)
+
+        payload = make_patch_op([
+            {"op": "Replace", "path": "active", "value": "True"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is True
+
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is True
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is None
+
+    def test_patch_username(self, scim_client, scim_user_alice):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "userName", "value": "alice-renamed@example.com"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.email == "alice-renamed@example.com"
+
+    def test_patch_display_name(self, scim_client, scim_user_alice):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "displayName", "value": "Alice Wonderland"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.display_name == "Alice Wonderland"
+
+    def test_patch_name_given_name(self, scim_client, scim_user_alice):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "name.givenName", "value": "Alicia"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_user_alice.refresh_from_db()
+        assert "Alicia" in scim_user_alice.display_name
+
+    def test_patch_name_family_name(self, scim_client, scim_user_alice):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "name.familyName", "value": "Wonderland"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        scim_user_alice.refresh_from_db()
+        assert "Wonderland" in scim_user_alice.display_name
+
+    def test_patch_deactivate_logs_correct_event_type(
+        self, scim_client, scim_user_alice
+    ):
+        payload = make_patch_op([
+            {"op": "Replace", "path": "active", "value": "False"},
+        ])
+        scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        event = SCIMEvent.objects.filter(
+            resource_id=str(scim_user_alice.id), event_type="user_deactivated"
+        ).first()
+        assert event is not None
+
+    def test_patch_no_operations_returns_400(self, scim_client, scim_user_alice):
+        payload = {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [],
+        }
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 400
+
+    def test_patch_entra_multi_op(self, scim_client, scim_user_alice):
+        """Entra often sends multiple operations in a single PATCH (e.g. active + title)."""
+        payload = make_patch_op([
+            {"op": "Replace", "path": "active", "value": "False"},
+            {"op": "Add", "path": "title", "value": "Engineer"},
+        ])
+        resp = scim_client.patch(
+            user_url(scim_user_alice.id),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 200
+        assert resp.json()["active"] is False
+
+
+# ---------------------------------------------------------------------------
+# Delete (DELETE — hard-delete from some IdPs)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestDeleteUser:
+
+    def test_delete_returns_204(self, scim_client, scim_user_alice):
+        resp = scim_client.delete(user_url(scim_user_alice.id))
+        assert resp.status_code == 204
+
+    def test_delete_deactivates_user(self, scim_client, scim_user_alice):
+        scim_client.delete(user_url(scim_user_alice.id))
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is False
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is not None
+
+    def test_delete_already_inactive_is_idempotent(self, scim_client, scim_user_alice):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        deactivate_scim_user(scim_user_alice)
+        resp = scim_client.delete(user_url(scim_user_alice.id))
+        assert resp.status_code == 204
+
+    def test_delete_logs_event(self, scim_client, scim_user_alice):
+        scim_client.delete(user_url(scim_user_alice.id))
+        event = SCIMEvent.objects.filter(
+            event_type="user_deactivated",
+            resource_id=str(scim_user_alice.id),
+        ).first()
+        assert event is not None
+        assert event.response_status == 204
+
+    def test_delete_nonexistent_returns_404(self, scim_client, scim_token):
+        resp = scim_client.delete(user_url("nonexistent-id"))
+        assert resp.status_code == 404
+
+    def test_delete_clears_team_memberships(
+        self, scim_client, scim_user_alice, scim_group_engineering
+    ):
+        """Deleting a user should revoke keys and remove all team memberships."""
+        assert TeamMembership.objects.filter(
+            org_member=scim_user_alice.org_member
+        ).exists()
+
+        scim_client.delete(user_url(scim_user_alice.id))
+
+        assert not TeamMembership.objects.filter(
+            org_member=scim_user_alice.org_member
+        ).exists()
+
+    def test_delete_wipes_crypto_material(self, scim_client, scim_user_alice):
+        # Give the user some crypto material first
+        scim_user_alice.org_member.identity_key = "test-key"
+        scim_user_alice.org_member.wrapped_keyring = "test-keyring"
+        scim_user_alice.org_member.wrapped_recovery = "test-recovery"
+        scim_user_alice.org_member.save()
+
+        scim_client.delete(user_url(scim_user_alice.id))
+
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.identity_key == ""
+        assert scim_user_alice.org_member.wrapped_keyring == ""
+        assert scim_user_alice.org_member.wrapped_recovery == ""
+
+
+# ---------------------------------------------------------------------------
+# SCIM response format validation
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestUserResponseFormat:
+
+    def test_response_contains_schemas(self, scim_client, scim_user_alice):
+        resp = scim_client.get(user_url(scim_user_alice.id))
+        data = resp.json()
+        assert "schemas" in data
+        assert "urn:ietf:params:scim:schemas:core:2.0:User" in data["schemas"]
+
+    def test_response_meta_location_format(self, scim_client, scim_user_alice):
+        resp = scim_client.get(user_url(scim_user_alice.id))
+        location = resp.json()["meta"]["location"]
+        assert location.startswith("https://")
+        assert "/service/scim/v2/Users/" in location
+
+    def test_list_response_format(self, scim_client, scim_user_alice):
+        resp = scim_client.get(USERS_URL)
+        data = resp.json()
+        assert "urn:ietf:params:scim:api:messages:2.0:ListResponse" in data["schemas"]
+        assert "totalResults" in data
+        assert "startIndex" in data
+        assert "itemsPerPage" in data
+        assert "Resources" in data
+
+    def test_error_response_format(self, scim_client, scim_token):
+        resp = scim_client.get(user_url("nonexistent"))
+        data = resp.json()
+        assert "urn:ietf:params:scim:api:messages:2.0:Error" in data["schemas"]
+        assert "status" in data
+        assert "detail" in data
diff --git a/backend/tests/ee/authentication/scim/test_utils.py b/backend/tests/ee/authentication/scim/test_utils.py
new file mode 100644
index 000000000..f95e4419a
--- /dev/null
+++ b/backend/tests/ee/authentication/scim/test_utils.py
@@ -0,0 +1,228 @@
+"""Tests for SCIM provisioning utility functions.
+
+Covers: provision_scim_user, deactivate_scim_user, reactivate_scim_user.
+"""
+
+import pytest
+from django.utils import timezone
+
+from api.models import (
+    CustomUser,
+    OrganisationMember,
+    SCIMUser,
+    Team,
+    TeamMembership,
+)
+from ee.authentication.scim.utils import (
+    deactivate_scim_user,
+    provision_scim_user,
+    reactivate_scim_user,
+)
+
+
+# ---------------------------------------------------------------------------
+# provision_scim_user
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestProvisionScimUser:
+
+    def test_creates_new_user_and_org_member(self, organisation, developer_role):
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="new-ext-1",
+            email="newuser@example.com",
+            display_name="New User",
+        )
+        assert scim_user.email == "newuser@example.com"
+        assert scim_user.active is True
+        assert scim_user.user is not None
+        assert scim_user.org_member is not None
+        assert scim_user.org_member.role.name == "Developer"
+
+    def test_new_user_has_unusable_password(self, organisation, developer_role):
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="pwd-ext",
+            email="nopwd@example.com",
+            display_name="No Pwd",
+        )
+        assert scim_user.user.has_usable_password() is False
+
+    def test_new_user_has_empty_crypto_material(self, organisation, developer_role):
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="crypto-ext",
+            email="crypto@example.com",
+            display_name="Crypto Test",
+        )
+        assert scim_user.org_member.identity_key == ""
+        assert scim_user.org_member.wrapped_keyring == ""
+        assert scim_user.org_member.wrapped_recovery == ""
+
+    def test_email_normalized_to_lowercase(self, organisation, developer_role):
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="case-ext",
+            email="UPPER@EXAMPLE.COM",
+            display_name="Case Test",
+        )
+        assert scim_user.email == "upper@example.com"
+
+    def test_links_existing_custom_user(self, organisation, developer_role):
+        existing_user = CustomUser.objects.create(
+            username="existing@example.com",
+            email="existing@example.com",
+        )
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="existing-ext",
+            email="existing@example.com",
+            display_name="Existing",
+        )
+        assert str(scim_user.user.userId) == str(existing_user.userId)
+        # Should not create a duplicate CustomUser
+        assert CustomUser.objects.filter(email="existing@example.com").count() == 1
+
+    def test_reactivates_soft_deleted_org_member(self, organisation, developer_role):
+        user = CustomUser.objects.create(
+            username="softdel@example.com", email="softdel@example.com"
+        )
+        org_member = OrganisationMember.objects.create(
+            user=user,
+            organisation=organisation,
+            role=developer_role,
+            identity_key="old-key",
+            wrapped_keyring="old-keyring",
+            wrapped_recovery="old-recovery",
+            deleted_at=timezone.now(),
+        )
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="softdel-ext",
+            email="softdel@example.com",
+            display_name="Soft Deleted",
+        )
+        assert str(scim_user.org_member.id) == str(org_member.id)
+        org_member.refresh_from_db()
+        assert org_member.deleted_at is None
+
+    def test_stores_scim_data(self, organisation, developer_role):
+        scim_data = {"userName": "data@example.com", "custom": "field"}
+        scim_user = provision_scim_user(
+            organisation=organisation,
+            external_id="data-ext",
+            email="data@example.com",
+            display_name="Data Test",
+            scim_data=scim_data,
+        )
+        assert scim_user.scim_data == scim_data
+
+
+# ---------------------------------------------------------------------------
+# deactivate_scim_user
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestDeactivateScimUser:
+
+    def test_sets_active_false(self, scim_user_alice):
+        deactivate_scim_user(scim_user_alice)
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is False
+
+    def test_soft_deletes_org_member(self, scim_user_alice):
+        deactivate_scim_user(scim_user_alice)
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is not None
+
+    def test_wipes_crypto_material(self, scim_user_alice):
+        scim_user_alice.org_member.identity_key = "some-key"
+        scim_user_alice.org_member.wrapped_keyring = "some-keyring"
+        scim_user_alice.org_member.wrapped_recovery = "some-recovery"
+        scim_user_alice.org_member.save()
+
+        deactivate_scim_user(scim_user_alice)
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.identity_key == ""
+        assert scim_user_alice.org_member.wrapped_keyring == ""
+        assert scim_user_alice.org_member.wrapped_recovery == ""
+
+    def test_deletes_team_memberships(self, scim_user_alice, scim_group_engineering):
+        assert TeamMembership.objects.filter(
+            org_member=scim_user_alice.org_member
+        ).exists()
+
+        deactivate_scim_user(scim_user_alice)
+
+        assert not TeamMembership.objects.filter(
+            org_member=scim_user_alice.org_member
+        ).exists()
+
+    def test_does_not_delete_custom_user(self, scim_user_alice):
+        user_id = scim_user_alice.user.userId
+        deactivate_scim_user(scim_user_alice)
+        assert CustomUser.objects.filter(userId=user_id).exists()
+
+    def test_does_not_affect_other_members_team_membership(
+        self, scim_user_alice, scim_user_bob, scim_group_engineering
+    ):
+        """Deactivating Alice should not remove Bob from the team."""
+        deactivate_scim_user(scim_user_alice)
+        assert TeamMembership.objects.filter(
+            team=scim_group_engineering.team,
+            org_member=scim_user_bob.org_member,
+        ).exists()
+
+
+# ---------------------------------------------------------------------------
+# reactivate_scim_user
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.django_db
+class TestReactivateScimUser:
+
+    def test_sets_active_true(self, scim_user_alice):
+        deactivate_scim_user(scim_user_alice)
+        reactivate_scim_user(scim_user_alice)
+        scim_user_alice.refresh_from_db()
+        assert scim_user_alice.active is True
+
+    def test_clears_deleted_at(self, scim_user_alice):
+        deactivate_scim_user(scim_user_alice)
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is not None
+
+        reactivate_scim_user(scim_user_alice)
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.deleted_at is None
+
+    def test_does_not_restore_team_memberships(
+        self, scim_user_alice, scim_group_engineering
+    ):
+        """After deactivation clears team memberships, reactivation should NOT restore them.
+        The IdP's group push will re-add the user to the correct teams."""
+        deactivate_scim_user(scim_user_alice)
+        assert not TeamMembership.objects.filter(
+            org_member=scim_user_alice.org_member
+        ).exists()
+
+        reactivate_scim_user(scim_user_alice)
+        # Still no team memberships — IdP must re-push
+        assert not TeamMembership.objects.filter(
+            org_member=scim_user_alice.org_member
+        ).exists()
+
+    def test_crypto_material_stays_empty(self, scim_user_alice):
+        """Reactivation should not restore crypto material — user must redo key ceremony."""
+        scim_user_alice.org_member.identity_key = "old-key"
+        scim_user_alice.org_member.save()
+
+        deactivate_scim_user(scim_user_alice)
+        reactivate_scim_user(scim_user_alice)
+
+        scim_user_alice.org_member.refresh_from_db()
+        assert scim_user_alice.org_member.identity_key == ""

From 1b812c3393ce9b770f895bc4ee105b3940a777dc Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 13:30:14 +0530
Subject: [PATCH 059/118] fix: tests

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/pytest.ini                            |  3 +-
 .../tests/ee/authentication/scim/conftest.py  | 31 +++++++++++--------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/backend/pytest.ini b/backend/pytest.ini
index f15010964..91a5cca2a 100644
--- a/backend/pytest.ini
+++ b/backend/pytest.ini
@@ -1,3 +1,2 @@
 [pytest]
-DJANGO_SETTINGS_MODULE = backend.settings
-python_files = tests.py test_*.py *_tests.py
\ No newline at end of file
+python_files = tests.py test_*.py *_tests.py
diff --git a/backend/tests/ee/authentication/scim/conftest.py b/backend/tests/ee/authentication/scim/conftest.py
index 8a44fba3a..b55a9e36b 100644
--- a/backend/tests/ee/authentication/scim/conftest.py
+++ b/backend/tests/ee/authentication/scim/conftest.py
@@ -5,19 +5,6 @@
 from django.test import RequestFactory
 from rest_framework.test import APIClient
 
-from api.models import (
-    CustomUser,
-    Organisation,
-    OrganisationMember,
-    Role,
-    SCIMEvent,
-    SCIMGroup,
-    SCIMToken,
-    SCIMUser,
-    Team,
-    TeamMembership,
-)
-
 
 # ---------------------------------------------------------------------------
 # Helpers
@@ -91,6 +78,8 @@ def make_patch_op(operations):
 @pytest.fixture
 def organisation(db):
     """Create an Enterprise org with scim_enabled=True."""
+    from api.models import Organisation
+
     return Organisation.objects.create(
         name="TestOrg-SCIM",
         identity_key="test-org-identity-key",
@@ -102,6 +91,8 @@ def organisation(db):
 @pytest.fixture
 def developer_role(organisation):
     """Create the default Developer role needed for SCIM provisioning."""
+    from api.models import Role
+
     return Role.objects.create(
         name="Developer",
         organisation=organisation,
@@ -114,6 +105,8 @@ def developer_role(organisation):
 @pytest.fixture
 def owner_role(organisation):
     """Create the Owner role."""
+    from api.models import Role
+
     return Role.objects.create(
         name="Owner",
         organisation=organisation,
@@ -126,6 +119,8 @@ def owner_role(organisation):
 @pytest.fixture
 def admin_user(db):
     """A non-SCIM admin user (the org owner)."""
+    from api.models import CustomUser
+
     user = CustomUser.objects.create(
         username="admin@testorg.com",
         email="admin@testorg.com",
@@ -138,6 +133,8 @@ def admin_user(db):
 @pytest.fixture
 def admin_member(organisation, admin_user, owner_role):
     """OrganisationMember for the admin user."""
+    from api.models import OrganisationMember
+
     return OrganisationMember.objects.create(
         user=admin_user,
         organisation=organisation,
@@ -151,6 +148,8 @@ def admin_member(organisation, admin_user, owner_role):
 @pytest.fixture
 def scim_token(organisation, admin_member):
     """Create a valid, active SCIM token."""
+    from api.models import SCIMToken
+
     return SCIMToken.objects.create(
         organisation=organisation,
         name="Test IdP",
@@ -172,6 +171,8 @@ def scim_client(scim_token):
 @pytest.fixture
 def scim_user_alice(organisation, developer_role):
     """A pre-provisioned SCIM user (Alice)."""
+    from api.models import CustomUser, OrganisationMember, SCIMUser
+
     user = CustomUser.objects.create(
         username="alice@example.com",
         email="alice@example.com",
@@ -203,6 +204,8 @@ def scim_user_alice(organisation, developer_role):
 @pytest.fixture
 def scim_user_bob(organisation, developer_role):
     """A second pre-provisioned SCIM user (Bob)."""
+    from api.models import CustomUser, OrganisationMember, SCIMUser
+
     user = CustomUser.objects.create(
         username="bob@example.com",
         email="bob@example.com",
@@ -234,6 +237,8 @@ def scim_user_bob(organisation, developer_role):
 @pytest.fixture
 def scim_group_engineering(organisation, scim_user_alice, scim_user_bob):
     """A SCIM-managed group (Team) with Alice and Bob as members."""
+    from api.models import SCIMGroup, Team, TeamMembership
+
     team = Team.objects.create(
         name="Engineering",
         organisation=organisation,

From b8c078c5c16ea4784949cfa789babcb626ee36da Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 13:37:56 +0530
Subject: [PATCH 060/118] fix: use sqlite for integration tests

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/conftest.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/backend/conftest.py b/backend/conftest.py
index a8cba84c0..fdab61e70 100644
--- a/backend/conftest.py
+++ b/backend/conftest.py
@@ -1,5 +1,6 @@
 import os
 import django
+import pytest
 
 # Set environment variables required for settings.py to import successfully
 os.environ.setdefault("ALLOWED_HOSTS", "localhost")
@@ -34,3 +35,15 @@ def pytest_configure():
             "BACKEND": "django.core.cache.backends.locmem.LocMemCache",
         }
     }
+
+
+@pytest.fixture(scope="session")
+def django_db_modify_db_settings():
+    """Use in-memory SQLite for tests so CI doesn't need a Postgres service."""
+    from django.conf import settings
+
+    settings.DATABASES["default"] = {
+        "ENGINE": "django.db.backends.sqlite3",
+        "NAME": ":memory:",
+        "ATOMIC_REQUESTS": False,
+    }

From 7f4f6ddbea88bd447ab06d91fc7cbf4f9feac952 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 13:51:06 +0530
Subject: [PATCH 061/118] fix: conftest for sqlite

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/conftest.py | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/backend/conftest.py b/backend/conftest.py
index fdab61e70..dd4ea6f34 100644
--- a/backend/conftest.py
+++ b/backend/conftest.py
@@ -1,6 +1,5 @@
 import os
 import django
-import pytest
 
 # Set environment variables required for settings.py to import successfully
 os.environ.setdefault("ALLOWED_HOSTS", "localhost")
@@ -27,21 +26,16 @@
 def pytest_configure():
     django.setup()
 
-    # Override cache to in-memory so tests don't require a running Redis
     from django.conf import settings
 
+    # Override cache to in-memory so tests don't require a running Redis
     settings.CACHES = {
         "default": {
             "BACKEND": "django.core.cache.backends.locmem.LocMemCache",
         }
     }
 
-
-@pytest.fixture(scope="session")
-def django_db_modify_db_settings():
-    """Use in-memory SQLite for tests so CI doesn't need a Postgres service."""
-    from django.conf import settings
-
+    # Override database to use in-memory SQLite so tests don't need a Postgres service
     settings.DATABASES["default"] = {
         "ENGINE": "django.db.backends.sqlite3",
         "NAME": ":memory:",

From 0dd1334c99436203fa99b7765649fd1c6125a20f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 15:00:10 +0530
Subject: [PATCH 062/118] feat: use mock-based tests

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/conftest.py                           |    7 -
 .../tests/ee/authentication/scim/conftest.py  |  300 +++--
 .../tests/ee/authentication/scim/test_auth.py |  179 ++-
 .../ee/authentication/scim/test_groups.py     | 1042 +++++++++++------
 .../ee/authentication/scim/test_lifecycle.py  |  627 ----------
 .../ee/authentication/scim/test_users.py      |  914 +++++++++------
 .../ee/authentication/scim/test_utils.py      |  507 +++++---
 7 files changed, 1790 insertions(+), 1786 deletions(-)
 delete mode 100644 backend/tests/ee/authentication/scim/test_lifecycle.py

diff --git a/backend/conftest.py b/backend/conftest.py
index dd4ea6f34..e801a6e0a 100644
--- a/backend/conftest.py
+++ b/backend/conftest.py
@@ -34,10 +34,3 @@ def pytest_configure():
             "BACKEND": "django.core.cache.backends.locmem.LocMemCache",
         }
     }
-
-    # Override database to use in-memory SQLite so tests don't need a Postgres service
-    settings.DATABASES["default"] = {
-        "ENGINE": "django.db.backends.sqlite3",
-        "NAME": ":memory:",
-        "ATOMIC_REQUESTS": False,
-    }
diff --git a/backend/tests/ee/authentication/scim/conftest.py b/backend/tests/ee/authentication/scim/conftest.py
index b55a9e36b..d1d7e881d 100644
--- a/backend/tests/ee/authentication/scim/conftest.py
+++ b/backend/tests/ee/authentication/scim/conftest.py
@@ -1,13 +1,14 @@
 import hashlib
-import json
+import uuid
+from datetime import datetime, timezone as dt_tz
+from unittest.mock import MagicMock, Mock, patch
 
 import pytest
-from django.test import RequestFactory
 from rest_framework.test import APIClient
 
 
 # ---------------------------------------------------------------------------
-# Helpers
+# Constants
 # ---------------------------------------------------------------------------
 
 SCIM_CONTENT_TYPE = "application/scim+json"
@@ -21,6 +22,11 @@ def scim_auth_header(token=TOKEN_RAW):
     return f"Bearer {token}"
 
 
+# ---------------------------------------------------------------------------
+# Payload helpers (pure data — no DB)
+# ---------------------------------------------------------------------------
+
+
 def make_scim_user_payload(
     username,
     external_id,
@@ -71,191 +77,149 @@ def make_patch_op(operations):
 
 
 # ---------------------------------------------------------------------------
-# Fixtures
+# Mock factories
 # ---------------------------------------------------------------------------
 
 
-@pytest.fixture
-def organisation(db):
-    """Create an Enterprise org with scim_enabled=True."""
-    from api.models import Organisation
-
-    return Organisation.objects.create(
-        name="TestOrg-SCIM",
-        identity_key="test-org-identity-key",
-        plan="EN",
-        scim_enabled=True,
-    )
+def make_mock_organisation(**overrides):
+    """Create a mock Organisation with sensible defaults."""
+    org = MagicMock()
+    org.id = overrides.get("id", str(uuid.uuid4()))
+    org.name = overrides.get("name", "TestOrg-SCIM")
+    org.plan = overrides.get("plan", "EN")
+    org.scim_enabled = overrides.get("scim_enabled", True)
+    org.identity_key = overrides.get("identity_key", "test-org-identity-key")
+    return org
+
+
+def make_mock_scim_token(organisation=None, **overrides):
+    """Create a mock SCIMToken."""
+    token = MagicMock()
+    token.id = overrides.get("id", str(uuid.uuid4()))
+    token.organisation = organisation or make_mock_organisation()
+    token.name = overrides.get("name", "Test IdP")
+    token.token_hash = overrides.get("token_hash", TOKEN_HASH)
+    token.token_prefix = overrides.get("token_prefix", TOKEN_PREFIX)
+    token.is_active = overrides.get("is_active", True)
+    token.expires_at = overrides.get("expires_at", None)
+    token.deleted_at = overrides.get("deleted_at", None)
+    token.last_used_at = overrides.get("last_used_at", None)
+    token.created_by = overrides.get("created_by", MagicMock())
+    return token
+
+
+def make_mock_user(**overrides):
+    """Create a mock CustomUser."""
+    user = MagicMock()
+    user.userId = overrides.get("userId", str(uuid.uuid4()))
+    user.username = overrides.get("username", "user@example.com")
+    user.email = overrides.get("email", user.username)
+    user.has_usable_password = MagicMock(return_value=False)
+    return user
 
 
-@pytest.fixture
-def developer_role(organisation):
-    """Create the default Developer role needed for SCIM provisioning."""
-    from api.models import Role
-
-    return Role.objects.create(
-        name="Developer",
-        organisation=organisation,
-        description="Default role for SCIM users",
-        is_default=True,
-        permissions={},
+def make_mock_org_member(user=None, organisation=None, **overrides):
+    """Create a mock OrganisationMember."""
+    member = MagicMock()
+    member.id = overrides.get("id", str(uuid.uuid4()))
+    member.user = user or make_mock_user()
+    member.organisation = organisation or make_mock_organisation()
+    member.role = overrides.get("role", MagicMock(name="Developer"))
+    member.identity_key = overrides.get("identity_key", "")
+    member.wrapped_keyring = overrides.get("wrapped_keyring", "")
+    member.wrapped_recovery = overrides.get("wrapped_recovery", "")
+    member.deleted_at = overrides.get("deleted_at", None)
+    return member
+
+
+def make_mock_scim_user(organisation=None, user=None, org_member=None, **overrides):
+    """Create a mock SCIMUser."""
+    org = organisation or make_mock_organisation()
+    scim_user = MagicMock()
+    scim_user.id = overrides.get("id", str(uuid.uuid4()))
+    scim_user.external_id = overrides.get("external_id", "ext-" + str(uuid.uuid4())[:8])
+    scim_user.organisation = org
+    scim_user.user = user or make_mock_user(email=overrides.get("email", "user@example.com"))
+    scim_user.org_member = org_member or make_mock_org_member(user=scim_user.user, organisation=org)
+    scim_user.email = overrides.get("email", scim_user.user.email)
+    scim_user.display_name = overrides.get("display_name", "Test User")
+    scim_user.active = overrides.get("active", True)
+    scim_user.scim_data = overrides.get(
+        "scim_data",
+        make_scim_user_payload(scim_user.email, scim_user.external_id),
     )
+    scim_user.created_at = overrides.get("created_at", datetime(2025, 1, 1, tzinfo=dt_tz.utc))
+    scim_user.updated_at = overrides.get("updated_at", datetime(2025, 1, 1, tzinfo=dt_tz.utc))
+    return scim_user
+
+
+def make_mock_team(organisation=None, **overrides):
+    """Create a mock Team."""
+    team = MagicMock()
+    team.id = overrides.get("id", str(uuid.uuid4()))
+    team.name = overrides.get("name", "TestTeam")
+    team.organisation = organisation or make_mock_organisation()
+    team.is_scim_managed = overrides.get("is_scim_managed", True)
+    team.description = overrides.get("description", None)
+    team.deleted_at = overrides.get("deleted_at", None)
+    return team
+
+
+def make_mock_scim_group(organisation=None, team=None, **overrides):
+    """Create a mock SCIMGroup."""
+    org = organisation or make_mock_organisation()
+    scim_group = MagicMock()
+    scim_group.id = overrides.get("id", str(uuid.uuid4()))
+    scim_group.external_id = overrides.get("external_id", "grp-" + str(uuid.uuid4())[:8])
+    scim_group.organisation = org
+    scim_group.team = team or make_mock_team(organisation=org, name=overrides.get("display_name", "TestGroup"))
+    scim_group.display_name = overrides.get("display_name", "TestGroup")
+    scim_group.scim_data = overrides.get(
+        "scim_data",
+        make_scim_group_payload(scim_group.display_name, scim_group.external_id),
+    )
+    scim_group.created_at = overrides.get("created_at", datetime(2025, 1, 1, tzinfo=dt_tz.utc))
+    scim_group.updated_at = overrides.get("updated_at", datetime(2025, 1, 1, tzinfo=dt_tz.utc))
+    return scim_group
 
 
-@pytest.fixture
-def owner_role(organisation):
-    """Create the Owner role."""
-    from api.models import Role
-
-    return Role.objects.create(
-        name="Owner",
-        organisation=organisation,
-        description="Owner role",
-        is_default=True,
-        permissions={},
-    )
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
 
 
 @pytest.fixture
-def admin_user(db):
-    """A non-SCIM admin user (the org owner)."""
-    from api.models import CustomUser
-
-    user = CustomUser.objects.create(
-        username="admin@testorg.com",
-        email="admin@testorg.com",
-    )
-    user.set_unusable_password()
-    user.save()
-    return user
+def mock_organisation():
+    return make_mock_organisation()
 
 
 @pytest.fixture
-def admin_member(organisation, admin_user, owner_role):
-    """OrganisationMember for the admin user."""
-    from api.models import OrganisationMember
-
-    return OrganisationMember.objects.create(
-        user=admin_user,
-        organisation=organisation,
-        role=owner_role,
-        identity_key="admin-identity-key",
-        wrapped_keyring="admin-wrapped-keyring",
-        wrapped_recovery="admin-wrapped-recovery",
-    )
+def mock_scim_token(mock_organisation):
+    return make_mock_scim_token(organisation=mock_organisation)
 
 
 @pytest.fixture
-def scim_token(organisation, admin_member):
-    """Create a valid, active SCIM token."""
-    from api.models import SCIMToken
-
-    return SCIMToken.objects.create(
-        organisation=organisation,
-        name="Test IdP",
-        token_hash=TOKEN_HASH,
-        token_prefix=TOKEN_PREFIX,
-        created_by=admin_member,
-        is_active=True,
-    )
+def mock_auth(mock_organisation, mock_scim_token):
+    """Patch SCIMTokenAuthentication.authenticate so that all views see a
+    valid SCIM service user without touching the DB."""
+    from ee.authentication.scim.auth import SCIMServiceUser
+
+    service_user = SCIMServiceUser(mock_scim_token)
+    auth_info = {
+        "scim_token": mock_scim_token,
+        "organisation": mock_organisation,
+    }
+
+    with patch(
+        "ee.authentication.scim.auth.SCIMTokenAuthentication.authenticate",
+        return_value=(service_user, auth_info),
+    ) as m:
+        yield m
 
 
 @pytest.fixture
-def scim_client(scim_token):
-    """DRF APIClient pre-configured with a valid SCIM Bearer token."""
+def scim_client(mock_auth):
+    """DRF APIClient that passes SCIM Bearer auth (mocked)."""
     client = APIClient()
     client.credentials(HTTP_AUTHORIZATION=scim_auth_header())
     return client
-
-
-@pytest.fixture
-def scim_user_alice(organisation, developer_role):
-    """A pre-provisioned SCIM user (Alice)."""
-    from api.models import CustomUser, OrganisationMember, SCIMUser
-
-    user = CustomUser.objects.create(
-        username="alice@example.com",
-        email="alice@example.com",
-    )
-    user.set_unusable_password()
-    user.save()
-
-    org_member = OrganisationMember.objects.create(
-        user=user,
-        organisation=organisation,
-        role=developer_role,
-        identity_key="",
-        wrapped_keyring="",
-        wrapped_recovery="",
-    )
-
-    return SCIMUser.objects.create(
-        external_id="alice-ext-id",
-        organisation=organisation,
-        user=user,
-        org_member=org_member,
-        email="alice@example.com",
-        display_name="Alice Test",
-        active=True,
-        scim_data=make_scim_user_payload("alice@example.com", "alice-ext-id"),
-    )
-
-
-@pytest.fixture
-def scim_user_bob(organisation, developer_role):
-    """A second pre-provisioned SCIM user (Bob)."""
-    from api.models import CustomUser, OrganisationMember, SCIMUser
-
-    user = CustomUser.objects.create(
-        username="bob@example.com",
-        email="bob@example.com",
-    )
-    user.set_unusable_password()
-    user.save()
-
-    org_member = OrganisationMember.objects.create(
-        user=user,
-        organisation=organisation,
-        role=developer_role,
-        identity_key="",
-        wrapped_keyring="",
-        wrapped_recovery="",
-    )
-
-    return SCIMUser.objects.create(
-        external_id="bob-ext-id",
-        organisation=organisation,
-        user=user,
-        org_member=org_member,
-        email="bob@example.com",
-        display_name="Bob Test",
-        active=True,
-        scim_data=make_scim_user_payload("bob@example.com", "bob-ext-id"),
-    )
-
-
-@pytest.fixture
-def scim_group_engineering(organisation, scim_user_alice, scim_user_bob):
-    """A SCIM-managed group (Team) with Alice and Bob as members."""
-    from api.models import SCIMGroup, Team, TeamMembership
-
-    team = Team.objects.create(
-        name="Engineering",
-        organisation=organisation,
-        is_scim_managed=True,
-    )
-    TeamMembership.objects.create(team=team, org_member=scim_user_alice.org_member)
-    TeamMembership.objects.create(team=team, org_member=scim_user_bob.org_member)
-
-    return SCIMGroup.objects.create(
-        external_id="eng-ext-id",
-        organisation=organisation,
-        team=team,
-        display_name="Engineering",
-        scim_data=make_scim_group_payload("Engineering", "eng-ext-id"),
-    )
-
-
-@pytest.fixture
-def request_factory():
-    return RequestFactory()
diff --git a/backend/tests/ee/authentication/scim/test_auth.py b/backend/tests/ee/authentication/scim/test_auth.py
index de8f7c3e2..dedaa6a4b 100644
--- a/backend/tests/ee/authentication/scim/test_auth.py
+++ b/backend/tests/ee/authentication/scim/test_auth.py
@@ -1,60 +1,79 @@
-"""Tests for SCIMTokenAuthentication."""
+"""Tests for SCIMTokenAuthentication — fully mocked, no database."""
 
 import hashlib
 from datetime import timedelta
+from unittest.mock import MagicMock, patch
 
 import pytest
 from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.test import APIRequestFactory
 
-from api.models import ActivatedPhaseLicense, Organisation, SCIMToken
 from ee.authentication.scim.auth import SCIMServiceUser, SCIMTokenAuthentication
 
-from .conftest import TOKEN_HASH, TOKEN_RAW
+from .conftest import TOKEN_HASH, TOKEN_RAW, make_mock_organisation, make_mock_scim_token
 
 factory = APIRequestFactory()
 
 
 def _make_request(token=TOKEN_RAW):
-    """Create a DRF request with the given Bearer token."""
-    request = factory.get(
+    return factory.get(
         "/scim/v2/Users",
         HTTP_AUTHORIZATION=f"Bearer {token}",
     )
-    return request
 
 
-@pytest.mark.django_db
+# ---------------------------------------------------------------------------
+# SCIMTokenAuthentication
+# ---------------------------------------------------------------------------
+
+
 class TestSCIMTokenAuthentication:
 
-    def test_valid_token(self, scim_token, organisation):
+    def _make_token(self, **overrides):
+        org = overrides.pop("organisation", make_mock_organisation())
+        return make_mock_scim_token(organisation=org, **overrides)
+
+    # -- valid token --
+
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_valid_token(self, MockSCIMToken, mock_can_use):
+        token = self._make_token()
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
+
         auth = SCIMTokenAuthentication()
-        request = _make_request()
-        user, auth_info = auth.authenticate(request)
+        user, auth_info = auth.authenticate(_make_request())
 
         assert isinstance(user, SCIMServiceUser)
         assert user.is_authenticated
-        assert str(auth_info["organisation"].id) == str(organisation.id)
-        assert str(auth_info["scim_token"].id) == str(scim_token.id)
+        assert auth_info["organisation"] is token.organisation
+        assert auth_info["scim_token"] is token
 
-    def test_updates_last_used_at(self, scim_token):
-        assert scim_token.last_used_at is None
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_updates_last_used_at(self, MockSCIMToken, mock_can_use):
+        token = self._make_token()
+        assert token.last_used_at is None
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         auth.authenticate(_make_request())
 
-        scim_token.refresh_from_db()
-        assert scim_token.last_used_at is not None
+        token.save.assert_called_once_with(update_fields=["last_used_at"])
+        assert token.last_used_at is not None
+
+    # -- header parsing --
 
-    def test_no_auth_header_returns_none(self, scim_token):
-        """Missing Authorization header should return None (not raise), allowing other authenticators to try."""
+    def test_no_auth_header_returns_none(self):
         auth = SCIMTokenAuthentication()
         request = factory.get("/scim/v2/Users")
         result = auth.authenticate(request)
         assert result is None
 
-    def test_non_bearer_header_returns_none(self, scim_token):
+    def test_non_bearer_header_returns_none(self):
         auth = SCIMTokenAuthentication()
         request = factory.get(
             "/scim/v2/Users",
@@ -63,98 +82,128 @@ def test_non_bearer_header_returns_none(self, scim_token):
         result = auth.authenticate(request)
         assert result is None
 
-    def test_non_scim_bearer_token_returns_none(self, scim_token):
+    def test_non_scim_bearer_token_returns_none(self):
         """Phase tokens (pss_service:v2:...) should be ignored."""
         auth = SCIMTokenAuthentication()
         request = _make_request(token="pss_service:v2:prefix:body")
         result = auth.authenticate(request)
         assert result is None
 
-    def test_invalid_token_hash_raises(self, scim_token):
+    # -- invalid hash --
+
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_invalid_token_hash_raises(self, MockSCIMToken):
+        MockSCIMToken.DoesNotExist = Exception
+        MockSCIMToken.objects.select_related.return_value.get.side_effect = Exception("not found")
+
         auth = SCIMTokenAuthentication()
-        request = _make_request(token="ph_scim:v1:fake:invalid_token_value")
         with pytest.raises(AuthenticationFailed, match="Invalid SCIM token"):
-            auth.authenticate(request)
+            auth.authenticate(_make_request(token="ph_scim:v1:fake:invalid_token_value"))
 
-    def test_expired_token_raises(self, scim_token):
-        scim_token.expires_at = timezone.now() - timedelta(hours=1)
-        scim_token.save(update_fields=["expires_at"])
+    # -- expired --
+
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_expired_token_raises(self, MockSCIMToken, mock_can_use):
+        token = self._make_token(expires_at=timezone.now() - timedelta(hours=1))
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         with pytest.raises(AuthenticationFailed, match="expired"):
             auth.authenticate(_make_request())
 
-    def test_non_expired_token_works(self, scim_token):
-        scim_token.expires_at = timezone.now() + timedelta(days=30)
-        scim_token.save(update_fields=["expires_at"])
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_non_expired_token_works(self, MockSCIMToken, mock_can_use):
+        token = self._make_token(expires_at=timezone.now() + timedelta(days=30))
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         user, _ = auth.authenticate(_make_request())
         assert user.is_authenticated
 
-    def test_scim_disabled_on_org_raises(self, scim_token, organisation):
-        organisation.scim_enabled = False
-        organisation.save(update_fields=["scim_enabled"])
+    # -- scim disabled --
+
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_scim_disabled_on_org_raises(self, MockSCIMToken, mock_can_use):
+        org = make_mock_organisation(scim_enabled=False)
+        token = self._make_token(organisation=org)
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         with pytest.raises(AuthenticationFailed, match="not enabled"):
             auth.authenticate(_make_request())
 
-    def test_token_is_inactive_raises(self, scim_token):
-        scim_token.is_active = False
-        scim_token.save(update_fields=["is_active"])
+    # -- token inactive --
+
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_token_is_inactive_raises(self, MockSCIMToken, mock_can_use):
+        token = self._make_token(is_active=False)
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         with pytest.raises(AuthenticationFailed, match="disabled"):
             auth.authenticate(_make_request())
 
-    def test_soft_deleted_token_raises(self, scim_token):
-        scim_token.deleted_at = timezone.now()
-        scim_token.save(update_fields=["deleted_at"])
+    # -- soft-deleted token --
+
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_soft_deleted_token_raises(self, MockSCIMToken):
+        """Soft-deleted tokens are filtered by the query (deleted_at__isnull=True),
+        so they raise DoesNotExist."""
+        MockSCIMToken.DoesNotExist = Exception
+        MockSCIMToken.objects.select_related.return_value.get.side_effect = Exception("not found")
 
         auth = SCIMTokenAuthentication()
         with pytest.raises(AuthenticationFailed, match="Invalid SCIM token"):
             auth.authenticate(_make_request())
 
-    def test_non_enterprise_plan_without_license_raises(self, scim_token, organisation):
-        organisation.plan = "FR"
-        organisation.save(update_fields=["plan"])
+    # -- plan checks --
+
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=False)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_non_enterprise_plan_without_license_raises(self, MockSCIMToken, mock_can_use):
+        org = make_mock_organisation(plan="FR")
+        token = self._make_token(organisation=org)
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         with pytest.raises(AuthenticationFailed, match="Enterprise plan"):
             auth.authenticate(_make_request())
 
-    def test_non_enterprise_plan_with_license_works(self, scim_token, organisation):
-        """An activated license should bypass the plan check."""
-        organisation.plan = "FR"
-        organisation.save(update_fields=["plan"])
-
-        ActivatedPhaseLicense.objects.create(
-            id="test-license-id",
-            customer_name="TestCorp",
-            organisation=organisation,
-            plan="EN",
-            metadata={},
-            environment="production",
-            license_type="enterprise",
-            signature_date=timezone.now().date(),
-            issuing_authority="Phase",
-            issued_at=timezone.now(),
-            expires_at=timezone.now() + timedelta(days=365),
-        )
+    @patch("ee.authentication.scim.auth.can_use_scim", return_value=True)
+    @patch("ee.authentication.scim.auth.SCIMToken")
+    def test_non_enterprise_plan_with_license_works(self, MockSCIMToken, mock_can_use):
+        """An activated license should bypass the plan check via can_use_scim."""
+        org = make_mock_organisation(plan="FR")
+        token = self._make_token(organisation=org)
+        MockSCIMToken.objects.select_related.return_value.get.return_value = token
+        MockSCIMToken.DoesNotExist = Exception
 
         auth = SCIMTokenAuthentication()
         user, _ = auth.authenticate(_make_request())
         assert user.is_authenticated
 
 
-@pytest.mark.django_db
+# ---------------------------------------------------------------------------
+# SCIMServiceUser
+# ---------------------------------------------------------------------------
+
+
 class TestSCIMServiceUser:
 
-    def test_service_user_properties(self, scim_token):
-        user = SCIMServiceUser(scim_token)
+    def test_service_user_properties(self):
+        token = make_mock_scim_token()
+        user = SCIMServiceUser(token)
         assert user.is_authenticated is True
         assert user.is_active is True
-        assert user.id == scim_token.id
-        assert user.organisation == scim_token.organisation
-        assert user.scim_token == scim_token
+        assert user.id == token.id
+        assert user.organisation == token.organisation
+        assert user.scim_token == token
diff --git a/backend/tests/ee/authentication/scim/test_groups.py b/backend/tests/ee/authentication/scim/test_groups.py
index b3be0a5ed..1ffd8814d 100644
--- a/backend/tests/ee/authentication/scim/test_groups.py
+++ b/backend/tests/ee/authentication/scim/test_groups.py
@@ -1,109 +1,151 @@
-"""Integration tests for SCIM /Groups endpoints.
+"""Tests for SCIM /Groups endpoints — fully mocked, no database.
 
 Covers: list, filter, create, get, replace (PUT), partial update (PATCH), delete.
-Tests both Entra ID and Okta payload/patch formats where they diverge.
 """
 
 import json
+import uuid
+from unittest.mock import MagicMock, patch, call
 
 import pytest
-
-from api.models import (
-    SCIMEvent,
-    SCIMGroup,
-    SCIMUser,
-    Team,
-    TeamMembership,
-)
+from django.db import IntegrityError
 
 from .conftest import (
     SCIM_CONTENT_TYPE,
+    make_mock_organisation,
+    make_mock_scim_group,
+    make_mock_scim_user,
+    make_mock_team,
     make_patch_op,
     make_scim_group_payload,
 )
 
 GROUPS_URL = "/scim/v2/Groups"
 
+# Patch targets — where names are looked up in views/groups.py
+_P = "ee.authentication.scim.views.groups"
+
 
 def group_url(scim_group_id):
     return f"{GROUPS_URL}/{scim_group_id}"
 
 
+def _serialized_group(scim_group=None, members=None, **overrides):
+    """Return a fake serialized SCIM group dict."""
+    sg = scim_group or make_mock_scim_group()
+    return {
+        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+        "id": str(overrides.get("id", sg.id)),
+        "externalId": overrides.get("external_id", sg.external_id),
+        "displayName": overrides.get("display_name", sg.display_name),
+        "members": members if members is not None else [],
+        "meta": {
+            "resourceType": "Group",
+            "created": "2025-01-01T00:00:00+00:00",
+            "lastModified": "2025-01-01T00:00:00+00:00",
+            "location": f"https://testserver/service/scim/v2/Groups/{sg.id}",
+        },
+    }
+
+
 # ---------------------------------------------------------------------------
 # List / Filter
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestListGroups:
 
-    def test_list_empty(self, scim_client, scim_token):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_list_empty(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        qs = MagicMock()
+        qs.count.return_value = 0
+        qs.__getitem__ = MagicMock(return_value=[])
+        MockSCIMGroup.objects.filter.return_value.order_by.return_value = qs
+
         resp = scim_client.get(GROUPS_URL)
         assert resp.status_code == 200
         data = resp.json()
         assert data["totalResults"] == 0
         assert data["Resources"] == []
 
-    def test_list_returns_groups(self, scim_client, scim_group_engineering):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_list_returns_groups(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        qs = MagicMock()
+        qs.count.return_value = 1
+        qs.__getitem__ = MagicMock(return_value=[eng])
+        MockSCIMGroup.objects.filter.return_value.order_by.return_value = qs
+
+        mock_serialize.return_value = _serialized_group(eng)
+
         resp = scim_client.get(GROUPS_URL)
         data = resp.json()
         assert data["totalResults"] == 1
         assert data["Resources"][0]["displayName"] == "Engineering"
 
-    def test_list_includes_members(self, scim_client, scim_group_engineering):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_list_includes_members(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        qs = MagicMock()
+        qs.count.return_value = 1
+        qs.__getitem__ = MagicMock(return_value=[eng])
+        MockSCIMGroup.objects.filter.return_value.order_by.return_value = qs
+
+        members = [
+            {"value": "user-1", "display": "Alice"},
+            {"value": "user-2", "display": "Bob"},
+        ]
+        mock_serialize.return_value = _serialized_group(eng, members=members)
+
         resp = scim_client.get(GROUPS_URL)
-        members = resp.json()["Resources"][0]["members"]
-        assert len(members) == 2
+        data = resp.json()
+        assert len(data["Resources"][0]["members"]) == 2
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.scim_filter_to_queryset")
+    @patch(f"{_P}.SCIMGroup")
     def test_filter_by_display_name(
-        self, scim_client, scim_group_engineering, organisation
+        self, MockSCIMGroup, mock_filter_qs, mock_serialize, mock_log, scim_client
     ):
-        # Create a second group
-        team2 = Team.objects.create(
-            name="Marketing", organisation=organisation, is_scim_managed=True
-        )
-        SCIMGroup.objects.create(
-            external_id="mkt-ext",
-            organisation=organisation,
-            team=team2,
-            display_name="Marketing",
-        )
+        eng = make_mock_scim_group(display_name="Engineering")
+        qs = MagicMock()
+        MockSCIMGroup.objects.filter.return_value.order_by.return_value = qs
 
-        resp = scim_client.get(
-            GROUPS_URL, {"filter": 'displayName eq "Engineering"'}
-        )
-        data = resp.json()
-        assert data["totalResults"] == 1
-        assert data["Resources"][0]["displayName"] == "Engineering"
+        filtered_qs = MagicMock()
+        filtered_qs.count.return_value = 1
+        filtered_qs.__getitem__ = MagicMock(return_value=[eng])
+        mock_filter_qs.return_value = filtered_qs
 
-    def test_filter_by_external_id(self, scim_client, scim_group_engineering):
-        resp = scim_client.get(
-            GROUPS_URL, {"filter": 'externalId eq "eng-ext-id"'}
-        )
+        mock_serialize.return_value = _serialized_group(eng)
+
+        resp = scim_client.get(GROUPS_URL, {"filter": 'displayName eq "Engineering"'})
         data = resp.json()
         assert data["totalResults"] == 1
+        assert data["Resources"][0]["displayName"] == "Engineering"
 
-    def test_filter_no_match(self, scim_client, scim_group_engineering):
-        resp = scim_client.get(
-            GROUPS_URL, {"filter": 'displayName eq "Nonexistent"'}
-        )
-        assert resp.json()["totalResults"] == 0
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_pagination(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        qs = MagicMock()
+        qs.count.return_value = 2
+        qs.__getitem__ = MagicMock(return_value=[eng])
+        MockSCIMGroup.objects.filter.return_value.order_by.return_value = qs
 
-    def test_pagination(self, scim_client, scim_group_engineering, organisation):
-        team2 = Team.objects.create(
-            name="Marketing", organisation=organisation, is_scim_managed=True
-        )
-        SCIMGroup.objects.create(
-            external_id="mkt-ext",
-            organisation=organisation,
-            team=team2,
-            display_name="Marketing",
-        )
+        mock_serialize.return_value = _serialized_group(eng)
 
         resp = scim_client.get(GROUPS_URL, {"startIndex": 1, "count": 1})
         data = resp.json()
         assert data["totalResults"] == 2
-        assert len(data["Resources"]) == 1
+        assert data["itemsPerPage"] == 1
 
 
 # ---------------------------------------------------------------------------
@@ -111,10 +153,26 @@ def test_pagination(self, scim_client, scim_group_engineering, organisation):
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestCreateGroup:
 
-    def test_create_group(self, scim_client, scim_token, developer_role):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
+    @patch(f"{_P}.Team")
+    def test_create_group(
+        self, MockTeam, MockSCIMGroup, MockSCIMUser, mock_add_member,
+        mock_serialize, mock_log, scim_client
+    ):
+        team = make_mock_team(name="Design")
+        MockTeam.objects.create.return_value = team
+
+        scim_group = make_mock_scim_group(display_name="Design", external_id="design-ext-id")
+        MockSCIMGroup.objects.create.return_value = scim_group
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(scim_group)
+
         payload = make_scim_group_payload("Design", "design-ext-id")
         resp = scim_client.post(
             GROUPS_URL,
@@ -124,38 +182,64 @@ def test_create_group(self, scim_client, scim_token, developer_role):
         assert resp.status_code == 201
         data = resp.json()
         assert data["displayName"] == "Design"
-        assert data["externalId"] == "design-ext-id"
-        assert "/scim/v2/Groups/" in data["meta"]["location"]
+        MockTeam.objects.create.assert_called_once()
+        create_kwargs = MockTeam.objects.create.call_args[1]
+        assert create_kwargs["is_scim_managed"] is True
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
+    @patch(f"{_P}.Team")
+    def test_create_group_with_description(
+        self, MockTeam, MockSCIMGroup, MockSCIMUser, mock_add_member,
+        mock_serialize, mock_log, scim_client
+    ):
+        team = make_mock_team(name="QA Team")
+        MockTeam.objects.create.return_value = team
 
-        # Verify Team created
-        scim_group = SCIMGroup.objects.get(id=data["id"])
-        assert scim_group.team is not None
-        assert scim_group.team.is_scim_managed is True
-        assert scim_group.team.name == "Design"
+        scim_group = make_mock_scim_group(display_name="QA Team")
+        MockSCIMGroup.objects.create.return_value = scim_group
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(scim_group)
 
-    def test_create_group_with_description(self, scim_client, scim_token, developer_role):
-        payload = make_scim_group_payload(
-            "QA Team", "qa-ext-id", description="Quality Assurance"
-        )
+        payload = make_scim_group_payload("QA Team", "qa-ext-id", description="Quality Assurance")
         resp = scim_client.post(
             GROUPS_URL,
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        scim_group = SCIMGroup.objects.get(id=resp.json()["id"])
-        assert scim_group.team.description == "Quality Assurance"
-
+        create_kwargs = MockTeam.objects.create.call_args[1]
+        assert create_kwargs["description"] == "Quality Assurance"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
+    @patch(f"{_P}.Team")
     def test_create_group_with_initial_members(
-        self, scim_client, scim_user_alice, scim_user_bob
+        self, MockTeam, MockSCIMGroup, MockSCIMUser, mock_add_member,
+        mock_serialize, mock_log, scim_client
     ):
+        team = make_mock_team(name="NewTeam")
+        MockTeam.objects.create.return_value = team
+
+        scim_group = make_mock_scim_group(display_name="NewTeam")
+        MockSCIMGroup.objects.create.return_value = scim_group
+        MockSCIMGroup.DoesNotExist = Exception
+
+        alice = make_mock_scim_user(email="alice@example.com", id="alice-id")
+        bob = make_mock_scim_user(email="bob@example.com", id="bob-id")
+        MockSCIMUser.objects.filter.return_value.first.side_effect = [alice, bob]
+
+        mock_serialize.return_value = _serialized_group(scim_group)
+
         payload = make_scim_group_payload(
-            "NewTeam",
-            "new-ext-id",
-            members=[
-                {"value": str(scim_user_alice.id)},
-                {"value": str(scim_user_bob.id)},
-            ],
+            "NewTeam", "new-ext-id",
+            members=[{"value": "alice-id"}, {"value": "bob-id"}],
         )
         resp = scim_client.post(
             GROUPS_URL,
@@ -163,12 +247,10 @@ def test_create_group_with_initial_members(
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        scim_group = SCIMGroup.objects.get(id=resp.json()["id"])
-        assert scim_group.team.memberships.count() == 2
+        assert mock_add_member.call_count == 2
 
-    def test_create_group_missing_display_name_returns_400(
-        self, scim_client, scim_token
-    ):
+    @patch(f"{_P}.log_scim_event")
+    def test_create_group_missing_display_name_returns_400(self, mock_log, scim_client):
         payload = {
             "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
             "externalId": "x",
@@ -180,10 +262,17 @@ def test_create_group_missing_display_name_returns_400(
         )
         assert resp.status_code == 400
 
-    @pytest.mark.django_db(transaction=True)
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMGroup")
+    @patch(f"{_P}.Team")
     def test_create_duplicate_external_id_returns_409(
-        self, scim_client, scim_group_engineering
+        self, MockTeam, MockSCIMGroup, mock_log, scim_client
     ):
+        team = make_mock_team()
+        MockTeam.objects.create.return_value = team
+        MockSCIMGroup.objects.create.side_effect = IntegrityError("duplicate key")
+        MockSCIMGroup.DoesNotExist = Exception
+
         payload = make_scim_group_payload("Another", "eng-ext-id")
         resp = scim_client.post(
             GROUPS_URL,
@@ -191,8 +280,25 @@ def test_create_duplicate_external_id_returns_409(
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 409
+        # Team should be cleaned up
+        team.delete.assert_called_once()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
+    @patch(f"{_P}.Team")
+    def test_create_group_logs_event(
+        self, MockTeam, MockSCIMGroup, MockSCIMUser, mock_add_member,
+        mock_serialize, mock_log, scim_client
+    ):
+        MockTeam.objects.create.return_value = make_mock_team()
+        scim_group = make_mock_scim_group(display_name="Logged Group")
+        MockSCIMGroup.objects.create.return_value = scim_group
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(scim_group)
 
-    def test_create_group_logs_event(self, scim_client, scim_token, developer_role):
         payload = make_scim_group_payload("Logged Group", "log-ext-id")
         resp = scim_client.post(
             GROUPS_URL,
@@ -200,16 +306,28 @@ def test_create_group_logs_event(self, scim_client, scim_token, developer_role):
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        event = SCIMEvent.objects.filter(
-            event_type="group_created", status="success"
-        ).first()
-        assert event is not None
-        assert event.resource_name == "Logged Group"
-        assert event.response_status == 201
-
+        mock_log.assert_called()
+        log_call = mock_log.call_args_list[-1]
+        assert log_call[0][1] == "group_created"
+        assert log_call[1]["response_status"] == 201
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
+    @patch(f"{_P}.Team")
     def test_create_group_truncates_long_name(
-        self, scim_client, scim_token, developer_role
+        self, MockTeam, MockSCIMGroup, MockSCIMUser, mock_add_member,
+        mock_serialize, mock_log, scim_client
     ):
+        team = make_mock_team()
+        MockTeam.objects.create.return_value = team
+        scim_group = make_mock_scim_group()
+        MockSCIMGroup.objects.create.return_value = scim_group
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(scim_group)
+
         long_name = "A" * 100
         payload = make_scim_group_payload(long_name, "long-ext-id")
         resp = scim_client.post(
@@ -218,8 +336,8 @@ def test_create_group_truncates_long_name(
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        scim_group = SCIMGroup.objects.get(id=resp.json()["id"])
-        assert len(scim_group.team.name) == 64
+        create_kwargs = MockTeam.objects.create.call_args[1]
+        assert len(create_kwargs["name"]) == 64
 
 
 # ---------------------------------------------------------------------------
@@ -227,498 +345,662 @@ def test_create_group_truncates_long_name(
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestGetGroup:
 
-    def test_get_existing_group(self, scim_client, scim_group_engineering):
-        resp = scim_client.get(group_url(scim_group_engineering.id))
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_get_existing_group(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering", id="eng-id")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        members = [
+            {"value": "u1", "display": "Alice"},
+            {"value": "u2", "display": "Bob"},
+        ]
+        mock_serialize.return_value = _serialized_group(eng, members=members)
+
+        resp = scim_client.get(group_url("eng-id"))
         assert resp.status_code == 200
         data = resp.json()
         assert data["displayName"] == "Engineering"
         assert len(data["members"]) == 2
 
-    def test_get_nonexistent_group(self, scim_client, scim_token):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMGroup")
+    def test_get_nonexistent_group(self, MockSCIMGroup, mock_log, scim_client):
+        MockSCIMGroup.DoesNotExist = Exception
+        MockSCIMGroup.objects.select_related.return_value.get.side_effect = Exception("not found")
+
         resp = scim_client.get(group_url("nonexistent-id"))
         assert resp.status_code == 404
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
     def test_get_group_members_have_correct_format(
-        self, scim_client, scim_group_engineering
+        self, MockSCIMGroup, mock_serialize, mock_log, scim_client
     ):
-        resp = scim_client.get(group_url(scim_group_engineering.id))
-        members = resp.json()["members"]
-        for m in members:
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        members = [
+            {"value": "u1", "display": "Alice"},
+            {"value": "u2", "display": "Bob"},
+        ]
+        mock_serialize.return_value = _serialized_group(eng, members=members)
+
+        resp = scim_client.get(group_url(eng.id))
+        for m in resp.json()["members"]:
             assert "value" in m
             assert "display" in m
 
 
 # ---------------------------------------------------------------------------
-# Replace (PUT — Okta's primary method for group updates)
+# Replace (PUT)
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestReplaceGroup:
 
-    def test_rename_group_via_put(self, scim_client, scim_group_engineering):
-        payload = make_scim_group_payload(
-            "Engineering v2",
-            "eng-ext-id",
-            members=[
-                {"value": str(m["value"])}
-                for m in scim_client.get(
-                    group_url(scim_group_engineering.id)
-                ).json()["members"]
-            ],
-        )
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.TeamMembership")
+    @patch(f"{_P}.SCIMGroup")
+    def test_rename_group_via_put(
+        self, MockSCIMGroup, MockTM, MockSCIMUser, mock_add, mock_remove,
+        mock_serialize, mock_log, scim_client
+    ):
+        eng = make_mock_scim_group(display_name="Engineering", external_id="eng-ext-id")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        # No membership changes (empty current, empty incoming)
+        MockTM.objects.filter.return_value.select_related.return_value = []
+        mock_serialize.return_value = _serialized_group(eng, display_name="Engineering v2")
+
+        payload = make_scim_group_payload("Engineering v2", "eng-ext-id", members=[])
         resp = scim_client.put(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_group_engineering.refresh_from_db()
-        assert scim_group_engineering.display_name == "Engineering v2"
-        scim_group_engineering.team.refresh_from_db()
-        assert scim_group_engineering.team.name == "Engineering v2"
-
+        assert eng.display_name == "Engineering v2"
+        eng.team.save.assert_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.TeamMembership")
+    @patch(f"{_P}.SCIMGroup")
     def test_put_membership_diff_adds_new_members(
-        self,
-        scim_client,
-        scim_group_engineering,
-        scim_user_alice,
-        scim_user_bob,
-        organisation,
-        developer_role,
+        self, MockSCIMGroup, MockTM, MockSCIMUser, mock_add, mock_remove,
+        mock_serialize, mock_log, scim_client
     ):
-        """PUT with a new member in the list should add them."""
-        # Create a third user
-        from api.models import CustomUser, OrganisationMember
-
-        user_carol = CustomUser.objects.create(
-            username="carol@example.com", email="carol@example.com"
-        )
-        om_carol = OrganisationMember.objects.create(
-            user=user_carol,
-            organisation=organisation,
-            role=developer_role,
-            identity_key="",
-            wrapped_keyring="",
-            wrapped_recovery="",
-        )
-        scim_carol = SCIMUser.objects.create(
-            external_id="carol-ext",
-            organisation=organisation,
-            user=user_carol,
-            org_member=om_carol,
-            email="carol@example.com",
-            display_name="Carol Test",
-            active=True,
-        )
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        # Current: alice. Incoming: alice + carol
+        alice = make_mock_scim_user(email="alice@example.com", id="alice-id")
+        carol = make_mock_scim_user(email="carol@example.com", id="carol-id")
+
+        # Current memberships — one membership pointing to alice
+        alice_tm = MagicMock()
+        alice_tm.org_member = alice.org_member
+        MockTM.objects.filter.return_value.select_related.return_value = [alice_tm]
+
+        # When querying SCIMUser for current membership mapping, return alice
+        # When querying for the new member to add, return carol
+        def scim_user_filter_side_effect(**kwargs):
+            qs = MagicMock()
+            if kwargs.get("org_member") == alice.org_member:
+                qs.first.return_value = alice
+            elif kwargs.get("id") == "carol-id":
+                qs.first.return_value = carol
+            elif kwargs.get("id") == "alice-id":
+                qs.first.return_value = alice
+            else:
+                qs.first.return_value = None
+            return qs
+
+        MockSCIMUser.objects.filter.side_effect = scim_user_filter_side_effect
+
+        mock_serialize.return_value = _serialized_group(eng)
 
         payload = make_scim_group_payload(
-            "Engineering",
-            "eng-ext-id",
-            members=[
-                {"value": str(scim_user_alice.id)},
-                {"value": str(scim_user_bob.id)},
-                {"value": str(scim_carol.id)},
-            ],
+            "Engineering", "eng-ext-id",
+            members=[{"value": "alice-id"}, {"value": "carol-id"}],
         )
         resp = scim_client.put(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert scim_group_engineering.team.memberships.count() == 3
-
+        # carol should be added
+        mock_add.assert_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.TeamMembership")
+    @patch(f"{_P}.SCIMGroup")
     def test_put_membership_diff_removes_departed_members(
-        self, scim_client, scim_group_engineering, scim_user_alice, scim_user_bob
+        self, MockSCIMGroup, MockTM, MockSCIMUser, mock_add, mock_remove,
+        mock_serialize, mock_log, scim_client
     ):
-        """PUT without a current member should remove them."""
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        alice = make_mock_scim_user(email="alice@example.com", id="alice-id")
+        bob = make_mock_scim_user(email="bob@example.com", id="bob-id")
+
+        alice_tm = MagicMock()
+        alice_tm.org_member = alice.org_member
+        bob_tm = MagicMock()
+        bob_tm.org_member = bob.org_member
+        MockTM.objects.filter.return_value.select_related.return_value = [alice_tm, bob_tm]
+
+        def scim_user_filter_side_effect(**kwargs):
+            qs = MagicMock()
+            if kwargs.get("org_member") == alice.org_member:
+                qs.first.return_value = alice
+            elif kwargs.get("org_member") == bob.org_member:
+                qs.first.return_value = bob
+            elif kwargs.get("id") == "alice-id":
+                qs.first.return_value = alice
+            elif kwargs.get("id") == "bob-id":
+                qs.first.return_value = bob
+            else:
+                qs.first.return_value = None
+            return qs
+
+        MockSCIMUser.objects.filter.side_effect = scim_user_filter_side_effect
+        mock_serialize.return_value = _serialized_group(eng)
+
+        # Only keep alice
         payload = make_scim_group_payload(
-            "Engineering",
-            "eng-ext-id",
-            members=[{"value": str(scim_user_alice.id)}],
+            "Engineering", "eng-ext-id",
+            members=[{"value": "alice-id"}],
         )
         resp = scim_client.put(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert scim_group_engineering.team.memberships.count() == 1
-        assert not TeamMembership.objects.filter(
-            team=scim_group_engineering.team,
-            org_member=scim_user_bob.org_member,
-        ).exists()
-
+        # Bob should be removed
+        mock_remove.assert_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.TeamMembership")
+    @patch(f"{_P}.SCIMGroup")
     def test_put_empty_members_removes_all(
-        self, scim_client, scim_group_engineering
+        self, MockSCIMGroup, MockTM, MockSCIMUser, mock_add, mock_remove,
+        mock_serialize, mock_log, scim_client
     ):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        alice = make_mock_scim_user(email="alice@example.com", id="alice-id")
+        bob = make_mock_scim_user(email="bob@example.com", id="bob-id")
+
+        alice_tm = MagicMock()
+        alice_tm.org_member = alice.org_member
+        bob_tm = MagicMock()
+        bob_tm.org_member = bob.org_member
+        MockTM.objects.filter.return_value.select_related.return_value = [alice_tm, bob_tm]
+
+        def scim_user_filter_side_effect(**kwargs):
+            qs = MagicMock()
+            if kwargs.get("org_member") == alice.org_member:
+                qs.first.return_value = alice
+            elif kwargs.get("org_member") == bob.org_member:
+                qs.first.return_value = bob
+            elif kwargs.get("id") == "alice-id":
+                qs.first.return_value = alice
+            elif kwargs.get("id") == "bob-id":
+                qs.first.return_value = bob
+            else:
+                qs.first.return_value = None
+            return qs
+
+        MockSCIMUser.objects.filter.side_effect = scim_user_filter_side_effect
+        mock_serialize.return_value = _serialized_group(eng, members=[])
+
         payload = make_scim_group_payload("Engineering", "eng-ext-id", members=[])
         resp = scim_client.put(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert scim_group_engineering.team.memberships.count() == 0
+        # Both alice and bob should be removed
+        assert mock_remove.call_count == 2
 
 
 # ---------------------------------------------------------------------------
-# Partial update (PATCH — Entra ID's primary method for groups)
+# Partial update (PATCH)
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestPatchGroup:
 
     # -- Add members --
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_add_member_entra_style(
-        self,
-        scim_client,
-        scim_group_engineering,
-        organisation,
-        developer_role,
+        self, MockSCIMGroup, MockSCIMUser, mock_add_member, mock_serialize, mock_log, scim_client
     ):
-        """Entra ID sends PATCH Add members with value array."""
-        from api.models import CustomUser, OrganisationMember
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
 
-        user_dave = CustomUser.objects.create(
-            username="dave@example.com", email="dave@example.com"
-        )
-        om_dave = OrganisationMember.objects.create(
-            user=user_dave,
-            organisation=organisation,
-            role=developer_role,
-            identity_key="",
-            wrapped_keyring="",
-            wrapped_recovery="",
-        )
-        scim_dave = SCIMUser.objects.create(
-            external_id="dave-ext",
-            organisation=organisation,
-            user=user_dave,
-            org_member=om_dave,
-            email="dave@example.com",
-            display_name="Dave Test",
-            active=True,
-        )
+        dave = make_mock_scim_user(email="dave@example.com", id="dave-id")
+        MockSCIMUser.objects.filter.return_value.first.return_value = dave
+
+        mock_serialize.return_value = _serialized_group(eng)
 
         payload = make_patch_op([
-            {
-                "op": "Add",
-                "path": "members",
-                "value": [{"value": str(scim_dave.id)}],
-            }
+            {"op": "Add", "path": "members", "value": [{"value": "dave-id"}]}
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert scim_group_engineering.team.memberships.count() == 3
-        assert TeamMembership.objects.filter(
-            team=scim_group_engineering.team, org_member=om_dave
-        ).exists()
+        mock_add_member.assert_called_once()
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_add_member_logs_event(
-        self,
-        scim_client,
-        scim_group_engineering,
-        organisation,
-        developer_role,
+        self, MockSCIMGroup, MockSCIMUser, mock_add_member, mock_serialize, mock_log, scim_client
     ):
-        from api.models import CustomUser, OrganisationMember
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
 
-        user_eve = CustomUser.objects.create(
-            username="eve@example.com", email="eve@example.com"
-        )
-        om_eve = OrganisationMember.objects.create(
-            user=user_eve,
-            organisation=organisation,
-            role=developer_role,
-            identity_key="",
-            wrapped_keyring="",
-            wrapped_recovery="",
-        )
-        scim_eve = SCIMUser.objects.create(
-            external_id="eve-ext",
-            organisation=organisation,
-            user=user_eve,
-            org_member=om_eve,
-            email="eve@example.com",
-            display_name="Eve Test",
-            active=True,
-        )
+        eve = make_mock_scim_user(email="eve@example.com", id="eve-id")
+        MockSCIMUser.objects.filter.return_value.first.return_value = eve
+        mock_serialize.return_value = _serialized_group(eng)
 
         payload = make_patch_op([
-            {"op": "Add", "path": "members", "value": [{"value": str(scim_eve.id)}]}
+            {"op": "Add", "path": "members", "value": [{"value": "eve-id"}]}
         ])
         scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
-        event = SCIMEvent.objects.filter(event_type="member_added").first()
-        assert event is not None
-        assert event.detail["member_email"] == "eve@example.com"
-
+        # Should have at least one member_added log call
+        member_added_calls = [
+            c for c in mock_log.call_args_list if c[0][1] == "member_added"
+        ]
+        assert len(member_added_calls) >= 1
+        assert member_added_calls[0][1]["detail"]["member_email"] == "eve@example.com"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._add_member_to_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_add_member_idempotent(
-        self, scim_client, scim_group_engineering, scim_user_alice
+        self, MockSCIMGroup, MockSCIMUser, mock_add_member, mock_serialize, mock_log, scim_client
     ):
-        """Adding an already-present member should not create duplicates."""
+        """Adding a member should call _add_member_to_team (which handles dedup internally)."""
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        alice = make_mock_scim_user(email="alice@example.com", id="alice-id")
+        MockSCIMUser.objects.filter.return_value.first.return_value = alice
+        mock_serialize.return_value = _serialized_group(eng)
+
         payload = make_patch_op([
-            {
-                "op": "Add",
-                "path": "members",
-                "value": [{"value": str(scim_user_alice.id)}],
-            }
+            {"op": "Add", "path": "members", "value": [{"value": "alice-id"}]}
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        # Still only 2 memberships (alice and bob), not 3
-        assert scim_group_engineering.team.memberships.count() == 2
+        mock_add_member.assert_called_once()
 
     # -- Remove members (Entra ID format) --
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}.parse_patch_path_filter")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_remove_member_entra_bracket_notation(
-        self, scim_client, scim_group_engineering, scim_user_bob
+        self, MockSCIMGroup, MockSCIMUser, mock_parse_filter, mock_remove,
+        mock_serialize, mock_log, scim_client
     ):
-        """Entra ID sends: op=Remove, path='members[value eq "id"]'."""
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        bob = make_mock_scim_user(email="bob@example.com", id="bob-id")
+        MockSCIMUser.objects.filter.return_value.first.return_value = bob
+        mock_parse_filter.return_value = "bob-id"
+        mock_serialize.return_value = _serialized_group(eng)
+
         payload = make_patch_op([
-            {
-                "op": "Remove",
-                "path": f'members[value eq "{scim_user_bob.id}"]',
-            }
+            {"op": "Remove", "path": f'members[value eq "bob-id"]'}
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert not TeamMembership.objects.filter(
-            team=scim_group_engineering.team,
-            org_member=scim_user_bob.org_member,
-        ).exists()
-        # Alice should still be there
-        assert scim_group_engineering.team.memberships.count() == 1
+        mock_remove.assert_called_once()
 
     # -- Remove members (Okta format) --
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_remove_member_okta_value_array(
-        self, scim_client, scim_group_engineering, scim_user_bob
+        self, MockSCIMGroup, MockSCIMUser, mock_remove, mock_serialize, mock_log, scim_client
     ):
-        """Okta sends: op=Remove, path='members', value=[{"value": "id"}]."""
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        bob = make_mock_scim_user(email="bob@example.com", id="bob-id")
+        MockSCIMUser.objects.filter.return_value.first.return_value = bob
+        mock_serialize.return_value = _serialized_group(eng)
+
         payload = make_patch_op([
-            {
-                "op": "Remove",
-                "path": "members",
-                "value": [{"value": str(scim_user_bob.id)}],
-            }
+            {"op": "Remove", "path": "members", "value": [{"value": "bob-id"}]}
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert not TeamMembership.objects.filter(
-            team=scim_group_engineering.team,
-            org_member=scim_user_bob.org_member,
-        ).exists()
+        mock_remove.assert_called()
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_remove_member_logs_event(
-        self, scim_client, scim_group_engineering, scim_user_bob
+        self, MockSCIMGroup, MockSCIMUser, mock_remove, mock_serialize, mock_log, scim_client
     ):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        bob = make_mock_scim_user(email="bob@example.com", id="bob-id")
+        MockSCIMUser.objects.filter.return_value.first.return_value = bob
+        mock_serialize.return_value = _serialized_group(eng)
+
         payload = make_patch_op([
-            {
-                "op": "Remove",
-                "path": f'members[value eq "{scim_user_bob.id}"]',
-            }
+            {"op": "Remove", "path": "members", "value": [{"value": "bob-id"}]}
         ])
         scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
-        event = SCIMEvent.objects.filter(event_type="member_removed").first()
-        assert event is not None
-        assert event.detail["member_email"] == "bob@example.com"
+        member_removed_calls = [
+            c for c in mock_log.call_args_list if c[0][1] == "member_removed"
+        ]
+        assert len(member_removed_calls) >= 1
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}._remove_member_from_team")
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.SCIMGroup")
     def test_remove_nonexistent_member_is_noop(
-        self, scim_client, scim_group_engineering
+        self, MockSCIMGroup, MockSCIMUser, mock_remove, mock_serialize, mock_log, scim_client
     ):
-        """Removing a member that's not in the group should not error."""
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        MockSCIMUser.objects.filter.return_value.first.return_value = None
+        mock_serialize.return_value = _serialized_group(eng)
+
         payload = make_patch_op([
-            {
-                "op": "Remove",
-                "path": 'members[value eq "nonexistent-id"]',
-            }
+            {"op": "Remove", "path": "members", "value": [{"value": "nonexistent-id"}]}
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert scim_group_engineering.team.memberships.count() == 2
+        mock_remove.assert_not_called()
 
     # -- Rename group --
 
-    def test_rename_via_patch_replace(self, scim_client, scim_group_engineering):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_rename_via_patch_replace(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(eng, display_name="Platform")
+
         payload = make_patch_op([
             {"op": "Replace", "path": "displayName", "value": "Platform"},
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_group_engineering.refresh_from_db()
-        assert scim_group_engineering.display_name == "Platform"
-        scim_group_engineering.team.refresh_from_db()
-        assert scim_group_engineering.team.name == "Platform"
+        assert eng.display_name == "Platform"
+        eng.team.save.assert_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_rename_via_patch_add(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(eng, display_name="Infrastructure")
 
-    def test_rename_via_patch_add(self, scim_client, scim_group_engineering):
-        """Some IdPs use 'Add' op for displayName updates."""
         payload = make_patch_op([
             {"op": "Add", "path": "displayName", "value": "Infrastructure"},
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_group_engineering.team.refresh_from_db()
-        assert scim_group_engineering.team.name == "Infrastructure"
+        assert eng.display_name == "Infrastructure"
 
     # -- Update description --
 
-    def test_update_description_via_patch(self, scim_client, scim_group_engineering):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_update_description_via_patch(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(eng)
+
         payload = make_patch_op([
             {"op": "Replace", "path": "description", "value": "The engineering team"},
         ])
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_group_engineering.team.refresh_from_db()
-        assert scim_group_engineering.team.description == "The engineering team"
+        eng.team.save.assert_called()
 
     # -- No operations --
 
-    def test_patch_no_operations_returns_400(self, scim_client, scim_group_engineering):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMGroup")
+    def test_patch_no_operations_returns_400(self, MockSCIMGroup, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
         payload = {
             "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
             "Operations": [],
         }
         resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
+            group_url(eng.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 400
 
-    # -- Remove last member --
-
-    def test_remove_all_members_leaves_empty_team(
-        self, scim_client, scim_group_engineering, scim_user_alice, scim_user_bob
-    ):
-        payload = make_patch_op([
-            {
-                "op": "Remove",
-                "path": f'members[value eq "{scim_user_alice.id}"]',
-            },
-            {
-                "op": "Remove",
-                "path": f'members[value eq "{scim_user_bob.id}"]',
-            },
-        ])
-        resp = scim_client.patch(
-            group_url(scim_group_engineering.id),
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-        assert scim_group_engineering.team.memberships.count() == 0
-        # Team still exists
-        scim_group_engineering.team.refresh_from_db()
-        assert scim_group_engineering.team.deleted_at is None
-
 
 # ---------------------------------------------------------------------------
 # Delete (DELETE)
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestDeleteGroup:
 
-    def test_delete_returns_204(self, scim_client, scim_group_engineering):
-        resp = scim_client.delete(group_url(scim_group_engineering.id))
-        assert resp.status_code == 204
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.SCIMGroup")
+    def test_delete_returns_204(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
 
-    def test_delete_soft_deletes_team(self, scim_client, scim_group_engineering):
-        team = scim_group_engineering.team
-        scim_client.delete(group_url(scim_group_engineering.id))
-        team.refresh_from_db()
-        assert team.deleted_at is not None
+        resp = scim_client.delete(group_url(eng.id))
+        assert resp.status_code == 204
 
-    def test_delete_removes_scim_group_record(
-        self, scim_client, scim_group_engineering
-    ):
-        group_id = scim_group_engineering.id
-        scim_client.delete(group_url(group_id))
-        assert not SCIMGroup.objects.filter(id=group_id).exists()
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.SCIMGroup")
+    def test_delete_soft_deletes_team(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        scim_client.delete(group_url(eng.id))
+        assert eng.team.deleted_at is not None
+        eng.team.save.assert_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.SCIMGroup")
+    def test_delete_removes_scim_group_record(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        scim_client.delete(group_url(eng.id))
+        eng.delete.assert_called_once()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.SCIMGroup")
+    def test_delete_logs_event(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        scim_client.delete(group_url(eng.id))
+        mock_log.assert_called()
+        log_call = mock_log.call_args_list[0]
+        assert log_call[0][1] == "group_deleted"
+        assert log_call[1]["response_status"] == 204
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMGroup")
+    def test_delete_nonexistent_returns_404(self, MockSCIMGroup, mock_log, scim_client):
+        MockSCIMGroup.DoesNotExist = Exception
+        MockSCIMGroup.objects.select_related.return_value.get.side_effect = Exception("not found")
 
-    def test_delete_does_not_affect_member_org_membership(
-        self, scim_client, scim_group_engineering, scim_user_alice
-    ):
-        """Deleting a group should not deactivate the member's org membership."""
-        scim_client.delete(group_url(scim_group_engineering.id))
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is None
-
-    def test_delete_logs_event(self, scim_client, scim_group_engineering):
-        scim_client.delete(group_url(scim_group_engineering.id))
-        event = SCIMEvent.objects.filter(event_type="group_deleted").first()
-        assert event is not None
-        assert event.resource_name == "Engineering"
-        assert event.response_status == 204
-
-    def test_delete_nonexistent_returns_404(self, scim_client, scim_token):
         resp = scim_client.delete(group_url("nonexistent-id"))
         assert resp.status_code == 404
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.SCIMGroup")
+    def test_delete_revokes_team_environment_keys(
+        self, MockSCIMGroup, mock_revoke, mock_log, scim_client
+    ):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+
+        scim_client.delete(group_url(eng.id))
+        mock_revoke.assert_called_once_with(eng.team)
+
 
 # ---------------------------------------------------------------------------
 # Response format
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestGroupResponseFormat:
 
-    def test_response_contains_schemas(self, scim_client, scim_group_engineering):
-        resp = scim_client.get(group_url(scim_group_engineering.id))
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_response_contains_schemas(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(eng)
+
+        resp = scim_client.get(group_url(eng.id))
         data = resp.json()
         assert "urn:ietf:params:scim:schemas:core:2.0:Group" in data["schemas"]
 
-    def test_response_meta_location_format(self, scim_client, scim_group_engineering):
-        resp = scim_client.get(group_url(scim_group_engineering.id))
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_group")
+    @patch(f"{_P}.SCIMGroup")
+    def test_response_meta_location_format(self, MockSCIMGroup, mock_serialize, mock_log, scim_client):
+        eng = make_mock_scim_group(display_name="Engineering")
+        MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
+        MockSCIMGroup.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_group(eng)
+
+        resp = scim_client.get(group_url(eng.id))
         location = resp.json()["meta"]["location"]
-        assert location.startswith("https://")
         assert "/service/scim/v2/Groups/" in location
diff --git a/backend/tests/ee/authentication/scim/test_lifecycle.py b/backend/tests/ee/authentication/scim/test_lifecycle.py
deleted file mode 100644
index bad682cfd..000000000
--- a/backend/tests/ee/authentication/scim/test_lifecycle.py
+++ /dev/null
@@ -1,627 +0,0 @@
-"""End-to-end lifecycle tests for SCIM provisioning.
-
-These tests simulate complete IdP provisioning flows — the same multi-step
-sequences that Entra ID and Okta perform in production — and verify the
-cumulative state after each step.
-"""
-
-import json
-
-import pytest
-
-from api.models import (
-    CustomUser,
-    Organisation,
-    OrganisationMember,
-    SCIMEvent,
-    SCIMGroup,
-    SCIMUser,
-    Team,
-    TeamMembership,
-)
-
-from .conftest import (
-    SCIM_CONTENT_TYPE,
-    make_patch_op,
-    make_scim_group_payload,
-    make_scim_user_payload,
-)
-
-USERS_URL = "/scim/v2/Users"
-GROUPS_URL = "/scim/v2/Groups"
-
-
-# ---------------------------------------------------------------------------
-# Scenario 9.1: Full user lifecycle
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestFullUserLifecycle:
-    """
-    1. Provision user
-    2. Push group containing user
-    3. (SSO login + key ceremony simulated)
-    4. Remove user from group
-    5. Verify user still in org but not in team
-    6. Unassign user → deactivated
-    """
-
-    def test_full_lifecycle(self, scim_client, scim_token, developer_role, organisation):
-        # 1. Provision user
-        user_payload = make_scim_user_payload(
-            "lifecycle@example.com", "lifecycle-ext"
-        )
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(user_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 201
-        scim_user_id = resp.json()["id"]
-
-        scim_user = SCIMUser.objects.get(id=scim_user_id)
-        assert scim_user.active is True
-        assert scim_user.org_member.identity_key == ""  # Pending
-
-        # 2. Push group containing this user
-        group_payload = make_scim_group_payload(
-            "Lifecycle Team",
-            "lifecycle-grp-ext",
-            members=[{"value": scim_user_id}],
-        )
-        resp = scim_client.post(
-            GROUPS_URL,
-            data=json.dumps(group_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 201
-        scim_group_id = resp.json()["id"]
-        scim_group = SCIMGroup.objects.get(id=scim_group_id)
-        assert scim_group.team.memberships.count() == 1
-
-        # 3. Simulate SSO login + key ceremony (set identity_key)
-        scim_user.org_member.identity_key = "real-identity-key"
-        scim_user.org_member.wrapped_keyring = "real-keyring"
-        scim_user.org_member.wrapped_recovery = "real-recovery"
-        scim_user.org_member.save()
-
-        # 4. Remove user from group (Entra ID style)
-        remove_payload = make_patch_op([
-            {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
-        ])
-        resp = scim_client.patch(
-            f"{GROUPS_URL}/{scim_group_id}",
-            data=json.dumps(remove_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # 5. Verify: user still in org, not in team
-        scim_user.refresh_from_db()
-        assert scim_user.active is True
-        scim_user.org_member.refresh_from_db()
-        assert scim_user.org_member.deleted_at is None
-        assert not TeamMembership.objects.filter(
-            org_member=scim_user.org_member
-        ).exists()
-
-        # 6. Unassign user (Entra PATCH active=false)
-        deactivate_payload = make_patch_op([
-            {"op": "Replace", "path": "active", "value": "False"}
-        ])
-        resp = scim_client.patch(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(deactivate_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # Verify final state
-        scim_user.refresh_from_db()
-        assert scim_user.active is False
-        scim_user.org_member.refresh_from_db()
-        assert scim_user.org_member.deleted_at is not None
-        assert scim_user.org_member.identity_key == ""
-        assert scim_user.org_member.wrapped_keyring == ""
-
-        # Verify audit trail
-        events = SCIMEvent.objects.filter(
-            organisation=organisation
-        ).order_by("timestamp")
-        event_types = [e.event_type for e in events]
-        assert "user_created" in event_types
-        assert "group_created" in event_types
-        assert "member_removed" in event_types
-        assert "user_deactivated" in event_types
-
-
-# ---------------------------------------------------------------------------
-# Scenario 9.2: Deactivate → reactivate with different group membership
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestDeactivateReactivateDifferentGroups:
-    """
-    1. User in Group A and Group B
-    2. Deactivate user → memberships cleared
-    3. Remove user from Group B in IdP (while deactivated)
-    4. Reactivate user
-    5. IdP re-pushes: user added to Group A only
-    6. Verify: user in Team A, NOT in Team B
-    """
-
-    def test_reactivation_with_different_groups(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        # Setup: provision user
-        user_payload = make_scim_user_payload("regroup@example.com", "regroup-ext")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(user_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_user_id = resp.json()["id"]
-
-        # Create Group A and Group B with user
-        for name, ext_id in [("Group A", "grp-a-ext"), ("Group B", "grp-b-ext")]:
-            resp = scim_client.post(
-                GROUPS_URL,
-                data=json.dumps(
-                    make_scim_group_payload(name, ext_id, members=[{"value": scim_user_id}])
-                ),
-                content_type=SCIM_CONTENT_TYPE,
-            )
-            assert resp.status_code == 201
-
-        scim_user = SCIMUser.objects.get(id=scim_user_id)
-        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 2
-
-        # Deactivate user (Okta PUT style)
-        deactivate_payload = make_scim_user_payload(
-            "regroup@example.com", "regroup-ext", active=False
-        )
-        resp = scim_client.put(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(deactivate_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # All team memberships should be cleared
-        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 0
-
-        # Reactivate user
-        reactivate_payload = make_scim_user_payload(
-            "regroup@example.com", "regroup-ext", active=True
-        )
-        resp = scim_client.put(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(reactivate_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-        scim_user.refresh_from_db()
-        assert scim_user.active is True
-
-        # Still no team memberships (IdP hasn't re-pushed yet)
-        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 0
-
-        # IdP re-pushes Group A only (simulating user was removed from B while deactivated)
-        group_a = SCIMGroup.objects.get(external_id="grp-a-ext")
-        add_payload = make_patch_op([
-            {"op": "Add", "path": "members", "value": [{"value": scim_user_id}]}
-        ])
-        resp = scim_client.patch(
-            f"{GROUPS_URL}/{group_a.id}",
-            data=json.dumps(add_payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # Verify: in Group A's team, NOT in Group B's team
-        group_b = SCIMGroup.objects.get(external_id="grp-b-ext")
-        assert TeamMembership.objects.filter(
-            team=group_a.team, org_member=scim_user.org_member
-        ).exists()
-        assert not TeamMembership.objects.filter(
-            team=group_b.team, org_member=scim_user.org_member
-        ).exists()
-
-
-# ---------------------------------------------------------------------------
-# Scenario 9.3: Entra ID group removal triggers user deprovisioning
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestEntraGroupRemovalThenUserDeactivation:
-    """
-    Entra ID's deprovisioning sequence:
-    1. PATCH /Groups/:id — remove member from group
-    2. PATCH /Users/:id — deactivate user (arrives ~10-30s later)
-    """
-
-    def test_entra_deprovisioning_sequence(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        # Provision user and group
-        user_resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(
-                make_scim_user_payload("entra-flow@example.com", "entra-flow-ext")
-            ),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_user_id = user_resp.json()["id"]
-
-        group_resp = scim_client.post(
-            GROUPS_URL,
-            data=json.dumps(
-                make_scim_group_payload(
-                    "Entra Team", "entra-team-ext",
-                    members=[{"value": scim_user_id}],
-                )
-            ),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_group_id = group_resp.json()["id"]
-
-        # Step 1: Entra removes user from group
-        resp = scim_client.patch(
-            f"{GROUPS_URL}/{scim_group_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # User still active but not in team
-        scim_user = SCIMUser.objects.get(id=scim_user_id)
-        assert scim_user.active is True
-        assert not TeamMembership.objects.filter(
-            org_member=scim_user.org_member
-        ).exists()
-
-        # Step 2: Entra deactivates user (arrives later)
-        resp = scim_client.patch(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Replace", "path": "active", "value": "False"}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # Verify final state
-        scim_user.refresh_from_db()
-        assert scim_user.active is False
-        scim_user.org_member.refresh_from_db()
-        assert scim_user.org_member.deleted_at is not None
-
-        # Verify event sequence
-        events = list(
-            SCIMEvent.objects.filter(organisation=organisation)
-            .order_by("timestamp")
-            .values_list("event_type", flat=True)
-        )
-        assert "member_removed" in events
-        assert "user_deactivated" in events
-        # member_removed should come before user_deactivated
-        assert events.index("member_removed") < events.index("user_deactivated")
-
-
-# ---------------------------------------------------------------------------
-# Scenario: Multiple groups, single user — membership isolation
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestMultiGroupMembership:
-    """Removing a user from one group should not affect their membership in other groups."""
-
-    def test_remove_from_one_group_preserves_other(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        # Provision user
-        user_resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(make_scim_user_payload("multi@example.com", "multi-ext")),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_user_id = user_resp.json()["id"]
-
-        # Create two groups with the same user
-        group_ids = []
-        for name, ext_id in [("Team Alpha", "alpha-ext"), ("Team Beta", "beta-ext")]:
-            resp = scim_client.post(
-                GROUPS_URL,
-                data=json.dumps(
-                    make_scim_group_payload(name, ext_id, members=[{"value": scim_user_id}])
-                ),
-                content_type=SCIM_CONTENT_TYPE,
-            )
-            group_ids.append(resp.json()["id"])
-
-        scim_user = SCIMUser.objects.get(id=scim_user_id)
-        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 2
-
-        # Remove from Team Alpha only
-        resp = scim_client.patch(
-            f"{GROUPS_URL}/{group_ids[0]}",
-            data=json.dumps(make_patch_op([
-                {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        # Verify: removed from Alpha, still in Beta
-        assert TeamMembership.objects.filter(org_member=scim_user.org_member).count() == 1
-        beta_group = SCIMGroup.objects.get(id=group_ids[1])
-        assert TeamMembership.objects.filter(
-            team=beta_group.team, org_member=scim_user.org_member
-        ).exists()
-
-
-# ---------------------------------------------------------------------------
-# Scenario: Provision user → link to existing account → verify preservation
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestProvisionExistingAccount:
-    """When SCIM provisions a user whose email already exists as a CustomUser,
-    the existing account should be linked without data loss."""
-
-    def test_existing_user_linked_preserves_data(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        # Pre-existing user (e.g. signed up manually before SCIM)
-        existing_user = CustomUser.objects.create(
-            username="veteran@example.com", email="veteran@example.com"
-        )
-        existing_user.set_password("some-password")
-        existing_user.save()
-
-        # SCIM provisions this email
-        payload = make_scim_user_payload("veteran@example.com", "veteran-ext")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 201
-
-        # Verify link to existing user
-        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
-        assert str(scim_user.user.userId) == str(existing_user.userId)
-        # Existing password should still be set
-        existing_user.refresh_from_db()
-        assert existing_user.has_usable_password() is True
-        # No duplicate CustomUser
-        assert CustomUser.objects.filter(email="veteran@example.com").count() == 1
-
-
-# ---------------------------------------------------------------------------
-# Scenario: Group created empty, members added later
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestGroupCreatedEmptyThenPopulated:
-    """IdPs sometimes create the group first, then add members in subsequent PATCH calls."""
-
-    def test_empty_group_then_add_members(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        # Create user
-        user_resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(make_scim_user_payload("latejoin@example.com", "latejoin-ext")),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_user_id = user_resp.json()["id"]
-
-        # Create empty group
-        group_resp = scim_client.post(
-            GROUPS_URL,
-            data=json.dumps(make_scim_group_payload("Empty First", "empty-ext")),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert group_resp.status_code == 201
-        scim_group_id = group_resp.json()["id"]
-        assert group_resp.json()["members"] == []
-
-        # Add member via PATCH
-        resp = scim_client.patch(
-            f"{GROUPS_URL}/{scim_group_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Add", "path": "members", "value": [{"value": scim_user_id}]}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 200
-
-        scim_group = SCIMGroup.objects.get(id=scim_group_id)
-        assert scim_group.team.memberships.count() == 1
-
-
-# ---------------------------------------------------------------------------
-# Scenario: Cross-org isolation
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestCrossOrgIsolation:
-    """SCIM operations on one org should not affect another org's data."""
-
-    def test_cannot_access_other_org_users(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        # Create a user in our org
-        payload = make_scim_user_payload("ouruser@example.com", "our-ext")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 201
-        our_user_id = resp.json()["id"]
-
-        # Create another org and a user in it (directly in DB)
-        from api.models import Role
-
-        other_org = Organisation.objects.create(
-            name="OtherOrg", identity_key="other-key", plan="EN", scim_enabled=True
-        )
-        other_role = Role.objects.create(
-            name="Developer", organisation=other_org, is_default=True, permissions={}
-        )
-        other_user = CustomUser.objects.create(
-            username="other@example.com", email="other@example.com"
-        )
-        other_om = OrganisationMember.objects.create(
-            user=other_user,
-            organisation=other_org,
-            role=other_role,
-            identity_key="",
-            wrapped_keyring="",
-            wrapped_recovery="",
-        )
-        other_scim_user = SCIMUser.objects.create(
-            external_id="other-ext",
-            organisation=other_org,
-            user=other_user,
-            org_member=other_om,
-            email="other@example.com",
-            display_name="Other User",
-            active=True,
-        )
-
-        # Our token should not see the other org's user
-        resp = scim_client.get(f"{USERS_URL}/{other_scim_user.id}")
-        assert resp.status_code == 404
-
-        # List should only show our user
-        resp = scim_client.get(USERS_URL)
-        assert resp.json()["totalResults"] == 1
-        assert resp.json()["Resources"][0]["id"] == our_user_id
-
-
-# ---------------------------------------------------------------------------
-# Scenario: Audit trail completeness
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db
-class TestAuditTrailCompleteness:
-    """Every state-changing SCIM operation should produce at least one SCIMEvent."""
-
-    def test_all_operations_logged(
-        self, scim_client, scim_token, developer_role, organisation
-    ):
-        SCIMEvent.objects.filter(organisation=organisation).delete()
-
-        # Create user
-        user_resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(make_scim_user_payload("audit@example.com", "audit-ext")),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_user_id = user_resp.json()["id"]
-
-        # Create empty group, then add member via PATCH (to generate member_added event)
-        group_resp = scim_client.post(
-            GROUPS_URL,
-            data=json.dumps(make_scim_group_payload("Audit Team", "audit-grp-ext")),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_group_id = group_resp.json()["id"]
-
-        # Add member via PATCH (generates member_added event)
-        scim_client.patch(
-            f"{GROUPS_URL}/{scim_group_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Add", "path": "members", "value": [{"value": scim_user_id}]}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-
-        # Update user (PUT)
-        scim_client.put(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(make_scim_user_payload(
-                "audit@example.com", "audit-ext", display_name="Audit Updated"
-            )),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-
-        # Rename group
-        scim_client.patch(
-            f"{GROUPS_URL}/{scim_group_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Replace", "path": "displayName", "value": "Audit Team v2"}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-
-        # Remove user from group
-        scim_client.patch(
-            f"{GROUPS_URL}/{scim_group_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Remove", "path": f'members[value eq "{scim_user_id}"]'}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-
-        # Deactivate user
-        scim_client.patch(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Replace", "path": "active", "value": "False"}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-
-        # Reactivate user
-        scim_client.patch(
-            f"{USERS_URL}/{scim_user_id}",
-            data=json.dumps(make_patch_op([
-                {"op": "Replace", "path": "active", "value": "True"}
-            ])),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-
-        # Delete group
-        scim_client.delete(f"{GROUPS_URL}/{scim_group_id}")
-
-        # Delete user
-        scim_client.delete(f"{USERS_URL}/{scim_user_id}")
-
-        # Verify all event types were logged
-        event_types = set(
-            SCIMEvent.objects.filter(organisation=organisation)
-            .values_list("event_type", flat=True)
-        )
-        expected = {
-            "user_created",
-            "user_updated",
-            "user_deactivated",
-            "user_reactivated",
-            "group_created",
-            "group_updated",
-            "group_deleted",
-            "member_added",
-            "member_removed",
-        }
-        assert expected.issubset(event_types), f"Missing events: {expected - event_types}"
-
-        # Verify all events have required fields
-        for event in SCIMEvent.objects.filter(organisation=organisation):
-            assert event.scim_token is not None
-            assert event.event_type != ""
-            assert event.resource_type in ("user", "group")
-            assert event.request_method != ""
diff --git a/backend/tests/ee/authentication/scim/test_users.py b/backend/tests/ee/authentication/scim/test_users.py
index f0156addf..428162326 100644
--- a/backend/tests/ee/authentication/scim/test_users.py
+++ b/backend/tests/ee/authentication/scim/test_users.py
@@ -1,95 +1,142 @@
-"""Integration tests for SCIM /Users endpoints.
+"""Tests for SCIM /Users endpoints — fully mocked, no database.
 
 Covers: list, filter, create, get, replace (PUT), partial update (PATCH), delete.
-Tests both Entra ID and Okta payload formats where they diverge.
 """
 
 import json
+import uuid
+from unittest.mock import MagicMock, patch, PropertyMock
 
 import pytest
-
-from api.models import (
-    CustomUser,
-    OrganisationMember,
-    SCIMEvent,
-    SCIMUser,
-    TeamMembership,
-)
+from django.db import IntegrityError
 
 from .conftest import (
     SCIM_CONTENT_TYPE,
+    make_mock_organisation,
+    make_mock_scim_user,
     make_patch_op,
     make_scim_user_payload,
 )
 
 USERS_URL = "/scim/v2/Users"
 
+# Patch targets — where names are looked up in views/users.py
+_P = "ee.authentication.scim.views.users"
+
 
 def user_url(scim_user_id):
     return f"{USERS_URL}/{scim_user_id}"
 
 
+def _serialized_user(scim_user=None, **overrides):
+    """Return a fake serialized SCIM user dict for mocking serialize_scim_user."""
+    su = scim_user or make_mock_scim_user()
+    base = {
+        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+        "id": str(overrides.get("id", su.id)),
+        "externalId": overrides.get("external_id", su.external_id),
+        "userName": overrides.get("email", su.email),
+        "displayName": overrides.get("display_name", su.display_name),
+        "active": overrides.get("active", su.active),
+        "emails": [{"value": overrides.get("email", su.email), "type": "work", "primary": True}],
+        "name": su.scim_data.get("name", {}),
+        "meta": {
+            "resourceType": "User",
+            "created": "2025-01-01T00:00:00+00:00",
+            "lastModified": "2025-01-01T00:00:00+00:00",
+            "location": f"https://testserver/service/scim/v2/Users/{su.id}",
+        },
+    }
+    base.update({k: v for k, v in overrides.items() if k not in (
+        "id", "external_id", "email", "display_name", "active"
+    )})
+    return base
+
+
 # ---------------------------------------------------------------------------
 # List / Filter
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestListUsers:
 
-    def test_list_empty(self, scim_client, scim_token):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_list_empty(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        qs = MagicMock()
+        qs.count.return_value = 0
+        qs.__getitem__ = MagicMock(return_value=[])
+        MockSCIMUser.objects.filter.return_value.order_by.return_value = qs
+
         resp = scim_client.get(USERS_URL)
         assert resp.status_code == 200
         data = resp.json()
         assert data["totalResults"] == 0
         assert data["Resources"] == []
 
-    def test_list_returns_provisioned_users(self, scim_client, scim_user_alice, scim_user_bob):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_list_returns_provisioned_users(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+        bob = make_mock_scim_user(email="bob@example.com")
+
+        qs = MagicMock()
+        qs.count.return_value = 2
+        qs.__getitem__ = MagicMock(return_value=[alice, bob])
+        MockSCIMUser.objects.filter.return_value.order_by.return_value = qs
+
+        mock_serialize.side_effect = [
+            _serialized_user(alice),
+            _serialized_user(bob),
+        ]
+
         resp = scim_client.get(USERS_URL)
         assert resp.status_code == 200
         data = resp.json()
         assert data["totalResults"] == 2
-        emails = {r["userName"] for r in data["Resources"]}
-        assert emails == {"alice@example.com", "bob@example.com"}
+        assert len(data["Resources"]) == 2
 
-    def test_list_pagination_count(self, scim_client, scim_user_alice, scim_user_bob):
-        """count parameter limits the number of returned resources."""
-        resp = scim_client.get(USERS_URL, {"startIndex": 1, "count": 1})
-        data = resp.json()
-        assert data["totalResults"] == 2
-        assert len(data["Resources"]) == 1
-        assert data["startIndex"] == 1
-        assert data["itemsPerPage"] == 1
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.scim_filter_to_queryset")
+    @patch(f"{_P}.SCIMUser")
+    def test_filter_by_username(self, MockSCIMUser, mock_filter_qs, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
 
-    def test_filter_by_username(self, scim_client, scim_user_alice, scim_user_bob):
-        resp = scim_client.get(
-            USERS_URL, {"filter": 'userName eq "alice@example.com"'}
-        )
-        data = resp.json()
-        assert data["totalResults"] == 1
-        assert data["Resources"][0]["userName"] == "alice@example.com"
+        qs = MagicMock()
+        MockSCIMUser.objects.filter.return_value.order_by.return_value = qs
 
-    def test_filter_by_external_id(self, scim_client, scim_user_alice):
-        resp = scim_client.get(
-            USERS_URL, {"filter": 'externalId eq "alice-ext-id"'}
-        )
-        data = resp.json()
-        assert data["totalResults"] == 1
-        assert data["Resources"][0]["externalId"] == "alice-ext-id"
+        filtered_qs = MagicMock()
+        filtered_qs.count.return_value = 1
+        filtered_qs.__getitem__ = MagicMock(return_value=[alice])
+        mock_filter_qs.return_value = filtered_qs
 
-    def test_filter_case_insensitive_email(self, scim_client, scim_user_alice):
-        resp = scim_client.get(
-            USERS_URL, {"filter": 'userName eq "ALICE@EXAMPLE.COM"'}
-        )
+        mock_serialize.return_value = _serialized_user(alice)
+
+        resp = scim_client.get(USERS_URL, {"filter": 'userName eq "alice@example.com"'})
+        assert resp.status_code == 200
         data = resp.json()
         assert data["totalResults"] == 1
 
-    def test_filter_no_match(self, scim_client, scim_user_alice):
-        resp = scim_client.get(
-            USERS_URL, {"filter": 'userName eq "nobody@example.com"'}
-        )
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_list_pagination_count(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+
+        qs = MagicMock()
+        qs.count.return_value = 2
+        qs.__getitem__ = MagicMock(return_value=[alice])
+        MockSCIMUser.objects.filter.return_value.order_by.return_value = qs
+
+        mock_serialize.return_value = _serialized_user(alice)
+
+        resp = scim_client.get(USERS_URL, {"startIndex": 1, "count": 1})
         data = resp.json()
-        assert data["totalResults"] == 0
+        assert data["totalResults"] == 2
+        assert data["itemsPerPage"] == 1
 
 
 # ---------------------------------------------------------------------------
@@ -97,10 +144,17 @@ def test_filter_no_match(self, scim_client, scim_user_alice):
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestCreateUser:
 
-    def test_create_new_user(self, scim_client, scim_token, developer_role):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
+    def test_create_new_user(self, mock_quota, mock_provision, mock_serialize, mock_log, scim_client):
+        scim_user = make_mock_scim_user(email="carol@example.com", external_id="carol-ext-id")
+        mock_provision.return_value = scim_user
+        mock_serialize.return_value = _serialized_user(scim_user)
+
         payload = make_scim_user_payload("carol@example.com", "carol-ext-id")
         resp = scim_client.post(
             USERS_URL,
@@ -109,65 +163,40 @@ def test_create_new_user(self, scim_client, scim_token, developer_role):
         )
         assert resp.status_code == 201
         data = resp.json()
-
         assert data["userName"] == "carol@example.com"
-        assert data["externalId"] == "carol-ext-id"
-        assert data["active"] is True
-        assert "meta" in data
-        assert "/scim/v2/Users/" in data["meta"]["location"]
-
-        # Verify DB state
-        scim_user = SCIMUser.objects.get(id=data["id"])
-        assert scim_user.email == "carol@example.com"
-        assert scim_user.active is True
-        assert scim_user.user is not None
-        assert scim_user.org_member is not None
-        assert scim_user.org_member.deleted_at is None
-
-    def test_create_user_links_existing_custom_user(
-        self, scim_client, scim_token, developer_role, db
+        mock_provision.assert_called_once()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
+    def test_create_user_calls_provision_with_correct_args(
+        self, mock_quota, mock_provision, mock_serialize, mock_log, scim_client, mock_organisation
     ):
-        """If a CustomUser with the same email already exists, link to it."""
-        existing = CustomUser.objects.create(
-            username="existing@example.com", email="existing@example.com"
-        )
-        payload = make_scim_user_payload("existing@example.com", "existing-ext-id")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 201
-        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
-        assert str(scim_user.user.userId) == str(existing.userId)
-
-    def test_create_user_no_identity_key(self, scim_client, scim_token, developer_role):
-        """SCIM-provisioned users should have empty identity_key (pending setup)."""
-        payload = make_scim_user_payload("pending@example.com", "pending-ext-id")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
-        assert scim_user.org_member.identity_key == ""
+        scim_user = make_mock_scim_user(email="test@example.com")
+        mock_provision.return_value = scim_user
+        mock_serialize.return_value = _serialized_user(scim_user)
 
-    def test_create_user_default_developer_role(
-        self, scim_client, scim_token, developer_role
-    ):
-        payload = make_scim_user_payload("dev@example.com", "dev-ext-id")
+        payload = make_scim_user_payload("test@example.com", "test-ext-id", display_name="Test User")
         resp = scim_client.post(
             USERS_URL,
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
-        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
-        assert scim_user.org_member.role.name == "Developer"
-
-    def test_create_duplicate_external_id_returns_409(
-        self, scim_client, scim_user_alice
-    ):
-        payload = make_scim_user_payload("different@example.com", "alice-ext-id")
+        assert resp.status_code == 201
+        call_kwargs = mock_provision.call_args
+        assert call_kwargs[1]["email"] == "test@example.com"
+        assert call_kwargs[1]["external_id"] == "test-ext-id"
+        assert call_kwargs[1]["display_name"] == "Test User"
+        assert call_kwargs[1]["scim_data"] == payload
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
+    def test_create_duplicate_returns_409(self, mock_quota, mock_provision, mock_log, scim_client):
+        mock_provision.side_effect = IntegrityError("duplicate key")
+
+        payload = make_scim_user_payload("dup@example.com", "dup-ext-id")
         resp = scim_client.post(
             USERS_URL,
             data=json.dumps(payload),
@@ -176,17 +205,13 @@ def test_create_duplicate_external_id_returns_409(
         assert resp.status_code == 409
         assert "uniqueness" in resp.json().get("scimType", "")
 
-    def test_create_duplicate_email_returns_409(self, scim_client, scim_user_alice):
-        payload = make_scim_user_payload("alice@example.com", "new-ext-id")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 409
-
-    def test_create_missing_username_returns_400(self, scim_client, scim_token):
-        payload = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "externalId": "x"}
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.can_add_account", return_value=True)
+    def test_create_missing_username_returns_400(self, mock_quota, mock_log, scim_client):
+        payload = {
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+            "externalId": "x",
+        }
         resp = scim_client.post(
             USERS_URL,
             data=json.dumps(payload),
@@ -194,7 +219,9 @@ def test_create_missing_username_returns_400(self, scim_client, scim_token):
         )
         assert resp.status_code == 400
 
-    def test_create_missing_external_id_returns_400(self, scim_client, scim_token):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.can_add_account", return_value=True)
+    def test_create_missing_external_id_returns_400(self, mock_quota, mock_log, scim_client):
         payload = {
             "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
             "userName": "test@example.com",
@@ -206,53 +233,63 @@ def test_create_missing_external_id_returns_400(self, scim_client, scim_token):
         )
         assert resp.status_code == 400
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
     def test_create_user_with_active_false(
-        self, scim_client, scim_token, developer_role
+        self, mock_quota, mock_provision, mock_deactivate, mock_serialize, mock_log, scim_client
     ):
-        """Creating a user with active=false should provision then immediately deactivate."""
-        payload = make_scim_user_payload(
-            "inactive@example.com", "inactive-ext-id", active=False
-        )
+        scim_user = make_mock_scim_user(email="inactive@example.com", active=False)
+        mock_provision.return_value = scim_user
+        mock_serialize.return_value = _serialized_user(scim_user, active=False)
+
+        payload = make_scim_user_payload("inactive@example.com", "inactive-ext", active=False)
         resp = scim_client.post(
             USERS_URL,
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        scim_user = SCIMUser.objects.get(id=resp.json()["id"])
-        assert scim_user.active is False
-        assert scim_user.org_member.deleted_at is not None
+        mock_deactivate.assert_called_once_with(scim_user)
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
+    def test_create_user_logs_event(
+        self, mock_quota, mock_provision, mock_serialize, mock_log, scim_client
+    ):
+        scim_user = make_mock_scim_user(email="logged@example.com")
+        mock_provision.return_value = scim_user
+        mock_serialize.return_value = _serialized_user(scim_user)
 
-    def test_create_user_logs_event(self, scim_client, scim_token, developer_role):
-        payload = make_scim_user_payload("logged@example.com", "logged-ext-id")
+        payload = make_scim_user_payload("logged@example.com", "logged-ext")
         resp = scim_client.post(
             USERS_URL,
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        event = SCIMEvent.objects.filter(event_type="user_created", status="success").first()
-        assert event is not None
-        assert event.resource_name == "logged@example.com"
-        assert event.response_status == 201
-
-    @pytest.mark.django_db(transaction=True)
-    def test_create_duplicate_logs_error_event(self, scim_client, scim_user_alice):
-        payload = make_scim_user_payload("alice@example.com", "alice-ext-id")
-        resp = scim_client.post(
-            USERS_URL,
-            data=json.dumps(payload),
-            content_type=SCIM_CONTENT_TYPE,
-        )
-        assert resp.status_code == 409
-        event = SCIMEvent.objects.filter(event_type="user_created", status="error").first()
-        assert event is not None
-        assert event.response_status == 409
-
+        mock_log.assert_called()
+        # The final log call should have event_type="user_created" and response_status=201
+        final_call = mock_log.call_args_list[-1]
+        assert final_call[0][1] == "user_created"
+        assert final_call[1]["response_status"] == 201
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
     def test_create_user_display_name_from_name_parts(
-        self, scim_client, scim_token, developer_role
+        self, mock_quota, mock_provision, mock_serialize, mock_log, scim_client
     ):
-        """If displayName is missing, build it from givenName + familyName."""
+        """If displayName is missing, _extract_user_fields builds it from name parts."""
+        scim_user = make_mock_scim_user(email="nodisp@example.com", display_name="Jane Doe")
+        mock_provision.return_value = scim_user
+        mock_serialize.return_value = _serialized_user(scim_user, display_name="Jane Doe")
+
         payload = {
             "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
             "externalId": "nodisp-ext",
@@ -266,12 +303,21 @@ def test_create_user_display_name_from_name_parts(
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        assert resp.json()["displayName"] == "Jane Doe"
+        call_kwargs = mock_provision.call_args[1]
+        assert call_kwargs["display_name"] == "Jane Doe"
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.provision_scim_user")
+    @patch(f"{_P}.can_add_account", return_value=True)
     def test_create_user_email_from_emails_array(
-        self, scim_client, scim_token, developer_role
+        self, mock_quota, mock_provision, mock_serialize, mock_log, scim_client
     ):
-        """If userName is empty, fall back to emails array."""
+        """If userName is empty, falls back to emails array."""
+        scim_user = make_mock_scim_user(email="fallback@example.com")
+        mock_provision.return_value = scim_user
+        mock_serialize.return_value = _serialized_user(scim_user, email="fallback@example.com")
+
         payload = {
             "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
             "externalId": "emails-ext",
@@ -285,7 +331,19 @@ def test_create_user_email_from_emails_array(
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 201
-        assert resp.json()["userName"] == "fallback@example.com"
+        call_kwargs = mock_provision.call_args[1]
+        assert call_kwargs["email"] == "fallback@example.com"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.can_add_account", return_value=False)
+    def test_create_user_seat_limit_returns_403(self, mock_quota, mock_log, scim_client):
+        payload = make_scim_user_payload("over@example.com", "over-ext")
+        resp = scim_client.post(
+            USERS_URL,
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 403
 
 
 # ---------------------------------------------------------------------------
@@ -293,423 +351,564 @@ def test_create_user_email_from_emails_array(
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestGetUser:
 
-    def test_get_existing_user(self, scim_client, scim_user_alice):
-        resp = scim_client.get(user_url(scim_user_alice.id))
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_get_existing_user(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", id="alice-id")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice)
+
+        resp = scim_client.get(user_url("alice-id"))
         assert resp.status_code == 200
         data = resp.json()
-        assert data["id"] == str(scim_user_alice.id)
-        assert data["userName"] == "alice@example.com"
-        assert data["active"] is True
-        assert "/scim/v2/Users/" in data["meta"]["location"]
+        assert data["id"] == str(alice.id)
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMUser")
+    def test_get_nonexistent_user(self, MockSCIMUser, mock_log, scim_client):
+        MockSCIMUser.DoesNotExist = Exception
+        MockSCIMUser.objects.select_related.return_value.get.side_effect = Exception("not found")
 
-    def test_get_nonexistent_user(self, scim_client, scim_token):
         resp = scim_client.get(user_url("nonexistent-id"))
         assert resp.status_code == 404
 
-    def test_get_user_includes_name(self, scim_client, scim_user_alice):
-        resp = scim_client.get(user_url(scim_user_alice.id))
-        data = resp.json()
-        assert "name" in data
-        assert data["name"]["givenName"] == "Alice"
-
-    def test_get_user_includes_emails(self, scim_client, scim_user_alice):
-        resp = scim_client.get(user_url(scim_user_alice.id))
-        data = resp.json()
-        assert len(data["emails"]) == 1
-        assert data["emails"][0]["value"] == "alice@example.com"
-        assert data["emails"][0]["primary"] is True
-
 
 # ---------------------------------------------------------------------------
-# Replace (PUT — Okta's primary method)
+# Replace (PUT)
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestReplaceUser:
 
-    def test_update_display_name_via_put(self, scim_client, scim_user_alice):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_update_display_name_via_put(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", display_name="Alice Test")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, display_name="Alice Updated")
+
         payload = make_scim_user_payload(
-            "alice@example.com",
-            "alice-ext-id",
+            "alice@example.com", "alice-ext-id",
             display_name="Alice Updated",
-            given_name="Alice",
-            family_name="Updated",
         )
         resp = scim_client.put(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
         assert resp.json()["displayName"] == "Alice Updated"
-
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.display_name == "Alice Updated"
-
-    def test_deactivate_via_put_okta_style(self, scim_client, scim_user_alice):
-        """Okta sends PUT with active:false to deactivate users."""
-        payload = make_scim_user_payload(
-            "alice@example.com", "alice-ext-id", active=False
-        )
+        assert alice.display_name == "Alice Updated"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_deactivate_via_put(self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
+
+        payload = make_scim_user_payload("alice@example.com", "alice-ext-id", active=False)
         resp = scim_client.put(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
         assert resp.json()["active"] is False
+        mock_deactivate.assert_called_once_with(alice)
 
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is False
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is not None
-
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
     def test_deactivate_via_put_logs_correct_event_type(
-        self, scim_client, scim_user_alice
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
     ):
-        """PUT deactivation must log 'user_deactivated', not 'user_updated'."""
-        payload = make_scim_user_payload(
-            "alice@example.com", "alice-ext-id", active=False
-        )
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
+
+        payload = make_scim_user_payload("alice@example.com", "alice-ext-id", active=False)
         scim_client.put(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
-        event = SCIMEvent.objects.filter(
-            resource_id=str(scim_user_alice.id)
-        ).order_by("-timestamp").first()
-        assert event.event_type == "user_deactivated"
+        log_call = mock_log.call_args_list[-1]
+        assert log_call[0][1] == "user_deactivated"
 
-    def test_reactivate_via_put(self, scim_client, scim_user_alice):
-        """PUT with active:true should reactivate a deactivated user."""
-        # First deactivate
-        from ee.authentication.scim.utils import deactivate_scim_user
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.reactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_reactivate_via_put(self, MockSCIMUser, mock_reactivate, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", active=False)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=True)
 
-        deactivate_scim_user(scim_user_alice)
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is False
-
-        # Reactivate via PUT
-        payload = make_scim_user_payload(
-            "alice@example.com", "alice-ext-id", active=True
-        )
+        payload = make_scim_user_payload("alice@example.com", "alice-ext-id", active=True)
         resp = scim_client.put(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
         assert resp.json()["active"] is True
+        mock_reactivate.assert_called_once_with(alice)
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.reactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_reactivate_via_put_logs_correct_event_type(
+        self, MockSCIMUser, mock_reactivate, mock_serialize, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=False)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=True)
 
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is True
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is None
-
-    def test_reactivate_via_put_logs_correct_event_type(self, scim_client, scim_user_alice):
-        from ee.authentication.scim.utils import deactivate_scim_user
-
-        deactivate_scim_user(scim_user_alice)
         payload = make_scim_user_payload("alice@example.com", "alice-ext-id", active=True)
         scim_client.put(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
-        event = SCIMEvent.objects.filter(
-            resource_id=str(scim_user_alice.id), event_type="user_reactivated"
-        ).first()
-        assert event is not None
+        log_call = mock_log.call_args_list[-1]
+        assert log_call[0][1] == "user_reactivated"
 
-    def test_update_email_via_put(self, scim_client, scim_user_alice):
-        payload = make_scim_user_payload(
-            "alice-new@example.com", "alice-ext-id"
-        )
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_update_email_via_put(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, email="alice-new@example.com")
+
+        payload = make_scim_user_payload("alice-new@example.com", "alice-ext-id")
         resp = scim_client.put(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.email == "alice-new@example.com"
-        scim_user_alice.user.refresh_from_db()
-        assert scim_user_alice.user.email == "alice-new@example.com"
+        assert alice.email == "alice-new@example.com"
+        alice.user.save.assert_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMUser")
+    def test_put_nonexistent_user_returns_404(self, MockSCIMUser, mock_log, scim_client):
+        MockSCIMUser.DoesNotExist = Exception
+        MockSCIMUser.objects.select_related.return_value.get.side_effect = Exception("not found")
+
+        payload = make_scim_user_payload("nobody@example.com", "nobody-ext")
+        resp = scim_client.put(
+            user_url("nonexistent"),
+            data=json.dumps(payload),
+            content_type=SCIM_CONTENT_TYPE,
+        )
+        assert resp.status_code == 404
 
 
 # ---------------------------------------------------------------------------
-# Partial update (PATCH — Entra ID's primary method)
+# Partial update (PATCH)
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestPatchUser:
 
-    def test_deactivate_via_patch_entra_style(self, scim_client, scim_user_alice):
-        """Entra ID sends PATCH with Replace active=False."""
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_deactivate_via_patch_entra_style(
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
+
         payload = make_patch_op([
             {"op": "Replace", "path": "active", "value": "False"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
         assert resp.json()["active"] is False
+        mock_deactivate.assert_called_once_with(alice)
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_deactivate_via_patch_bool_value(
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
 
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is False
-
-    def test_deactivate_via_patch_bool_value(self, scim_client, scim_user_alice):
-        """Some IdPs send boolean false instead of string 'False'."""
         payload = make_patch_op([
             {"op": "Replace", "path": "active", "value": False},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert resp.json()["active"] is False
+        mock_deactivate.assert_called_once()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_deactivate_via_patch_valueless_replace(
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
+    ):
+        """Valueless replace with value as a dict."""
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
 
-    def test_deactivate_via_patch_valueless_replace(self, scim_client, scim_user_alice):
-        """Some IdPs send replace without path, with value as a dict."""
         payload = make_patch_op([
             {"op": "Replace", "value": {"active": False}},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert resp.json()["active"] is False
+        mock_deactivate.assert_called_once()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_deactivate_via_patch_valueless_string_active(
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
 
-    def test_deactivate_via_patch_valueless_string_active(self, scim_client, scim_user_alice):
-        """Valueless replace with string 'false'."""
         payload = make_patch_op([
             {"op": "Replace", "value": {"active": "false"}},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert resp.json()["active"] is False
-
-    def test_reactivate_via_patch(self, scim_client, scim_user_alice):
-        from ee.authentication.scim.utils import deactivate_scim_user
-
-        deactivate_scim_user(scim_user_alice)
+        mock_deactivate.assert_called_once()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.reactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_reactivate_via_patch(
+        self, MockSCIMUser, mock_reactivate, mock_serialize, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=False)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=True)
 
         payload = make_patch_op([
             {"op": "Replace", "path": "active", "value": "True"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
         assert resp.json()["active"] is True
+        mock_reactivate.assert_called_once_with(alice)
 
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is True
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is None
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_patch_username(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, email="alice-renamed@example.com")
 
-    def test_patch_username(self, scim_client, scim_user_alice):
         payload = make_patch_op([
             {"op": "Replace", "path": "userName", "value": "alice-renamed@example.com"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.email == "alice-renamed@example.com"
+        assert alice.email == "alice-renamed@example.com"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_patch_display_name(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", display_name="Alice Test")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, display_name="Alice Wonderland")
 
-    def test_patch_display_name(self, scim_client, scim_user_alice):
         payload = make_patch_op([
             {"op": "Replace", "path": "displayName", "value": "Alice Wonderland"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.display_name == "Alice Wonderland"
+        assert alice.display_name == "Alice Wonderland"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_patch_name_given_name(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(
+            email="alice@example.com",
+            scim_data={"name": {"givenName": "Alice", "familyName": "Test"}},
+        )
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice)
 
-    def test_patch_name_given_name(self, scim_client, scim_user_alice):
         payload = make_patch_op([
             {"op": "Replace", "path": "name.givenName", "value": "Alicia"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_user_alice.refresh_from_db()
-        assert "Alicia" in scim_user_alice.display_name
+        assert "Alicia" in alice.display_name
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_patch_name_family_name(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(
+            email="alice@example.com",
+            scim_data={"name": {"givenName": "Alice", "familyName": "Test"}},
+        )
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice)
 
-    def test_patch_name_family_name(self, scim_client, scim_user_alice):
         payload = make_patch_op([
             {"op": "Replace", "path": "name.familyName", "value": "Wonderland"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        scim_user_alice.refresh_from_db()
-        assert "Wonderland" in scim_user_alice.display_name
+        assert "Wonderland" in alice.display_name
 
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
     def test_patch_deactivate_logs_correct_event_type(
-        self, scim_client, scim_user_alice
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
     ):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
+
         payload = make_patch_op([
             {"op": "Replace", "path": "active", "value": "False"},
         ])
         scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
-        event = SCIMEvent.objects.filter(
-            resource_id=str(scim_user_alice.id), event_type="user_deactivated"
-        ).first()
-        assert event is not None
+        log_call = mock_log.call_args_list[-1]
+        assert log_call[0][1] == "user_deactivated"
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMUser")
+    def test_patch_no_operations_returns_400(self, MockSCIMUser, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
 
-    def test_patch_no_operations_returns_400(self, scim_client, scim_user_alice):
         payload = {
             "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
             "Operations": [],
         }
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 400
 
-    def test_patch_entra_multi_op(self, scim_client, scim_user_alice):
-        """Entra often sends multiple operations in a single PATCH (e.g. active + title)."""
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_patch_entra_multi_op(
+        self, MockSCIMUser, mock_deactivate, mock_serialize, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice, active=False)
+
         payload = make_patch_op([
             {"op": "Replace", "path": "active", "value": "False"},
             {"op": "Add", "path": "title", "value": "Engineer"},
         ])
         resp = scim_client.patch(
-            user_url(scim_user_alice.id),
+            user_url(alice.id),
             data=json.dumps(payload),
             content_type=SCIM_CONTENT_TYPE,
         )
         assert resp.status_code == 200
-        assert resp.json()["active"] is False
+        mock_deactivate.assert_called_once()
 
 
 # ---------------------------------------------------------------------------
-# Delete (DELETE — hard-delete from some IdPs)
+# Delete (DELETE)
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestDeleteUser:
 
-    def test_delete_returns_204(self, scim_client, scim_user_alice):
-        resp = scim_client.delete(user_url(scim_user_alice.id))
-        assert resp.status_code == 204
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_delete_returns_204(self, MockSCIMUser, mock_deactivate, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
 
-    def test_delete_deactivates_user(self, scim_client, scim_user_alice):
-        scim_client.delete(user_url(scim_user_alice.id))
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is False
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is not None
+        resp = scim_client.delete(user_url(alice.id))
+        assert resp.status_code == 204
 
-    def test_delete_already_inactive_is_idempotent(self, scim_client, scim_user_alice):
-        from ee.authentication.scim.utils import deactivate_scim_user
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_delete_calls_deactivate(self, MockSCIMUser, mock_deactivate, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+
+        scim_client.delete(user_url(alice.id))
+        mock_deactivate.assert_called_once_with(alice)
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_delete_already_inactive_skips_deactivate(
+        self, MockSCIMUser, mock_deactivate, mock_log, scim_client
+    ):
+        alice = make_mock_scim_user(email="alice@example.com", active=False)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
 
-        deactivate_scim_user(scim_user_alice)
-        resp = scim_client.delete(user_url(scim_user_alice.id))
+        resp = scim_client.delete(user_url(alice.id))
         assert resp.status_code == 204
+        mock_deactivate.assert_not_called()
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.deactivate_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_delete_logs_event(self, MockSCIMUser, mock_deactivate, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com", active=True)
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+
+        scim_client.delete(user_url(alice.id))
+        mock_log.assert_called()
+        log_call = mock_log.call_args_list[-1]
+        assert log_call[0][1] == "user_deactivated"
+        assert log_call[1]["response_status"] == 204
+
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMUser")
+    def test_delete_nonexistent_returns_404(self, MockSCIMUser, mock_log, scim_client):
+        MockSCIMUser.DoesNotExist = Exception
+        MockSCIMUser.objects.select_related.return_value.get.side_effect = Exception("not found")
 
-    def test_delete_logs_event(self, scim_client, scim_user_alice):
-        scim_client.delete(user_url(scim_user_alice.id))
-        event = SCIMEvent.objects.filter(
-            event_type="user_deactivated",
-            resource_id=str(scim_user_alice.id),
-        ).first()
-        assert event is not None
-        assert event.response_status == 204
-
-    def test_delete_nonexistent_returns_404(self, scim_client, scim_token):
         resp = scim_client.delete(user_url("nonexistent-id"))
         assert resp.status_code == 404
 
-    def test_delete_clears_team_memberships(
-        self, scim_client, scim_user_alice, scim_group_engineering
-    ):
-        """Deleting a user should revoke keys and remove all team memberships."""
-        assert TeamMembership.objects.filter(
-            org_member=scim_user_alice.org_member
-        ).exists()
-
-        scim_client.delete(user_url(scim_user_alice.id))
-
-        assert not TeamMembership.objects.filter(
-            org_member=scim_user_alice.org_member
-        ).exists()
-
-    def test_delete_wipes_crypto_material(self, scim_client, scim_user_alice):
-        # Give the user some crypto material first
-        scim_user_alice.org_member.identity_key = "test-key"
-        scim_user_alice.org_member.wrapped_keyring = "test-keyring"
-        scim_user_alice.org_member.wrapped_recovery = "test-recovery"
-        scim_user_alice.org_member.save()
-
-        scim_client.delete(user_url(scim_user_alice.id))
-
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.identity_key == ""
-        assert scim_user_alice.org_member.wrapped_keyring == ""
-        assert scim_user_alice.org_member.wrapped_recovery == ""
-
 
 # ---------------------------------------------------------------------------
-# SCIM response format validation
+# Response format validation
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestUserResponseFormat:
 
-    def test_response_contains_schemas(self, scim_client, scim_user_alice):
-        resp = scim_client.get(user_url(scim_user_alice.id))
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_response_contains_schemas(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice)
+
+        resp = scim_client.get(user_url(alice.id))
         data = resp.json()
         assert "schemas" in data
         assert "urn:ietf:params:scim:schemas:core:2.0:User" in data["schemas"]
 
-    def test_response_meta_location_format(self, scim_client, scim_user_alice):
-        resp = scim_client.get(user_url(scim_user_alice.id))
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_response_meta_location_format(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        alice = make_mock_scim_user(email="alice@example.com")
+        MockSCIMUser.objects.select_related.return_value.get.return_value = alice
+        MockSCIMUser.DoesNotExist = Exception
+        mock_serialize.return_value = _serialized_user(alice)
+
+        resp = scim_client.get(user_url(alice.id))
         location = resp.json()["meta"]["location"]
-        assert location.startswith("https://")
         assert "/service/scim/v2/Users/" in location
 
-    def test_list_response_format(self, scim_client, scim_user_alice):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.serialize_scim_user")
+    @patch(f"{_P}.SCIMUser")
+    def test_list_response_format(self, MockSCIMUser, mock_serialize, mock_log, scim_client):
+        qs = MagicMock()
+        qs.count.return_value = 0
+        qs.__getitem__ = MagicMock(return_value=[])
+        MockSCIMUser.objects.filter.return_value.order_by.return_value = qs
+
         resp = scim_client.get(USERS_URL)
         data = resp.json()
         assert "urn:ietf:params:scim:api:messages:2.0:ListResponse" in data["schemas"]
@@ -718,7 +917,12 @@ def test_list_response_format(self, scim_client, scim_user_alice):
         assert "itemsPerPage" in data
         assert "Resources" in data
 
-    def test_error_response_format(self, scim_client, scim_token):
+    @patch(f"{_P}.log_scim_event")
+    @patch(f"{_P}.SCIMUser")
+    def test_error_response_format(self, MockSCIMUser, mock_log, scim_client):
+        MockSCIMUser.DoesNotExist = Exception
+        MockSCIMUser.objects.select_related.return_value.get.side_effect = Exception("not found")
+
         resp = scim_client.get(user_url("nonexistent"))
         data = resp.json()
         assert "urn:ietf:params:scim:api:messages:2.0:Error" in data["schemas"]
diff --git a/backend/tests/ee/authentication/scim/test_utils.py b/backend/tests/ee/authentication/scim/test_utils.py
index f95e4419a..c0313135d 100644
--- a/backend/tests/ee/authentication/scim/test_utils.py
+++ b/backend/tests/ee/authentication/scim/test_utils.py
@@ -1,23 +1,17 @@
-"""Tests for SCIM provisioning utility functions.
+"""Tests for SCIM provisioning utility functions — fully mocked, no database.
 
 Covers: provision_scim_user, deactivate_scim_user, reactivate_scim_user.
 """
 
+from unittest.mock import MagicMock, call, patch
+
 import pytest
 from django.utils import timezone
 
-from api.models import (
-    CustomUser,
-    OrganisationMember,
-    SCIMUser,
-    Team,
-    TeamMembership,
-)
-from ee.authentication.scim.utils import (
-    deactivate_scim_user,
-    provision_scim_user,
-    reactivate_scim_user,
-)
+from .conftest import make_mock_org_member, make_mock_organisation, make_mock_scim_user, make_mock_user
+
+# Patch targets — where names are looked up in utils.py
+_P = "ee.authentication.scim.utils"
 
 
 # ---------------------------------------------------------------------------
@@ -25,99 +19,207 @@
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestProvisionScimUser:
 
-    def test_creates_new_user_and_org_member(self, organisation, developer_role):
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="new-ext-1",
-            email="newuser@example.com",
-            display_name="New User",
-        )
-        assert scim_user.email == "newuser@example.com"
-        assert scim_user.active is True
-        assert scim_user.user is not None
-        assert scim_user.org_member is not None
-        assert scim_user.org_member.role.name == "Developer"
-
-    def test_new_user_has_unusable_password(self, organisation, developer_role):
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="pwd-ext",
-            email="nopwd@example.com",
-            display_name="No Pwd",
-        )
-        assert scim_user.user.has_usable_password() is False
-
-    def test_new_user_has_empty_crypto_material(self, organisation, developer_role):
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="crypto-ext",
-            email="crypto@example.com",
-            display_name="Crypto Test",
-        )
-        assert scim_user.org_member.identity_key == ""
-        assert scim_user.org_member.wrapped_keyring == ""
-        assert scim_user.org_member.wrapped_recovery == ""
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_creates_new_user_and_org_member(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
 
-    def test_email_normalized_to_lowercase(self, organisation, developer_role):
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="case-ext",
-            email="UPPER@EXAMPLE.COM",
-            display_name="Case Test",
-        )
-        assert scim_user.email == "upper@example.com"
+        org = make_mock_organisation()
+        role = MagicMock(name="Developer")
+        MockRole.objects.get.return_value = role
+        MockCustomUser.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.filter.return_value.first.return_value = None
 
-    def test_links_existing_custom_user(self, organisation, developer_role):
-        existing_user = CustomUser.objects.create(
-            username="existing@example.com",
-            email="existing@example.com",
-        )
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="existing-ext",
-            email="existing@example.com",
-            display_name="Existing",
-        )
-        assert str(scim_user.user.userId) == str(existing_user.userId)
-        # Should not create a duplicate CustomUser
-        assert CustomUser.objects.filter(email="existing@example.com").count() == 1
+        new_user = make_mock_user(email="new@example.com")
+        MockCustomUser.objects.create.return_value = new_user
 
-    def test_reactivates_soft_deleted_org_member(self, organisation, developer_role):
-        user = CustomUser.objects.create(
-            username="softdel@example.com", email="softdel@example.com"
-        )
-        org_member = OrganisationMember.objects.create(
-            user=user,
-            organisation=organisation,
-            role=developer_role,
-            identity_key="old-key",
-            wrapped_keyring="old-keyring",
-            wrapped_recovery="old-recovery",
-            deleted_at=timezone.now(),
+        new_member = make_mock_org_member(user=new_user, organisation=org)
+        MockOrgMember.objects.create.return_value = new_member
+
+        scim_user = MagicMock()
+        MockSCIMUser.objects.create.return_value = scim_user
+
+        result = provision_scim_user(org, "ext-1", "new@example.com", "New User")
+
+        assert result is scim_user
+        MockCustomUser.objects.create.assert_called_once_with(
+            username="new@example.com", email="new@example.com"
         )
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="softdel-ext",
-            email="softdel@example.com",
-            display_name="Soft Deleted",
+        MockOrgMember.objects.create.assert_called_once()
+        MockSCIMUser.objects.create.assert_called_once()
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_new_user_has_unusable_password(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        MockRole.objects.get.return_value = MagicMock()
+        MockCustomUser.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.filter.return_value.first.return_value = None
+
+        new_user = make_mock_user()
+        MockCustomUser.objects.create.return_value = new_user
+        MockOrgMember.objects.create.return_value = make_mock_org_member()
+        MockSCIMUser.objects.create.return_value = MagicMock()
+
+        provision_scim_user(org, "ext", "test@example.com", "Test")
+
+        new_user.set_unusable_password.assert_called_once()
+        new_user.save.assert_called_once()
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_new_user_has_empty_crypto_material(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        MockRole.objects.get.return_value = MagicMock()
+        MockCustomUser.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.filter.return_value.first.return_value = None
+
+        MockCustomUser.objects.create.return_value = make_mock_user()
+        MockOrgMember.objects.create.return_value = make_mock_org_member()
+        MockSCIMUser.objects.create.return_value = MagicMock()
+
+        provision_scim_user(org, "ext", "test@example.com", "Test")
+
+        create_kwargs = MockOrgMember.objects.create.call_args
+        assert create_kwargs[1]["identity_key"] == ""
+        assert create_kwargs[1]["wrapped_keyring"] == ""
+        assert create_kwargs[1]["wrapped_recovery"] == ""
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_email_normalized_to_lowercase(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        MockRole.objects.get.return_value = MagicMock()
+        MockCustomUser.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.filter.return_value.first.return_value = None
+        MockCustomUser.objects.create.return_value = make_mock_user()
+        MockOrgMember.objects.create.return_value = make_mock_org_member()
+        MockSCIMUser.objects.create.return_value = MagicMock()
+
+        provision_scim_user(org, "ext", "UPPER@EXAMPLE.COM", "Test")
+
+        create_kwargs = MockSCIMUser.objects.create.call_args
+        assert create_kwargs[1]["email"] == "upper@example.com"
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_links_existing_custom_user(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        MockRole.objects.get.return_value = MagicMock()
+
+        existing_user = make_mock_user(email="existing@example.com")
+        MockCustomUser.objects.filter.return_value.first.return_value = existing_user
+        MockOrgMember.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.create.return_value = make_mock_org_member(user=existing_user)
+        MockSCIMUser.objects.create.return_value = MagicMock()
+
+        provision_scim_user(org, "ext", "existing@example.com", "Existing")
+
+        MockCustomUser.objects.create.assert_not_called()
+        scim_create_kwargs = MockSCIMUser.objects.create.call_args[1]
+        assert scim_create_kwargs["user"] is existing_user
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_reactivates_soft_deleted_org_member(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        MockRole.objects.get.return_value = MagicMock()
+
+        existing_user = make_mock_user(email="softdel@example.com")
+        MockCustomUser.objects.filter.return_value.first.return_value = existing_user
+
+        soft_deleted_member = make_mock_org_member(
+            user=existing_user, organisation=org, deleted_at=timezone.now()
         )
-        assert str(scim_user.org_member.id) == str(org_member.id)
-        org_member.refresh_from_db()
-        assert org_member.deleted_at is None
+        MockOrgMember.objects.filter.return_value.first.return_value = soft_deleted_member
+        MockSCIMUser.objects.create.return_value = MagicMock()
+
+        provision_scim_user(org, "ext", "softdel@example.com", "Soft Del")
+
+        assert soft_deleted_member.deleted_at is None
+        soft_deleted_member.save.assert_called_once_with(update_fields=["deleted_at"])
+        MockOrgMember.objects.create.assert_not_called()
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_stores_scim_data(self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        MockRole.objects.get.return_value = MagicMock()
+        MockCustomUser.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.filter.return_value.first.return_value = None
+        MockCustomUser.objects.create.return_value = make_mock_user()
+        MockOrgMember.objects.create.return_value = make_mock_org_member()
+        MockSCIMUser.objects.create.return_value = MagicMock()
 
-    def test_stores_scim_data(self, organisation, developer_role):
         scim_data = {"userName": "data@example.com", "custom": "field"}
-        scim_user = provision_scim_user(
-            organisation=organisation,
-            external_id="data-ext",
-            email="data@example.com",
-            display_name="Data Test",
-            scim_data=scim_data,
-        )
-        assert scim_user.scim_data == scim_data
+        provision_scim_user(org, "ext", "data@example.com", "Data", scim_data=scim_data)
+
+        create_kwargs = MockSCIMUser.objects.create.call_args[1]
+        assert create_kwargs["scim_data"] is scim_data
+
+    @patch(f"{_P}.SCIMUser")
+    @patch(f"{_P}.OrganisationMember")
+    @patch(f"{_P}.CustomUser")
+    @patch(f"{_P}.Role")
+    def test_default_role_is_developer(
+        self, MockRole, MockCustomUser, MockOrgMember, MockSCIMUser
+    ):
+        from ee.authentication.scim.utils import provision_scim_user
+
+        org = make_mock_organisation()
+        dev_role = MagicMock(name="Developer")
+        MockRole.objects.get.return_value = dev_role
+        MockCustomUser.objects.filter.return_value.first.return_value = None
+        MockOrgMember.objects.filter.return_value.first.return_value = None
+        MockCustomUser.objects.create.return_value = make_mock_user()
+        MockOrgMember.objects.create.return_value = make_mock_org_member()
+        MockSCIMUser.objects.create.return_value = MagicMock()
+
+        provision_scim_user(org, "ext", "test@example.com", "Test")
+
+        MockRole.objects.get.assert_called_once_with(organisation=org, name__iexact="developer")
+        create_kwargs = MockOrgMember.objects.create.call_args[1]
+        assert create_kwargs["role"] is dev_role
 
 
 # ---------------------------------------------------------------------------
@@ -125,56 +227,92 @@ def test_stores_scim_data(self, organisation, developer_role):
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestDeactivateScimUser:
 
-    def test_sets_active_false(self, scim_user_alice):
-        deactivate_scim_user(scim_user_alice)
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is False
-
-    def test_soft_deletes_org_member(self, scim_user_alice):
-        deactivate_scim_user(scim_user_alice)
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is not None
-
-    def test_wipes_crypto_material(self, scim_user_alice):
-        scim_user_alice.org_member.identity_key = "some-key"
-        scim_user_alice.org_member.wrapped_keyring = "some-keyring"
-        scim_user_alice.org_member.wrapped_recovery = "some-recovery"
-        scim_user_alice.org_member.save()
-
-        deactivate_scim_user(scim_user_alice)
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.identity_key == ""
-        assert scim_user_alice.org_member.wrapped_keyring == ""
-        assert scim_user_alice.org_member.wrapped_recovery == ""
-
-    def test_deletes_team_memberships(self, scim_user_alice, scim_group_engineering):
-        assert TeamMembership.objects.filter(
-            org_member=scim_user_alice.org_member
-        ).exists()
-
-        deactivate_scim_user(scim_user_alice)
-
-        assert not TeamMembership.objects.filter(
-            org_member=scim_user_alice.org_member
-        ).exists()
-
-    def test_does_not_delete_custom_user(self, scim_user_alice):
-        user_id = scim_user_alice.user.userId
-        deactivate_scim_user(scim_user_alice)
-        assert CustomUser.objects.filter(userId=user_id).exists()
-
-    def test_does_not_affect_other_members_team_membership(
-        self, scim_user_alice, scim_user_bob, scim_group_engineering
-    ):
-        """Deactivating Alice should not remove Bob from the team."""
-        deactivate_scim_user(scim_user_alice)
-        assert TeamMembership.objects.filter(
-            team=scim_group_engineering.team,
-            org_member=scim_user_bob.org_member,
-        ).exists()
+    def _empty_qs(self):
+        """Return a MagicMock that behaves like an empty queryset (iterable + .delete())."""
+        qs = MagicMock()
+        qs.__iter__ = MagicMock(return_value=iter([]))
+        return qs
+
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.TeamMembership")
+    def test_sets_active_false(self, MockTM, mock_revoke):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        scim_user = make_mock_scim_user(active=True)
+        MockTM.objects.filter.return_value.select_related.return_value = self._empty_qs()
+
+        deactivate_scim_user(scim_user)
+
+        assert scim_user.active is False
+        scim_user.save.assert_called_with(update_fields=["active"])
+
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.TeamMembership")
+    def test_soft_deletes_org_member(self, MockTM, mock_revoke):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        scim_user = make_mock_scim_user()
+        MockTM.objects.filter.return_value.select_related.return_value = self._empty_qs()
+
+        deactivate_scim_user(scim_user)
+
+        assert scim_user.org_member.deleted_at is not None
+        scim_user.org_member.save.assert_called()
+
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.TeamMembership")
+    def test_wipes_crypto_material(self, MockTM, mock_revoke):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        scim_user = make_mock_scim_user()
+        scim_user.org_member.identity_key = "some-key"
+        scim_user.org_member.wrapped_keyring = "some-keyring"
+        scim_user.org_member.wrapped_recovery = "some-recovery"
+        MockTM.objects.filter.return_value.select_related.return_value = self._empty_qs()
+
+        deactivate_scim_user(scim_user)
+
+        assert scim_user.org_member.identity_key == ""
+        assert scim_user.org_member.wrapped_keyring == ""
+        assert scim_user.org_member.wrapped_recovery == ""
+
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.TeamMembership")
+    def test_revokes_keys_and_deletes_team_memberships(self, MockTM, mock_revoke):
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        scim_user = make_mock_scim_user()
+        team1 = MagicMock(name="Team1")
+        tm1 = MagicMock(team=team1)
+        team2 = MagicMock(name="Team2")
+        tm2 = MagicMock(team=team2)
+
+        qs = MagicMock()
+        qs.__iter__ = MagicMock(return_value=iter([tm1, tm2]))
+        MockTM.objects.filter.return_value.select_related.return_value = qs
+
+        deactivate_scim_user(scim_user)
+
+        mock_revoke.assert_any_call(team1, member=scim_user.org_member)
+        mock_revoke.assert_any_call(team2, member=scim_user.org_member)
+        assert mock_revoke.call_count == 2
+        qs.delete.assert_called_once()
+
+    @patch(f"{_P}.revoke_team_environment_keys")
+    @patch(f"{_P}.TeamMembership")
+    def test_no_org_member_is_safe(self, MockTM, mock_revoke):
+        """If org_member is None, deactivation should still set active=False."""
+        from ee.authentication.scim.utils import deactivate_scim_user
+
+        scim_user = make_mock_scim_user()
+        scim_user.org_member = None
+
+        deactivate_scim_user(scim_user)
+
+        assert scim_user.active is False
+        MockTM.objects.filter.assert_not_called()
 
 
 # ---------------------------------------------------------------------------
@@ -182,47 +320,48 @@ def test_does_not_affect_other_members_team_membership(
 # ---------------------------------------------------------------------------
 
 
-@pytest.mark.django_db
 class TestReactivateScimUser:
 
-    def test_sets_active_true(self, scim_user_alice):
-        deactivate_scim_user(scim_user_alice)
-        reactivate_scim_user(scim_user_alice)
-        scim_user_alice.refresh_from_db()
-        assert scim_user_alice.active is True
+    def test_sets_active_true(self):
+        from ee.authentication.scim.utils import reactivate_scim_user
 
-    def test_clears_deleted_at(self, scim_user_alice):
-        deactivate_scim_user(scim_user_alice)
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is not None
+        scim_user = make_mock_scim_user(active=False)
+        scim_user.org_member.deleted_at = "2025-01-01"
 
-        reactivate_scim_user(scim_user_alice)
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.deleted_at is None
+        reactivate_scim_user(scim_user)
 
-    def test_does_not_restore_team_memberships(
-        self, scim_user_alice, scim_group_engineering
-    ):
-        """After deactivation clears team memberships, reactivation should NOT restore them.
-        The IdP's group push will re-add the user to the correct teams."""
-        deactivate_scim_user(scim_user_alice)
-        assert not TeamMembership.objects.filter(
-            org_member=scim_user_alice.org_member
-        ).exists()
-
-        reactivate_scim_user(scim_user_alice)
-        # Still no team memberships — IdP must re-push
-        assert not TeamMembership.objects.filter(
-            org_member=scim_user_alice.org_member
-        ).exists()
-
-    def test_crypto_material_stays_empty(self, scim_user_alice):
-        """Reactivation should not restore crypto material — user must redo key ceremony."""
-        scim_user_alice.org_member.identity_key = "old-key"
-        scim_user_alice.org_member.save()
-
-        deactivate_scim_user(scim_user_alice)
-        reactivate_scim_user(scim_user_alice)
-
-        scim_user_alice.org_member.refresh_from_db()
-        assert scim_user_alice.org_member.identity_key == ""
+        assert scim_user.active is True
+        scim_user.save.assert_called_with(update_fields=["active"])
+
+    def test_clears_deleted_at(self):
+        from ee.authentication.scim.utils import reactivate_scim_user
+
+        scim_user = make_mock_scim_user(active=False)
+        scim_user.org_member.deleted_at = "2025-01-01"
+
+        reactivate_scim_user(scim_user)
+
+        assert scim_user.org_member.deleted_at is None
+        scim_user.org_member.save.assert_called_with(update_fields=["deleted_at"])
+
+    def test_no_op_if_org_member_not_deleted(self):
+        from ee.authentication.scim.utils import reactivate_scim_user
+
+        scim_user = make_mock_scim_user(active=False)
+        scim_user.org_member.deleted_at = None
+
+        reactivate_scim_user(scim_user)
+
+        assert scim_user.active is True
+        # org_member.save should NOT be called because deleted_at was already None
+        scim_user.org_member.save.assert_not_called()
+
+    def test_no_org_member_is_safe(self):
+        from ee.authentication.scim.utils import reactivate_scim_user
+
+        scim_user = make_mock_scim_user(active=False)
+        scim_user.org_member = None
+
+        reactivate_scim_user(scim_user)
+
+        assert scim_user.active is True

From 77a844cda694684dcf9caa2ac3aa5dcc59b5933a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 18:33:57 +0530
Subject: [PATCH 063/118] fix: bump python-version for backend build to 3.12

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .github/workflows/backend.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 550f9c063..f657d3b27 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: '3.12'
           cache: 'pip'
 
       - name: Install dependencies

From cc6b6448d85d4065446eb5ad71c995aab5255331 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 8 Apr 2026 18:38:10 +0530
Subject: [PATCH 064/118] fix: conftest secrets

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/conftest.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/backend/conftest.py b/backend/conftest.py
index e801a6e0a..211f77815 100644
--- a/backend/conftest.py
+++ b/backend/conftest.py
@@ -20,6 +20,10 @@
 os.environ.setdefault("DATABASE_USER", "dummy_user")
 os.environ.setdefault("DATABASE_PASSWORD", "dummy_password")
 
+# Django requires SECRET_KEY for middleware (sessions, CSRF, etc.)
+os.environ.setdefault("SECRET_KEY", "dummy-secret-key-for-testing-only")
+os.environ.setdefault("SERVER_SECRET", "a" * 64)
+
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "backend.settings")
 
 

From edf69c039dc40fe5f8e2a9e33b6b96491f894057 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 15:29:38 +0530
Subject: [PATCH 065/118] chore: regen schema and types

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/apollo/gql.ts         | 36 ++++++++++------
 frontend/apollo/graphql.ts     | 76 ++++++++++++++++++++++++++++++----
 frontend/apollo/schema.graphql | 75 +++++++++++----------------------
 3 files changed, 117 insertions(+), 70 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 1c4306afd..2e0f6cb33 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -79,7 +79,7 @@ type Documents = {
     "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.DeleteScimTokenOpDocument,
     "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}": typeof types.ToggleScimOpDocument,
     "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}": typeof types.ToggleScimTokenOpDocument,
-    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
+    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": typeof types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountTokenOpDocument,
@@ -87,6 +87,7 @@ type Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": typeof types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": typeof types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOpDocument,
+    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewCfPagesSyncDocument,
@@ -113,6 +114,7 @@ type Documents = {
     "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": typeof types.DeleteTeamOpDocument,
     "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamAppOpDocument,
     "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": typeof types.RemoveTeamMemberOpDocument,
+    "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}": typeof types.TransferTeamOwnershipOpDocument,
     "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": typeof types.UpdateTeamOpDocument,
     "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": typeof types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": typeof types.CreateNewUserTokenDocument,
@@ -161,10 +163,10 @@ type Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": typeof types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": typeof types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
-    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
+    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": typeof types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": typeof types.ValidateAwsAssumeRoleAuthDocument,
@@ -186,7 +188,7 @@ type Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": typeof types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": typeof types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": typeof types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": typeof types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": typeof types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": typeof types.GetUserTokensDocument,
 };
@@ -256,7 +258,7 @@ const documents: Documents = {
     "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.DeleteScimTokenOpDocument,
     "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}": types.ToggleScimOpDocument,
     "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}": types.ToggleScimTokenOpDocument,
-    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
+    "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountTokenOpDocument,
@@ -264,6 +266,7 @@ const documents: Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
+    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
@@ -290,6 +293,7 @@ const documents: Documents = {
     "mutation DeleteTeamOp($teamId: ID!) {\n  deleteTeam(teamId: $teamId) {\n    ok\n  }\n}": types.DeleteTeamOpDocument,
     "mutation RemoveTeamAppOp($teamId: ID!, $appId: ID!) {\n  removeTeamApp(teamId: $teamId, appId: $appId) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamAppOpDocument,
     "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}": types.RemoveTeamMemberOpDocument,
+    "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}": types.TransferTeamOwnershipOpDocument,
     "mutation UpdateTeamOp($teamId: ID!, $name: String, $description: String, $memberRoleId: ID, $serviceAccountRoleId: ID) {\n  updateTeam(\n    teamId: $teamId\n    name: $name\n    description: $description\n    memberRoleId: $memberRoleId\n    serviceAccountRoleId: $serviceAccountRoleId\n  ) {\n    team {\n      id\n      name\n    }\n  }\n}": types.UpdateTeamOpDocument,
     "mutation UpdateTeamAppEnvironmentsOp($teamId: ID!, $appId: ID!, $envIds: [ID!]!) {\n  updateTeamAppEnvironments(teamId: $teamId, appId: $appId, envIds: $envIds) {\n    team {\n      id\n    }\n  }\n}": types.UpdateTeamAppEnvironmentsOpDocument,
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": types.CreateNewUserTokenDocument,
@@ -338,10 +342,10 @@ const documents: Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
-    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
+    "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": types.ValidateAwsAssumeRoleAuthDocument,
@@ -363,7 +367,7 @@ const documents: Documents = {
     "query GetRenderResources($credentialId: ID!) {\n  renderServices(credentialId: $credentialId) {\n    id\n    name\n    type\n  }\n  renderEnvgroups(credentialId: $credentialId) {\n    id\n    name\n  }\n}": types.GetRenderResourcesDocument,
     "query TestVaultAuth($credentialId: ID!) {\n  testVaultCreds(credentialId: $credentialId)\n}": types.TestVaultAuthDocument,
     "query GetVercelProjects($credentialId: ID!) {\n  vercelProjects(credentialId: $credentialId) {\n    id\n    teamName\n    projects {\n      id\n      name\n      environments {\n        id\n        name\n        slug\n        type\n      }\n    }\n  }\n}": types.GetVercelProjectsDocument,
-    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
+    "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}": types.GetTeamsDocument,
     "query GetOrganisationMemberDetail($organisationId: ID!, $id: ID) {\n  organisationMembers(organisationId: $organisationId, memberId: $id) {\n    id\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    lastLogin\n    self\n    scimManaged\n    appMemberships {\n      id\n      name\n      sseEnabled\n      environments {\n        id\n        name\n      }\n    }\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetOrganisationMemberDetailDocument,
     "query GetUserTokens($organisationId: ID!) {\n  userTokens(organisationId: $organisationId) {\n    id\n    name\n    wrappedKeyShare\n    createdAt\n    expiresAt\n  }\n}": types.GetUserTokensDocument,
 };
@@ -645,7 +649,7 @@ export function graphql(source: "mutation ToggleSCIMTokenOp($tokenId: ID!, $isAc
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"];
+export function graphql(source: "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -674,6 +678,10 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -778,6 +786,10 @@ export function graphql(source: "mutation RemoveTeamAppOp($teamId: ID!, $appId:
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RemoveTeamMemberOp($teamId: ID!, $memberId: ID!, $memberType: MemberType) {\n  removeTeamMember(teamId: $teamId, memberId: $memberId, memberType: $memberType) {\n    team {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}"): (typeof documents)["mutation TransferTeamOwnershipOp($teamId: ID!, $newOwnerId: ID!) {\n  transferTeamOwnership(teamId: $teamId, newOwnerId: $newOwnerId) {\n    team {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -973,7 +985,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -985,7 +997,7 @@ export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id:
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
+export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -1073,7 +1085,7 @@ export function graphql(source: "query GetVercelProjects($credentialId: ID!) {\n
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
+export function graphql(source: "query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"): (typeof documents)["query GetTeams($organisationId: ID!, $teamId: ID) {\n  teams(organisationId: $organisationId, teamId: $teamId) {\n    id\n    name\n    description\n    memberRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    serviceAccountRole {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    isScimManaged\n    owner {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdBy {\n      id\n      fullName\n      email\n      avatarUrl\n    }\n    createdAt\n    updatedAt\n    memberCount\n    members {\n      id\n      orgMember {\n        id\n        identityKey\n        scimManaged\n        email\n        fullName\n        avatarUrl\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n      }\n      serviceAccount {\n        id\n        name\n        role {\n          id\n          name\n          description\n          color\n          permissions\n        }\n        team {\n          id\n          name\n        }\n      }\n      email\n      fullName\n      avatarUrl\n      createdAt\n    }\n    apps {\n      id\n      name\n      sseEnabled\n    }\n    appEnvironments {\n      id\n      app {\n        id\n        name\n      }\n      environment {\n        id\n        name\n        envType\n      }\n      createdAt\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index bac9c683e..74380151c 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -1123,6 +1123,7 @@ export type Mutation = {
    * The new owner must have global access (Admin role) to ensure they have all necessary keys.
    */
   transferOrganisationOwnership?: Maybe<TransferOrganisationOwnershipMutation>;
+  transferTeamOwnership?: Maybe<TransferTeamOwnershipMutation>;
   triggerSync?: Maybe<TriggerSync>;
   updateAccountNetworkAccessPolicies?: Maybe<UpdateAccountNetworkAccessPolicies>;
   updateAppInfo?: Maybe<UpdateAppInfoMutation>;
@@ -1137,6 +1138,15 @@ export type Mutation = {
   updateProviderCredentials?: Maybe<UpdateProviderCredentials>;
   updateServiceAccount?: Maybe<UpdateServiceAccountMutation>;
   updateServiceAccountHandlers?: Maybe<UpdateServiceAccountHandlersMutation>;
+  /**
+   * Transfer a service account between org-level and team ownership.
+   *
+   * - team_id=null: Promote team-owned SA to org-level (clears team FK).
+   * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+   *
+   * Requires global_access (Owner/Admin only).
+   */
+  updateServiceAccountOwnership?: Maybe<UpdateServiceAccountOwnershipMutation>;
   updateSyncAuthentication?: Maybe<UpdateSyncAuthentication>;
   updateTeam?: Maybe<UpdateTeamMutation>;
   updateTeamAppEnvironments?: Maybe<UpdateTeamAppEnvironmentsMutation>;
@@ -1451,6 +1461,7 @@ export type MutationCreateServiceAccountArgs = {
   roleId?: InputMaybe<Scalars['ID']['input']>;
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
+  teamId?: InputMaybe<Scalars['ID']['input']>;
 };
 
 
@@ -1761,6 +1772,12 @@ export type MutationTransferOrganisationOwnershipArgs = {
 };
 
 
+export type MutationTransferTeamOwnershipArgs = {
+  newOwnerId: Scalars['ID']['input'];
+  teamId: Scalars['ID']['input'];
+};
+
+
 export type MutationTriggerSyncArgs = {
   syncId?: InputMaybe<Scalars['ID']['input']>;
 };
@@ -1871,6 +1888,12 @@ export type MutationUpdateServiceAccountHandlersArgs = {
 };
 
 
+export type MutationUpdateServiceAccountOwnershipArgs = {
+  serviceAccountId: Scalars['ID']['input'];
+  teamId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type MutationUpdateSyncAuthenticationArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   syncId?: InputMaybe<Scalars['ID']['input']>;
@@ -2731,6 +2754,7 @@ export type ServiceAccountType = {
   networkPolicies?: Maybe<Array<NetworkAccessPolicyType>>;
   role?: Maybe<RoleType>;
   serverSideKeyManagementEnabled?: Maybe<Scalars['Boolean']['output']>;
+  team?: Maybe<TeamType>;
   tokens?: Maybe<Array<Maybe<ServiceAccountTokenType>>>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2829,6 +2853,7 @@ export type TeamType = {
   memberRole?: Maybe<RoleType>;
   members?: Maybe<Array<TeamMembershipType>>;
   name: Scalars['String']['output'];
+  owner?: Maybe<OrganisationMemberType>;
   serviceAccountRole?: Maybe<RoleType>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2868,6 +2893,11 @@ export type TransferOrganisationOwnershipMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type TransferTeamOwnershipMutation = {
+  __typename?: 'TransferTeamOwnershipMutation';
+  team?: Maybe<TeamType>;
+};
+
 export type TriggerSync = {
   __typename?: 'TriggerSync';
   sync?: Maybe<EnvironmentSyncType>;
@@ -2940,6 +2970,19 @@ export type UpdateServiceAccountMutation = {
   serviceAccount?: Maybe<ServiceAccountType>;
 };
 
+/**
+ * Transfer a service account between org-level and team ownership.
+ *
+ * - team_id=null: Promote team-owned SA to org-level (clears team FK).
+ * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+ *
+ * Requires global_access (Owner/Admin only).
+ */
+export type UpdateServiceAccountOwnershipMutation = {
+  __typename?: 'UpdateServiceAccountOwnershipMutation';
+  serviceAccount?: Maybe<ServiceAccountType>;
+};
+
 export type UpdateSubscriptionResponse = {
   __typename?: 'UpdateSubscriptionResponse';
   cancelledAt?: Maybe<Scalars['String']['output']>;
@@ -3608,6 +3651,7 @@ export type CreateServiceAccountOpMutationVariables = Exact<{
   handlers?: InputMaybe<Array<InputMaybe<ServiceAccountHandlerInput>> | InputMaybe<ServiceAccountHandlerInput>>;
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
+  teamId?: InputMaybe<Scalars['ID']['input']>;
 }>;
 
 
@@ -3673,6 +3717,14 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
 
 export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
+export type UpdateServiceAccountOwnershipOpMutationVariables = Exact<{
+  serviceAccountId: Scalars['ID']['input'];
+  teamId?: InputMaybe<Scalars['ID']['input']>;
+}>;
+
+
+export type UpdateServiceAccountOwnershipOpMutation = { __typename?: 'Mutation', updateServiceAccountOwnership?: { __typename?: 'UpdateServiceAccountOwnershipMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null } | null };
+
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
   path: Scalars['String']['input'];
@@ -3936,6 +3988,14 @@ export type RemoveTeamMemberOpMutationVariables = Exact<{
 
 export type RemoveTeamMemberOpMutation = { __typename?: 'Mutation', removeTeamMember?: { __typename?: 'RemoveTeamMemberMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
 
+export type TransferTeamOwnershipOpMutationVariables = Exact<{
+  teamId: Scalars['ID']['input'];
+  newOwnerId: Scalars['ID']['input'];
+}>;
+
+
+export type TransferTeamOwnershipOpMutation = { __typename?: 'Mutation', transferTeamOwnership?: { __typename?: 'TransferTeamOwnershipMutation', team?: { __typename?: 'TeamType', id: string } | null } | null };
+
 export type UpdateTeamOpMutationVariables = Exact<{
   teamId: Scalars['ID']['input'];
   name?: InputMaybe<Scalars['String']['input']>;
@@ -4315,7 +4375,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4338,7 +4398,7 @@ export type GetServiceAccountsQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
+export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
 
 export type GetOrganisationSyncsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4490,7 +4550,7 @@ export type GetTeamsQueryVariables = Exact<{
 }>;
 
 
-export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, scimManaged?: boolean | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
+export type GetTeamsQuery = { __typename?: 'Query', teams?: Array<{ __typename?: 'TeamType', id: string, name: string, description?: string | null, isScimManaged: boolean, createdAt?: any | null, updatedAt: any, memberCount?: number | null, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, serviceAccountRole?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, owner?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, createdBy?: { __typename?: 'OrganisationMemberType', id: string, fullName?: string | null, email?: string | null, avatarUrl?: string | null } | null, members?: Array<{ __typename?: 'TeamMembershipType', id: string, email?: string | null, fullName?: string | null, avatarUrl?: string | null, createdAt?: any | null, orgMember?: { __typename?: 'OrganisationMemberType', id: string, identityKey?: string | null, scimManaged?: boolean | null, email?: string | null, fullName?: string | null, avatarUrl?: string | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null, serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null }> | null, apps?: Array<{ __typename?: 'AppType', id: string, name: string, sseEnabled: boolean }> | null, appEnvironments?: Array<{ __typename?: 'TeamAppEnvironmentType', id: string, createdAt?: any | null, app: { __typename?: 'AppMembershipType', id: string, name: string }, environment: { __typename?: 'EnvironmentType', id: string, name: string, envType: ApiEnvironmentEnvTypeChoices } }> | null } | null> | null };
 
 export type GetOrganisationMemberDetailQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
@@ -4573,7 +4633,7 @@ export const CreateScimTokenOpDocument = {"kind":"Document","definitions":[{"kin
 export const DeleteScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteScimTokenOpMutation, DeleteScimTokenOpMutationVariables>;
 export const ToggleScimOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ToggleSCIMOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"toggleScim"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"enabled"},"value":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<ToggleScimOpMutation, ToggleScimOpMutationVariables>;
 export const ToggleScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ToggleSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"isActive"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"toggleScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}},{"kind":"Argument","name":{"kind":"Name","value":"isActive"},"value":{"kind":"Variable","name":{"kind":"Name","value":"isActive"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<ToggleScimTokenOpMutation, ToggleScimTokenOpMutationVariables>;
-export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
+export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
 export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountTokenOpMutation, DeleteServiceAccountTokenOpMutationVariables>;
@@ -4581,6 +4641,7 @@ export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitio
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
+export const UpdateServiceAccountOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOwnershipOpMutation, UpdateServiceAccountOwnershipOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewAzureKeyVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAzureKeyVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAzureKeyVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultUri"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}}},{"kind":"Argument","name":{"kind":"Name","value":"syncMode"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAzureKeyVaultSyncMutation, CreateNewAzureKeyVaultSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
@@ -4607,6 +4668,7 @@ export const CreateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"O
 export const DeleteTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteTeamOpMutation, DeleteTeamOpMutationVariables>;
 export const RemoveTeamAppOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamAppOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamApp"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamAppOpMutation, RemoveTeamAppOpMutationVariables>;
 export const RemoveTeamMemberOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveTeamMemberOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeTeamMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveTeamMemberOpMutation, RemoveTeamMemberOpMutationVariables>;
+export const TransferTeamOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TransferTeamOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"transferTeamOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"newOwnerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<TransferTeamOwnershipOpMutation, TransferTeamOwnershipOpMutationVariables>;
 export const UpdateTeamOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeam"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberRoleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountRoleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountRoleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamOpMutation, UpdateTeamOpMutationVariables>;
 export const UpdateTeamAppEnvironmentsOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateTeamAppEnvironmentsOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateTeamAppEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateTeamAppEnvironmentsOpMutation, UpdateTeamAppEnvironmentsOpMutationVariables>;
 export const CreateNewUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<CreateNewUserTokenMutation, CreateNewUserTokenMutationVariables>;
@@ -4655,10 +4717,10 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"type"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
-export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
+export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
 export const GetOrganisationSyncsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationSyncs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"completedAt"}},{"kind":"Field","name":{"kind":"Name","value":"meta"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expectedCredentials"}},{"kind":"Field","name":{"kind":"Name","value":"optionalCredentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationSyncsQuery, GetOrganisationSyncsQueryVariables>;
 export const GetAwsSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"arn"}}]}}]}}]} as unknown as DocumentNode<GetAwsSecretsQuery, GetAwsSecretsQueryVariables>;
 export const ValidateAwsAssumeRoleAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"ValidateAWSAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateAwsAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"valid"}},{"kind":"Field","name":{"kind":"Name","value":"message"}},{"kind":"Field","name":{"kind":"Name","value":"method"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<ValidateAwsAssumeRoleAuthQuery, ValidateAwsAssumeRoleAuthQueryVariables>;
@@ -4680,6 +4742,6 @@ export const GetRailwayProjectsDocument = {"kind":"Document","definitions":[{"ki
 export const GetRenderResourcesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetRenderResources"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renderServices"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}},{"kind":"Field","name":{"kind":"Name","value":"renderEnvgroups"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]} as unknown as DocumentNode<GetRenderResourcesQuery, GetRenderResourcesQueryVariables>;
 export const TestVaultAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"TestVaultAuth"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testVaultCreds"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}]}]}}]} as unknown as DocumentNode<TestVaultAuthQuery, TestVaultAuthQueryVariables>;
 export const GetVercelProjectsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetVercelProjects"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"vercelProjects"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"teamName"}},{"kind":"Field","name":{"kind":"Name","value":"projects"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"slug"}},{"kind":"Field","name":{"kind":"Name","value":"type"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetVercelProjectsQuery, GetVercelProjectsQueryVariables>;
-export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"scimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
+export const GetTeamsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetTeams"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"teams"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccountRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"owner"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"memberCount"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"scimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<GetTeamsQuery, GetTeamsQueryVariables>;
 export const GetOrganisationMemberDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationMemberDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastLogin"}},{"kind":"Field","name":{"kind":"Name","value":"self"}},{"kind":"Field","name":{"kind":"Name","value":"scimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationMemberDetailQuery, GetOrganisationMemberDetailQueryVariables>;
 export const GetUserTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetUserTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyShare"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]} as unknown as DocumentNode<GetUserTokensQuery, GetUserTokensQueryVariables>;
\ No newline at end of file
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index f39044e65..d0d9a9513 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -308,6 +308,7 @@ type ServiceAccountType {
   id: String!
   name: String!
   role: RoleType
+  team: TeamType
   identityKey: String
   createdAt: DateTime
   updatedAt: DateTime!
@@ -668,56 +669,6 @@ type UserTokenType {
   createdBy: OrganisationMemberType
 }
 
-type TeamType {
-  id: String!
-  name: String!
-  description: String
-  memberRole: RoleType
-  serviceAccountRole: RoleType
-  isScimManaged: Boolean!
-  createdBy: OrganisationMemberType
-  createdAt: DateTime
-  updatedAt: DateTime!
-  members: [TeamMembershipType!]
-  apps: [AppType!]
-  appEnvironments: [TeamAppEnvironmentType!]
-  memberCount: Int
-}
-
-type TeamMembershipType {
-  id: String!
-  orgMember: OrganisationMemberType
-  serviceAccount: ServiceAccountType
-  createdAt: DateTime
-  email: String
-  fullName: String
-  avatarUrl: String
-}
-
-type AppType {
-  id: String!
-  name: String!
-  description: String
-  identityKey: String!
-  appVersion: Int!
-  appToken: String!
-  appSeed: String!
-  wrappedKeyShare: String!
-  createdAt: DateTime
-  updatedAt: DateTime!
-  sseEnabled: Boolean!
-  serviceAccounts: [ServiceAccountType]!
-  environments: [EnvironmentType]!
-  members: [OrganisationMemberType]!
-}
-
-type TeamAppEnvironmentType {
-  id: String!
-  app: AppMembershipType!
-  environment: EnvironmentType!
-  createdAt: DateTime
-}
-
 type SCIMTokenType {
   id: String!
   name: String!
@@ -1223,7 +1174,7 @@ type Mutation {
 
   """Per-provider toggle: enable/disable a single SCIM token."""
   toggleScimToken(isActive: Boolean!, tokenId: ID!): ToggleSCIMTokenMutation
-  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
+  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String, teamId: ID): CreateServiceAccountMutation
   enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
   enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
   updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
@@ -1231,6 +1182,16 @@ type Mutation {
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
   createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
+
+  """
+  Transfer a service account between org-level and team ownership.
+  
+  - team_id=null: Promote team-owned SA to org-level (clears team FK).
+  - team_id=<id>: Assign SA to a team (narrows visibility to team members).
+  
+  Requires global_access (Owner/Admin only).
+  """
+  updateServiceAccountOwnership(serviceAccountId: ID!, teamId: ID): UpdateServiceAccountOwnershipMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
@@ -1567,6 +1528,18 @@ type DeleteServiceAccountTokenMutation {
   ok: Boolean
 }
 
+"""
+Transfer a service account between org-level and team ownership.
+
+- team_id=null: Promote team-owned SA to org-level (clears team FK).
+- team_id=<id>: Assign SA to a team (narrows visibility to team members).
+
+Requires global_access (Owner/Admin only).
+"""
+type UpdateServiceAccountOwnershipMutation {
+  serviceAccount: ServiceAccountType
+}
+
 type InitEnvSync {
   app: AppType
 }

From 953338789760758f092d1636868ebcf386b456d2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 21:35:40 +0530
Subject: [PATCH 066/118] chore: clean up migration graph

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../migrations/0122_serviceaccount_team.py    | 23 ---------
 ..._scim_models.py => 0122_teams_and_scim.py} | 51 ++++++++++++++++++-
 backend/api/migrations/0123_add_team_owner.py | 19 -------
 ...m_owner.py => 0123_populate_team_owner.py} |  4 +-
 backend/api/migrations/0123_scim_phase2.py    | 51 -------------------
 5 files changed, 51 insertions(+), 97 deletions(-)
 delete mode 100644 backend/api/migrations/0122_serviceaccount_team.py
 rename backend/api/migrations/{0122_add_scim_models.py => 0122_teams_and_scim.py} (54%)
 delete mode 100644 backend/api/migrations/0123_add_team_owner.py
 rename backend/api/migrations/{0124_populate_team_owner.py => 0123_populate_team_owner.py} (86%)
 delete mode 100644 backend/api/migrations/0123_scim_phase2.py

diff --git a/backend/api/migrations/0122_serviceaccount_team.py b/backend/api/migrations/0122_serviceaccount_team.py
deleted file mode 100644
index fe8422006..000000000
--- a/backend/api/migrations/0122_serviceaccount_team.py
+++ /dev/null
@@ -1,23 +0,0 @@
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("api", "0121_backfill_environment_key_grants"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="serviceaccount",
-            name="team",
-            field=models.ForeignKey(
-                blank=True,
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="owned_service_accounts",
-                to="api.team",
-            ),
-        ),
-    ]
diff --git a/backend/api/migrations/0122_add_scim_models.py b/backend/api/migrations/0122_teams_and_scim.py
similarity index 54%
rename from backend/api/migrations/0122_add_scim_models.py
rename to backend/api/migrations/0122_teams_and_scim.py
index 694bcd027..fb51ae07a 100644
--- a/backend/api/migrations/0122_add_scim_models.py
+++ b/backend/api/migrations/0122_teams_and_scim.py
@@ -1,4 +1,4 @@
-# Generated by Django 4.2.29 on 2026-03-31 14:24
+# Generated by Django 4.2.29 on 2026-04-14 15:57
 
 from django.conf import settings
 from django.db import migrations, models
@@ -13,6 +13,21 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
+        migrations.AddField(
+            model_name='organisation',
+            name='scim_enabled',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='serviceaccount',
+            name='team',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_service_accounts', to='api.team'),
+        ),
+        migrations.AddField(
+            model_name='team',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_teams', to='api.organisationmember'),
+        ),
         migrations.CreateModel(
             name='SCIMUser',
             fields=[
@@ -39,6 +54,7 @@ class Migration(migrations.Migration):
                 ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
                 ('expires_at', models.DateTimeField(blank=True, null=True)),
                 ('last_used_at', models.DateTimeField(blank=True, null=True)),
+                ('is_active', models.BooleanField(default=True)),
                 ('deleted_at', models.DateTimeField(blank=True, null=True)),
                 ('created_by', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='api.organisationmember')),
                 ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_tokens', to='api.organisation')),
@@ -57,6 +73,31 @@ class Migration(migrations.Migration):
                 ('team', models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='scim_group', to='api.team')),
             ],
         ),
+        migrations.CreateModel(
+            name='SCIMEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('event_type', models.CharField(choices=[('user_created', 'User Created'), ('user_updated', 'User Updated'), ('user_deactivated', 'User Deactivated'), ('user_reactivated', 'User Reactivated'), ('group_created', 'Group Created'), ('group_updated', 'Group Updated'), ('group_deleted', 'Group Deleted'), ('member_added', 'Member Added to Group'), ('member_removed', 'Member Removed from Group')], max_length=32)),
+                ('status', models.CharField(choices=[('success', 'Success'), ('error', 'Error')], default='success', max_length=8)),
+                ('resource_type', models.CharField(choices=[('user', 'User'), ('group', 'Group')], max_length=16)),
+                ('resource_id', models.TextField(blank=True)),
+                ('resource_name', models.CharField(blank=True, max_length=255)),
+                ('detail', models.JSONField(default=dict)),
+                ('request_method', models.CharField(blank=True, max_length=8)),
+                ('request_path', models.TextField(blank=True)),
+                ('request_body', models.JSONField(blank=True, null=True)),
+                ('response_status', models.IntegerField(blank=True, null=True)),
+                ('response_body', models.JSONField(blank=True, null=True)),
+                ('ip_address', models.GenericIPAddressField(blank=True, null=True)),
+                ('user_agent', models.TextField(blank=True, null=True)),
+                ('timestamp', models.DateTimeField(auto_now_add=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_events', to='api.organisation')),
+                ('scim_token', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='events', to='api.scimtoken')),
+            ],
+            options={
+                'ordering': ['-timestamp'],
+            },
+        ),
         migrations.AddConstraint(
             model_name='scimuser',
             constraint=models.UniqueConstraint(fields=('external_id', 'organisation'), name='unique_scim_user_external_id'),
@@ -69,4 +110,12 @@ class Migration(migrations.Migration):
             model_name='scimgroup',
             constraint=models.UniqueConstraint(fields=('external_id', 'organisation'), name='unique_scim_group_external_id'),
         ),
+        migrations.AddIndex(
+            model_name='scimevent',
+            index=models.Index(fields=['organisation', '-timestamp'], name='scim_event_org_ts_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='scimevent',
+            index=models.Index(fields=['scim_token', '-timestamp'], name='scim_event_token_ts_idx'),
+        ),
     ]
diff --git a/backend/api/migrations/0123_add_team_owner.py b/backend/api/migrations/0123_add_team_owner.py
deleted file mode 100644
index f8bef1e83..000000000
--- a/backend/api/migrations/0123_add_team_owner.py
+++ /dev/null
@@ -1,19 +0,0 @@
-# Generated by Django 4.2.29 on 2026-04-14 14:22
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('api', '0122_serviceaccount_team'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='team',
-            name='owner',
-            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_teams', to='api.organisationmember'),
-        ),
-    ]
diff --git a/backend/api/migrations/0124_populate_team_owner.py b/backend/api/migrations/0123_populate_team_owner.py
similarity index 86%
rename from backend/api/migrations/0124_populate_team_owner.py
rename to backend/api/migrations/0123_populate_team_owner.py
index 48e2f2a8b..439c709e1 100644
--- a/backend/api/migrations/0124_populate_team_owner.py
+++ b/backend/api/migrations/0123_populate_team_owner.py
@@ -1,5 +1,3 @@
-# Generated by Django 4.2.29 on 2026-04-14 14:22
-
 from django.db import migrations, models
 
 
@@ -19,7 +17,7 @@ def reverse(apps, schema_editor):
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('api', '0123_add_team_owner'),
+        ('api', '0122_teams_and_scim'),
     ]
 
     operations = [
diff --git a/backend/api/migrations/0123_scim_phase2.py b/backend/api/migrations/0123_scim_phase2.py
deleted file mode 100644
index a6a876ebf..000000000
--- a/backend/api/migrations/0123_scim_phase2.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Generated by Django 4.2.29 on 2026-04-01 17:02
-
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('api', '0122_add_scim_models'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='organisation',
-            name='scim_enabled',
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AddField(
-            model_name='scimtoken',
-            name='is_active',
-            field=models.BooleanField(default=True),
-        ),
-        migrations.CreateModel(
-            name='SCIMEvent',
-            fields=[
-                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
-                ('event_type', models.CharField(choices=[('user_created', 'User Created'), ('user_updated', 'User Updated'), ('user_deactivated', 'User Deactivated'), ('user_reactivated', 'User Reactivated'), ('group_created', 'Group Created'), ('group_updated', 'Group Updated'), ('group_deleted', 'Group Deleted'), ('member_added', 'Member Added to Group'), ('member_removed', 'Member Removed from Group')], max_length=32)),
-                ('status', models.CharField(choices=[('success', 'Success'), ('error', 'Error')], default='success', max_length=8)),
-                ('resource_type', models.CharField(choices=[('user', 'User'), ('group', 'Group')], max_length=16)),
-                ('resource_id', models.TextField(blank=True)),
-                ('resource_name', models.CharField(blank=True, max_length=255)),
-                ('detail', models.JSONField(default=dict)),
-                ('request_method', models.CharField(blank=True, max_length=8)),
-                ('request_path', models.TextField(blank=True)),
-                ('request_body', models.JSONField(blank=True, null=True)),
-                ('response_status', models.IntegerField(blank=True, null=True)),
-                ('response_body', models.JSONField(blank=True, null=True)),
-                ('ip_address', models.GenericIPAddressField(blank=True, null=True)),
-                ('user_agent', models.TextField(blank=True, null=True)),
-                ('timestamp', models.DateTimeField(auto_now_add=True)),
-                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_events', to='api.organisation')),
-                ('scim_token', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='events', to='api.scimtoken')),
-            ],
-            options={
-                'ordering': ['-timestamp'],
-                'indexes': [models.Index(fields=['organisation', '-timestamp'], name='scim_event_org_ts_idx'), models.Index(fields=['scim_token', '-timestamp'], name='scim_event_token_ts_idx')],
-            },
-        ),
-    ]

From ce59169eb21e693c8ca0e54b1ede901999ae2cbf Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 14 Apr 2026 21:36:01 +0530
Subject: [PATCH 067/118] fix: user profiles in transfer team ownership dialog

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/TransferTeamOwnershipDialog.tsx        | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx b/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx
index ccd9d7fd9..3e8a2acaa 100644
--- a/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/_components/TransferTeamOwnershipDialog.tsx
@@ -39,7 +39,7 @@ export const TransferTeamOwnershipDialog = ({ team }: { team: TeamType }) => {
       })
       const newOwner = humanMembers.find((m) => m.orgMember.id === selectedMemberId)
       toast.success(
-        `Transferred ownership to ${newOwner?.fullName || newOwner?.email || 'member'}`
+        `Transferred ownership to ${newOwner?.orgMember.fullName || newOwner?.orgMember.email || 'member'}`
       )
       setSelectedMemberId(null)
       dialogRef.current?.closeModal()
@@ -67,7 +67,7 @@ export const TransferTeamOwnershipDialog = ({ team }: { team: TeamType }) => {
             : 'This team has no owner. Select a team member to assign as owner.'}
         </p>
 
-        <div className="max-h-64 overflow-y-auto space-y-1">
+        <div className="max-h-[60vh] overflow-y-auto space-y-1">
           {humanMembers.map((membership) => {
             const isCurrentOwner = team.owner?.id === membership.orgMember.id
             const isSelected = selectedMemberId === membership.orgMember.id
@@ -89,11 +89,7 @@ export const TransferTeamOwnershipDialog = ({ team }: { team: TeamType }) => {
               >
                 <div className="grid grid-cols-[1fr_auto_auto] items-center gap-3 w-full">
                   <ProfileCard
-                    user={{
-                      name: membership.fullName,
-                      email: membership.email,
-                      image: membership.avatarUrl,
-                    }}
+                    member={membership.orgMember}
                     size="md"
                   />
                   <div>

From 8f97a914ac8d9297cac869d42c1e341c10bdd372 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 15 Apr 2026 15:43:50 +0530
Subject: [PATCH 068/118] feat: team-owned service account backend support

---
 .../graphene/mutations/service_accounts.py    | 252 +++++++++++++-----
 backend/backend/graphene/mutations/teams.py   |   4 +-
 .../graphene/queries/service_accounts.py      |  38 ++-
 backend/backend/graphene/types.py             |   8 +-
 backend/backend/schema.py                     |   2 +
 backend/ee/authentication/scim/filters.py     |   4 +-
 6 files changed, 225 insertions(+), 83 deletions(-)

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index 40b3f35a1..c262eabca 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -2,6 +2,7 @@
 from django.db import transaction
 from graphql import GraphQLError
 from api.models import (
+    App,
     Organisation,
     OrganisationMember,
     Role,
@@ -9,29 +10,76 @@
     ServiceAccountHandler,
     ServiceAccountToken,
     Team,
+    TeamAppEnvironment,
     TeamMembership,
     Identity,
 )
+from api.utils.keys import provision_team_environment_keys
 from api.utils.access.permissions import (
     role_has_global_access,
+    role_has_permission,
     user_has_permission,
     user_is_org_member,
-    user_is_team_member,
 )
 from backend.graphene.types import ServiceAccountTokenType, ServiceAccountType
 from datetime import datetime
 from django.conf import settings
 
 
-def _check_team_sa_access(user, service_account):
-    """For team-owned SAs, verify the user is a team member or has global access.
-    Org-level SAs (team=null) pass through — existing permission checks are sufficient."""
+def _check_sa_permission(user, service_account, action, resource):
+    """
+    Unified permission check for service account operations.
+
+    For team-owned SAs, resolves the effective role using the team's member_role override:
+    - Team owner → always allowed
+    - Global access (Owner/Admin) → always allowed
+    - Team member → uses team member_role if set, else falls back to org role
+    - Non-team member → denied
+
+    For org-level SAs: uses standard org permission check.
+    """
+    org = service_account.organisation
+
     if service_account.team is None:
+        # Org-level SA: standard permission check
+        if not user_has_permission(user, action, resource, org):
+            raise GraphQLError(
+                f"You don't have the permissions required to {action} {resource} in this organisation"
+            )
         return
 
-    if not user_is_team_member(user.userId, service_account.team_id):
+    # Team-owned SA
+    try:
+        org_member = OrganisationMember.objects.get(
+            user=user, organisation=org, deleted_at=None
+        )
+    except OrganisationMember.DoesNotExist:
         raise GraphQLError("You don't have access to this Service Account")
 
+    # Global access users (Owner/Admin) always allowed
+    if role_has_global_access(org_member.role):
+        return
+
+    # Team owner always allowed
+    if service_account.team.owner_id is not None and service_account.team.owner_id == org_member.id:
+        return
+
+    # Check team membership
+    if not TeamMembership.objects.filter(
+        team=service_account.team,
+        org_member=org_member,
+        team__deleted_at__isnull=True,
+    ).exists():
+        raise GraphQLError("You don't have access to this Service Account")
+
+    # Resolve effective role: team member_role if set, else org role
+    effective_role = service_account.team.member_role or org_member.role
+
+    if not role_has_permission(effective_role, action, resource):
+        raise GraphQLError(
+            f"You don't have the permissions required to {action} {resource}"
+        )
+
 
 class ServiceAccountHandlerInput(graphene.InputObjectType):
     service_account_id = graphene.ID(required=False)
@@ -70,11 +118,38 @@ def mutate(
         user = info.context.user
         org = Organisation.objects.get(id=organisation_id)
 
-        if not user_has_permission(user, "create", "ServiceAccounts", org):
-            raise GraphQLError(
-                "You don't have the permissions required to create Service Accounts in this organisation"
+        # Permission check: team-owned SAs use team member_role override
+        team = None
+        if team_id:
+            team = Team.objects.get(id=team_id, organisation=org, deleted_at__isnull=True)
+            org_member = OrganisationMember.objects.get(
+                user=user, organisation=org, deleted_at=None
             )
 
+            if not role_has_global_access(org_member.role):
+                is_team_owner = team.owner_id is not None and team.owner_id == org_member.id
+
+                if not is_team_owner:
+                    # Must be a team member
+                    if not TeamMembership.objects.filter(
+                        team=team, org_member=org_member
+                    ).exists():
+                        raise GraphQLError(
+                            "You must be a member of the team to create a team-owned Service Account"
+                        )
+
+                    # Check effective role: team member_role if set, else org role
+                    effective_role = team.member_role or org_member.role
+                    if not role_has_permission(effective_role, "create", "ServiceAccounts"):
+                        raise GraphQLError(
+                            "You don't have the permissions required to create Service Accounts"
+                        )
+        else:
+            if not user_has_permission(user, "create", "ServiceAccounts", org):
+                raise GraphQLError(
+                    "You don't have the permissions required to create Service Accounts in this organisation"
+                )
+
         if handlers is None or len(handlers) == 0:
             raise GraphQLError("At least one service account handler must be provided")
 
@@ -85,22 +160,6 @@ def mutate(
                 f"Service Accounts cannot be assigned the '{role.name}' role."
             )
 
-        # Validate team ownership if creating a team-owned SA
-        team = None
-        if team_id:
-            team = Team.objects.get(id=team_id, organisation=org, deleted_at__isnull=True)
-            org_member = OrganisationMember.objects.get(
-                user=user, organisation=org, deleted_at=None
-            )
-            # User must be a member of the team (or have global access)
-            if not role_has_global_access(org_member.role):
-                if not TeamMembership.objects.filter(
-                    team=team, org_member=org_member
-                ).exists():
-                    raise GraphQLError(
-                        "You must be a member of the team to create a team-owned Service Account"
-                    )
-
         with transaction.atomic():
             service_account = ServiceAccount.objects.create(
                 name=name,
@@ -122,10 +181,23 @@ def mutate(
 
             # Auto-add team-owned SA as a member of the team
             if team:
-                TeamMembership.objects.get_or_create(
+                membership, _ = TeamMembership.objects.get_or_create(
                     team=team, service_account=service_account
                 )
 
+                # Provision environment keys for the SA on all team apps
+                app_ids = (
+                    TeamAppEnvironment.objects.filter(team=team)
+                    .values_list("app_id", flat=True)
+                    .distinct()
+                )
+                for app_id in app_ids:
+                    app = App.objects.get(id=app_id)
+                    if app.sse_enabled:
+                        provision_team_environment_keys(
+                            team, app, members=[membership]
+                        )
+
         if settings.APP_HOST == "cloud":
             from ee.billing.stripe import update_stripe_subscription_seats
 
@@ -154,14 +226,7 @@ def mutate(
         user = info.context.user
         service_account = ServiceAccount.objects.get(id=service_account_id)
 
-        if not user_has_permission(
-            user, "update", "ServiceAccounts", service_account.organisation
-        ):
-            raise GraphQLError(
-                "You don't have the permissions required to update Service Accounts in this organisation"
-            )
-
-        _check_team_sa_access(user, service_account)
+        _check_sa_permission(user, service_account, "update", "ServiceAccounts")
 
         service_account.server_wrapped_keyring = server_wrapped_keyring
         service_account.server_wrapped_recovery = server_wrapped_recovery
@@ -183,14 +248,7 @@ def mutate(cls, root, info, service_account_id):
         user = info.context.user
         service_account = ServiceAccount.objects.get(id=service_account_id)
 
-        if not user_has_permission(
-            user, "update", "ServiceAccounts", service_account.organisation
-        ):
-            raise GraphQLError(
-                "You don't have the permissions required to update Service Accounts in this organisation"
-            )
-
-        _check_team_sa_access(user, service_account)
+        _check_sa_permission(user, service_account, "update", "ServiceAccounts")
 
         # Delete server-wrapped keys to disable server-side key management
         service_account.server_wrapped_keyring = None
@@ -216,14 +274,7 @@ def mutate(cls, root, info, service_account_id, name, role_id, identity_ids=None
         user = info.context.user
         service_account = ServiceAccount.objects.get(id=service_account_id)
 
-        if not user_has_permission(
-            user, "update", "ServiceAccounts", service_account.organisation
-        ):
-            raise GraphQLError(
-                "You don't have the permissions required to update Service Accounts in this organisation"
-            )
-
-        _check_team_sa_access(user, service_account)
+        _check_sa_permission(user, service_account, "update", "ServiceAccounts")
 
         role = Role.objects.get(id=role_id, organisation=service_account.organisation)
 
@@ -291,14 +342,7 @@ def mutate(cls, root, info, service_account_id):
         user = info.context.user
         service_account = ServiceAccount.objects.get(id=service_account_id)
 
-        if not user_has_permission(
-            user, "delete", "ServiceAccounts", service_account.organisation
-        ):
-            raise GraphQLError(
-                "You don't have the permissions required to delete Service Accounts in this organisation"
-            )
-
-        _check_team_sa_access(user, service_account)
+        _check_sa_permission(user, service_account, "delete", "ServiceAccounts")
 
         service_account.delete()
 
@@ -339,14 +383,7 @@ def mutate(
             user=user, organisation=service_account.organisation, deleted_at=None
         )
 
-        if not user_has_permission(
-            user, "create", "ServiceAccountTokens", service_account.organisation
-        ):
-            raise GraphQLError(
-                "You don't have the permissions required to create Service Tokens in this organisation"
-            )
-
-        _check_team_sa_access(user, service_account)
+        _check_sa_permission(user, service_account, "create", "ServiceAccountTokens")
 
         if expiry is not None:
             expires_at = datetime.fromtimestamp(expiry / 1000)
@@ -377,18 +414,89 @@ def mutate(cls, root, info, token_id):
         user = info.context.user
         token = ServiceAccountToken.objects.get(id=token_id)
 
-        if not user_has_permission(
-            user, "delete", "ServiceAccountTokens", token.service_account.organisation
-        ):
+        _check_sa_permission(user, token.service_account, "delete", "ServiceAccountTokens")
+
+        token.delete()
+
+        return DeleteServiceAccountTokenMutation(ok=True)
+
+
+class CreateServerSideServiceAccountTokenMutation(graphene.Mutation):
+    """Create a service account token using server-side key management.
+
+    The server decrypts the SA keyring, generates a token with key splitting,
+    and returns the full token string. Requires SSK to be enabled on the SA.
+    This allows team members who are not SA handlers to create tokens.
+    """
+
+    class Arguments:
+        service_account_id = graphene.ID(required=True)
+        name = graphene.String(required=True)
+        expiry = graphene.BigInt(required=False)
+
+    token_string = graphene.String()
+    token = graphene.Field(ServiceAccountTokenType)
+
+    @classmethod
+    def mutate(cls, root, info, service_account_id, name, expiry=None):
+        import json
+        from api.utils.crypto import (
+            get_server_keypair,
+            decrypt_asymmetric,
+            split_secret_hex,
+            wrap_share_hex,
+            random_hex,
+            ed25519_to_kx,
+        )
+
+        user = info.context.user
+        service_account = ServiceAccount.objects.get(id=service_account_id)
+        org_member = OrganisationMember.objects.get(
+            user=user, organisation=service_account.organisation, deleted_at=None
+        )
+
+        _check_sa_permission(user, service_account, "create", "ServiceAccountTokens")
+
+        if not service_account.server_wrapped_keyring:
             raise GraphQLError(
-                "You don't have the permissions required to delete Service Tokens in this organisation"
+                "Server-side key management must be enabled to create tokens this way"
             )
 
-        _check_team_sa_access(user, token.service_account)
+        # Decrypt SA keyring using server keypair
+        pk, sk = get_server_keypair()
+        keyring_json = decrypt_asymmetric(
+            service_account.server_wrapped_keyring, sk.hex(), pk.hex()
+        )
+        keyring = json.loads(keyring_json)
+        kx_pub, kx_priv = ed25519_to_kx(keyring["publicKey"], keyring["privateKey"])
 
-        token.delete()
+        # Generate token material
+        wrap_key = random_hex(32)
+        token_value = random_hex(32)
+        share_a, share_b = split_secret_hex(kx_priv)
+        wrapped_share_b = wrap_share_hex(share_b, wrap_key)
 
-        return DeleteServiceAccountTokenMutation(ok=True)
+        if expiry is not None:
+            expires_at = datetime.fromtimestamp(expiry / 1000)
+        else:
+            expires_at = None
+
+        token = ServiceAccountToken.objects.create(
+            service_account=service_account,
+            name=name,
+            identity_key=kx_pub,
+            token=token_value,
+            wrapped_key_share=wrapped_share_b,
+            created_by=org_member,
+            expires_at=expires_at,
+        )
+
+        full_token = f"pss_service:v2:{token_value}:{kx_pub}:{share_a}:{wrap_key}"
+
+        return CreateServerSideServiceAccountTokenMutation(
+            token_string=full_token,
+            token=token,
+        )
 
 
 class UpdateServiceAccountOwnershipMutation(graphene.Mutation):
diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index b6b24d8a5..3f9b5f0c4 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -288,7 +288,7 @@ def mutate(cls, root, info, team_id, member_ids, member_type=MemberType.USER):
 
         _check_team_membership(user, team)
 
-        if team.is_scim_managed:
+        if team.is_scim_managed and member_type == MemberType.USER:
             raise GraphQLError(
                 "This team is managed by SCIM. Members cannot be manually added."
             )
@@ -354,7 +354,7 @@ def mutate(cls, root, info, team_id, member_id, member_type=MemberType.USER):
 
         _check_team_membership(user, team)
 
-        if team.is_scim_managed:
+        if team.is_scim_managed and member_type == MemberType.USER:
             raise GraphQLError(
                 "This team is managed by SCIM. Members cannot be manually removed."
             )
diff --git a/backend/backend/graphene/queries/service_accounts.py b/backend/backend/graphene/queries/service_accounts.py
index d8fd778a9..ba7466915 100644
--- a/backend/backend/graphene/queries/service_accounts.py
+++ b/backend/backend/graphene/queries/service_accounts.py
@@ -12,8 +12,32 @@
 
 def resolve_service_accounts(root, info, org_id, service_account_id=None):
     org = Organisation.objects.get(id=org_id)
-    if user_has_permission(info.context.user.userId, "read", "ServiceAccounts", org):
 
+    has_org_permission = user_has_permission(info.context.user.userId, "read", "ServiceAccounts", org)
+
+    # Team-based access: if requesting a specific SA, allow access if user shares a team with it
+    has_team_access = False
+    if not has_org_permission and service_account_id is not None:
+        try:
+            org_member = OrganisationMember.objects.get(
+                user=info.context.user, organisation=org, deleted_at=None
+            )
+            user_team_ids = TeamMembership.objects.filter(
+                org_member=org_member,
+                team__deleted_at__isnull=True,
+            ).values_list("team_id", flat=True)
+            has_team_access = ServiceAccount.objects.filter(
+                id=service_account_id,
+                deleted_at=None,
+                team_id__in=user_team_ids,
+            ).exists() or TeamMembership.objects.filter(
+                service_account_id=service_account_id,
+                team_id__in=user_team_ids,
+            ).exists()
+        except OrganisationMember.DoesNotExist:
+            pass
+
+    if has_org_permission or has_team_access:
         filter = {"organisation": org, "deleted_at": None}
 
         if service_account_id is not None:
@@ -21,7 +45,7 @@ def resolve_service_accounts(root, info, org_id, service_account_id=None):
 
         qs = ServiceAccount.objects.filter(**filter)
 
-        # Team-owned SAs: only visible to team members + global_access users
+        # Non-global-access users: scope to org-level SAs + SAs in their teams
         org_member = OrganisationMember.objects.get(
             user=info.context.user, organisation=org, deleted_at=None
         )
@@ -30,7 +54,15 @@ def resolve_service_accounts(root, info, org_id, service_account_id=None):
                 org_member=org_member,
                 team__deleted_at__isnull=True,
             ).values_list("team_id", flat=True)
-            qs = qs.filter(Q(team__isnull=True) | Q(team_id__in=user_team_ids))
+            if has_org_permission:
+                # Org permission: see org-level + team-scoped SAs in user's teams
+                qs = qs.filter(Q(team__isnull=True) | Q(team_id__in=user_team_ids))
+            else:
+                # Team access only: only see SAs that are in shared teams
+                qs = qs.filter(
+                    Q(team_id__in=user_team_ids) |
+                    Q(team_memberships__team_id__in=user_team_ids)
+                ).distinct()
 
         return qs
 
diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index d4af74876..00c6c76f5 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -1217,9 +1217,9 @@ def resolve_members(self, info):
         return self.memberships.select_related(
             "org_member__user", "service_account"
         ).exclude(
-            org_member__deleted_at__isnull=False,
+            org_member__isnull=False, org_member__deleted_at__isnull=False,
         ).exclude(
-            service_account__deleted_at__isnull=False,
+            service_account__isnull=False, service_account__deleted_at__isnull=False,
         )
 
     def resolve_apps(self, info):
@@ -1233,9 +1233,9 @@ def resolve_app_environments(self, info):
 
     def resolve_member_count(self, info):
         return self.memberships.exclude(
-            org_member__deleted_at__isnull=False,
+            org_member__isnull=False, org_member__deleted_at__isnull=False,
         ).exclude(
-            service_account__deleted_at__isnull=False,
+            service_account__isnull=False, service_account__deleted_at__isnull=False,
         ).count()
 
 
diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 025f278ca..ac5c85d77 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -28,6 +28,7 @@
 from backend.graphene.mutations.service_accounts import (
     CreateServiceAccountMutation,
     CreateServiceAccountTokenMutation,
+    CreateServerSideServiceAccountTokenMutation,
     DeleteServiceAccountMutation,
     DeleteServiceAccountTokenMutation,
     EnableServiceAccountClientSideKeyManagementMutation,
@@ -1234,6 +1235,7 @@ class Mutation(graphene.ObjectType):
     update_service_account = UpdateServiceAccountMutation.Field()
     delete_service_account = DeleteServiceAccountMutation.Field()
     create_service_account_token = CreateServiceAccountTokenMutation.Field()
+    create_server_side_service_account_token = CreateServerSideServiceAccountTokenMutation.Field()
     delete_service_account_token = DeleteServiceAccountTokenMutation.Field()
     update_service_account_ownership = UpdateServiceAccountOwnershipMutation.Field()
 
diff --git a/backend/ee/authentication/scim/filters.py b/backend/ee/authentication/scim/filters.py
index 549dbe145..c4a3a6a8c 100644
--- a/backend/ee/authentication/scim/filters.py
+++ b/backend/ee/authentication/scim/filters.py
@@ -48,12 +48,12 @@ def parse_patch_path_filter(path):
     "username": "email__iexact",
     "externalid": "external_id",
     "emails.value": "email__iexact",
-    "displayname": "display_name__icontains",
+    "displayname": "display_name__iexact",
 }
 
 # Maps SCIM group attribute names to Django ORM lookups
 SCIM_GROUP_ATTR_MAP = {
-    "displayname": "display_name__icontains",
+    "displayname": "display_name__iexact",
     "externalid": "external_id",
 }
 

From 529ddda0f08f02fa925bf8e6148c03be44a724a9 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 15 Apr 2026 15:44:01 +0530
Subject: [PATCH 069/118] fix: SA auth error handling, soft-delete filter, and
 union permission semantics

---
 backend/api/auth.py                     | 20 +++++++-----------
 backend/api/utils/access/permissions.py | 27 ++++++++++++++-----------
 2 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/backend/api/auth.py b/backend/api/auth.py
index 190d9308f..c14e863d3 100644
--- a/backend/api/auth.py
+++ b/backend/api/auth.py
@@ -164,24 +164,18 @@ def authenticate(self, request):
                     raise exceptions.AuthenticationFailed(
                         "Service account cannot access this environment"
                     )
+            except (exceptions.AuthenticationFailed, exceptions.NotFound):
+                raise  # Let DRF exceptions propagate with their specific messages
             except Exception as ex:
-                # Distinguish between ServiceAccount not found and other potential errors
+                logger.debug(f"ServiceAccount authentication error: {ex}")
+                # Distinguish between ServiceAccount not found and other errors
                 ServiceAccount = apps.get_model("api", "ServiceAccount")
                 try:
-                    # Attempt to get the service account again to confirm if it exists
                     get_service_account_from_token(auth_token)
-                    # If it exists, the error was likely the environment access check
-                    raise exceptions.AuthenticationFailed(
-                        "Service account cannot access this environment"
-                    )
                 except ServiceAccount.DoesNotExist:
                     raise exceptions.NotFound("Service account not found")
-                except (
-                    Exception
-                ) as ex:  # Catch any other unexpected error during the re-check
-                    logger.debug(f"Authentication error: {ex}")
-                    raise exceptions.AuthenticationFailed(
-                        f"Authentication error. Please check your authentication token or App / Environment access."
-                    )
+                raise exceptions.AuthenticationFailed(
+                    "Authentication error. Please check your authentication token or App / Environment access."
+                )
 
         return (user, auth)
diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index 7cd1e000c..47471c22f 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -66,7 +66,9 @@ def service_account_can_access_environment(account_id, env_id):
         organisation=env.app.organisation, id=account_id, deleted_at=None
     )
     return EnvironmentKey.objects.filter(
-        service_account=service_account, environment_id=env_id
+        service_account=service_account,
+        environment_id=env_id,
+        deleted_at__isnull=True,
     ).exists()
 
 
@@ -123,10 +125,10 @@ def _check_app_permission(account, action, resource, app, is_service_account=Fal
     """
     Check app-level permission considering both individual and team access.
 
-    - Individual access: uses org role's app_permissions
-    - Team access: uses team role's app_permissions (override model)
-    - Multiple teams: union — if ANY team role grants the permission, allow it
-    - Team role is null: uses org role (team is purely an access group)
+    Union semantics: if ANY access grant (individual or team) permits the
+    action, the user is allowed.  Individual access uses the org role;
+    each team uses its role override (or falls back to the org role when
+    no override is set).
     """
     Team = apps.get_model("api", "Team")
 
@@ -141,9 +143,10 @@ def _check_app_permission(account, action, resource, app, is_service_account=Fal
         role_field = "member_role"
         membership_filter = {"memberships__org_member": account}
 
-    # Individual access → org role, no team override
+    # Individual access → check org role (one grant in the union)
     if has_individual:
-        return role_has_permission(org_role, action, resource, is_app_resource=True)
+        if role_has_permission(org_role, action, resource, is_app_resource=True):
+            return True
 
     # Team access — find all teams granting access to this app
     teams = Team.objects.filter(
@@ -152,20 +155,20 @@ def _check_app_permission(account, action, resource, app, is_service_account=Fal
         **membership_filter,
     ).distinct()
 
-    if not teams.exists():
-        return False  # No access
-
-    # Union: if ANY team role grants this permission, allow it
     for team in teams:
         team_role = getattr(team, role_field)
         if team_role is None:
-            # No team role → use org role (most permissive possible)
+            # No team role → use org role
             if role_has_permission(org_role, action, resource, is_app_resource=True):
                 return True
         else:
             if role_has_permission(team_role, action, resource, is_app_resource=True):
                 return True
 
+    # Must have at least one access grant to reach here with a chance of True
+    if not has_individual and not teams.exists():
+        return False
+
     return False
 
 

From 761491dc832622eaa12e0e43b428a455ee1a40c0 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 15 Apr 2026 15:44:29 +0530
Subject: [PATCH 070/118] feat: effective permissions and server-side token
 generation for team SAs

---
 .../CreateServiceAccountTokenDialog.tsx       | 141 ++++++++++++------
 .../DeleteServiceAccountTokenDialog.tsx       |   7 +-
 .../_components/ServiceAccountTokens.tsx      |  26 +++-
 .../service-accounts/[account]/page.tsx       | 132 ++++++++--------
 .../service-accounts/KeyManagementDialog.tsx  |   7 +-
 .../createServerSideServiceAccountToken.gql   |  16 ++
 .../getServiceAccountDetail.gql               |  13 ++
 7 files changed, 210 insertions(+), 132 deletions(-)
 create mode 100644 frontend/graphql/mutations/service-accounts/createServerSideServiceAccountToken.gql

diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/CreateServiceAccountTokenDialog.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/CreateServiceAccountTokenDialog.tsx
index 05ad682e6..96972b929 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/CreateServiceAccountTokenDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/CreateServiceAccountTokenDialog.tsx
@@ -11,6 +11,7 @@ import { forwardRef, Fragment, useContext, useImperativeHandle, useRef, useState
 import { FaCheckCircle, FaCircle, FaExternalLinkSquareAlt, FaPlus } from 'react-icons/fa'
 import { GetServiceAccountTokens } from '@/graphql/queries/service-accounts/getServiceAccountTokens.gql'
 import { CreateSAToken } from '@/graphql/mutations/service-accounts/createServiceAccountToken.gql'
+import { CreateServerSideSAToken } from '@/graphql/mutations/service-accounts/createServerSideServiceAccountToken.gql'
 import { organisationContext } from '@/contexts/organisationContext'
 import {
   getUserKxPublicKey,
@@ -35,17 +36,18 @@ const CreateServiceAccountTokenDialog = forwardRef(
   (
     {
       serviceAccount,
+      effectivePermissions,
     }: {
       serviceAccount: ServiceAccountType
+      effectivePermissions?: string | null
     },
     ref
   ) => {
     const { activeOrganisation: organisation } = useContext(organisationContext)
     const { keyring } = useContext(KeyringContext)
 
-    const userCanCreateTokens = organisation
-      ? userHasPermission(organisation.role?.permissions, 'ServiceAccountTokens', 'create')
-      : false
+    const perms = effectivePermissions ?? organisation?.role?.permissions
+    const userCanCreateTokens = userHasPermission(perms, 'ServiceAccountTokens', 'create')
 
     const serviceAccountHandler = serviceAccount.handlers?.find(
       (handler) => handler?.user.self === true
@@ -61,6 +63,7 @@ const CreateServiceAccountTokenDialog = forwardRef(
     const [createPending, setCreatePending] = useState(false)
 
     const [createToken] = useMutation(CreateSAToken)
+    const [createServerSideToken] = useMutation(CreateServerSideSAToken)
 
     const reset = () => {
       setName('')
@@ -78,6 +81,9 @@ const CreateServiceAccountTokenDialog = forwardRef(
       openModal,
     }))
 
+    const canUseClientSide = !!serviceAccountHandler && !!keyring
+    const canUseServerSide = serviceAccount.serverSideKeyManagementEnabled === true
+
     const handleCreateNewSAToken = async (event: { preventDefault: () => void }) => {
       return new Promise<boolean>(async (resolve, reject) => {
         event.preventDefault()
@@ -85,58 +91,99 @@ const CreateServiceAccountTokenDialog = forwardRef(
         if (name.length === 0) {
           toast.error('You must enter a name for the token')
           reject()
+          return
         }
 
-        if (serviceAccountHandler && keyring) {
-          setCreatePending(true)
-          const wrappedKeyring = serviceAccountHandler.wrappedKeyring
-
-          const userKxKeys = {
-            publicKey: await getUserKxPublicKey(keyring.publicKey),
-            privateKey: await getUserKxPrivateKey(keyring.privateKey),
-          }
-
-          const serviceAccountKeyringString = await decryptAsymmetric(
-            wrappedKeyring,
-            userKxKeys.privateKey,
-            userKxKeys.publicKey
-          )
-
-          const serviceAccountKeys = JSON.parse(serviceAccountKeyringString) as OrganisationKeyring
-
-          const saKxKeys = {
-            publicKey: await getUserKxPublicKey(serviceAccountKeys.publicKey),
-            privateKey: await getUserKxPrivateKey(serviceAccountKeys.privateKey),
-          }
-
-          const { pssService, mutationPayload } = await generateSAToken(
-            serviceAccount.id,
-            saKxKeys,
-            name,
-            expiry.getExpiry()
-          )
-
-          await createToken({
-            variables: mutationPayload,
-            refetchQueries: [
-              {
-                query: GetServiceAccountTokens,
-                variables: {
-                  orgId: organisation!.id,
-                  id: serviceAccount.id,
+        setCreatePending(true)
+
+        try {
+          if (canUseClientSide) {
+            // Client-side token generation: user is a handler and has the keyring
+            const wrappedKeyring = serviceAccountHandler!.wrappedKeyring
+
+            const userKxKeys = {
+              publicKey: await getUserKxPublicKey(keyring!.publicKey),
+              privateKey: await getUserKxPrivateKey(keyring!.privateKey),
+            }
+
+            const serviceAccountKeyringString = await decryptAsymmetric(
+              wrappedKeyring,
+              userKxKeys.privateKey,
+              userKxKeys.publicKey
+            )
+
+            const serviceAccountKeys = JSON.parse(
+              serviceAccountKeyringString
+            ) as OrganisationKeyring
+
+            const saKxKeys = {
+              publicKey: await getUserKxPublicKey(serviceAccountKeys.publicKey),
+              privateKey: await getUserKxPrivateKey(serviceAccountKeys.privateKey),
+            }
+
+            const { pssService, mutationPayload } = await generateSAToken(
+              serviceAccount.id,
+              saKxKeys,
+              name,
+              expiry.getExpiry()
+            )
+
+            await createToken({
+              variables: mutationPayload,
+              refetchQueries: [
+                {
+                  query: GetServiceAccountTokens,
+                  variables: {
+                    orgId: organisation!.id,
+                    id: serviceAccount.id,
+                  },
                 },
+              ],
+            })
+
+            setCliSAToken(pssService)
+            setApiSAToken(`ServiceAccount ${mutationPayload.token}`)
+          } else if (canUseServerSide) {
+            // Server-side token generation: SA has SSK enabled (e.g. team-owned SA)
+            const result = await createServerSideToken({
+              variables: {
+                serviceAccountId: serviceAccount.id,
+                name,
+                expiry: expiry.getExpiry(),
               },
-            ],
-          })
+              refetchQueries: [
+                {
+                  query: GetServiceAccountTokens,
+                  variables: {
+                    orgId: organisation!.id,
+                    id: serviceAccount.id,
+                  },
+                },
+              ],
+            })
+
+            const tokenString =
+              result.data.createServerSideServiceAccountToken.tokenString
+            const tokenValue = tokenString.split(':')[2]
+
+            setCliSAToken(tokenString)
+            setApiSAToken(`ServiceAccount ${tokenValue}`)
+          } else {
+            toast.error(
+              'Cannot create token: you are not a handler for this service account and server-side key management is not enabled.'
+            )
+            setCreatePending(false)
+            reject()
+            return
+          }
 
-          setCliSAToken(pssService)
-          setApiSAToken(`ServiceAccount ${mutationPayload.token}`)
           setCreatePending(false)
           toast.success('Created new service account token!')
           resolve(true)
-        } else {
-          console.log('keyring unavailable')
-          reject()
+        } catch (error) {
+          setCreatePending(false)
+          toast.error('Failed to create token')
+          reject(error)
         }
       })
     }
diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/DeleteServiceAccountTokenDialog.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/DeleteServiceAccountTokenDialog.tsx
index 248668e9e..4af031d90 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/DeleteServiceAccountTokenDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/DeleteServiceAccountTokenDialog.tsx
@@ -14,15 +14,16 @@ import { userHasPermission } from '@/utils/access/permissions'
 export const DeleteServiceAccountTokenDialog = ({
   token,
   serviceAccountId,
+  effectivePermissions,
 }: {
   token: ServiceAccountTokenType
   serviceAccountId: string
+  effectivePermissions?: string | null
 }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const userCanDeleteTokens = organisation
-    ? userHasPermission(organisation.role?.permissions, 'ServiceAccountTokens', 'delete')
-    : false
+  const perms = effectivePermissions ?? organisation?.role?.permissions
+  const userCanDeleteTokens = userHasPermission(perms, 'ServiceAccountTokens', 'delete')
 
   const dialogRef = useRef<{ closeModal: () => void }>(null)
 
diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx
index b08c01021..b5af4361d 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx
@@ -15,12 +15,18 @@ import { GetServiceAccountTokens } from '@/graphql/queries/service-accounts/getS
 import { useQuery } from '@apollo/client'
 import Spinner from '@/components/common/Spinner'
 
-export const ServiceAccountTokens = ({ account }: { account: ServiceAccountType }) => {
+export const ServiceAccountTokens = ({
+  account,
+  effectivePermissions,
+}: {
+  account: ServiceAccountType
+  effectivePermissions: string | null
+}) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
-  const userCanReadTokens = organisation
-    ? userHasPermission(organisation.role?.permissions, 'ServiceAccountTokens', 'read')
-    : false
+  // Use effective permissions (team role override) if provided, otherwise fall back to org role
+  const perms = effectivePermissions ?? organisation?.role?.permissions
+  const userCanReadTokens = userHasPermission(perms, 'ServiceAccountTokens', 'read')
 
   const tokenDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
 
@@ -41,7 +47,11 @@ export const ServiceAccountTokens = ({ account }: { account: ServiceAccountType
         <div className="text-neutral-500 text-sm">Manage access tokens for this Service Account</div>
       </div>
 
-      <CreateServiceAccountTokenDialog serviceAccount={account} ref={tokenDialogRef} />
+      <CreateServiceAccountTokenDialog
+        serviceAccount={account}
+        ref={tokenDialogRef}
+        effectivePermissions={effectivePermissions}
+      />
 
       {tokens?.length! > 0 && (
         <div className="flex items-center justify-end">
@@ -142,7 +152,11 @@ export const ServiceAccountTokens = ({ account }: { account: ServiceAccountType
 
                   {/* Delete Button*/}
                   <div className="md:col-span-1 flex justify-end opacity-0 group-hover:opacity-100 transition ease">
-                    <DeleteServiceAccountTokenDialog token={token!} serviceAccountId={account.id} />
+                    <DeleteServiceAccountTokenDialog
+                      token={token!}
+                      serviceAccountId={account.id}
+                      effectivePermissions={effectivePermissions}
+                    />
                   </div>
                 </div>
               )
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index dfbb700fc..f7070838f 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -52,26 +52,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
   const [savingOwnership, setSavingOwnership] = useState(false)
   const ownershipDialogRef = useRef<{ closeModal: () => void }>(null)
 
-  const userCanReadSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read')
-    : false
-
-  const userCanReadAppMemberships = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'read', true)
-    : false
-
-  const userCanViewNetworkAccess = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'NetworkAccessPolicies', 'read')
-    : false
-
-  const userCanUpdateSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'update')
-    : false
-
-  const userCanDeleteSA = organisation
-    ? userHasPermission(organisation?.role?.permissions, 'ServiceAccounts', 'delete')
-    : false
-
+  // Org-level permissions (always use org role, not overridden by team)
   const userCanReadTeams = organisation
     ? userHasPermission(organisation.role!.permissions, 'Teams', 'read')
     : false
@@ -80,9 +61,14 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     ? userHasGlobalAccess(organisation.role!.permissions)
     : false
 
+  const userCanViewNetworkAccess = organisation
+    ? userHasPermission(organisation?.role?.permissions, 'NetworkAccessPolicies', 'read')
+    : false
+
+  // Always attempt the query — backend will return data if user has team-based access
   const { data, loading } = useQuery(GetServiceAccountDetail, {
     variables: { orgId: organisation?.id, id: params.account },
-    skip: !organisation || !userCanReadSA,
+    skip: !organisation,
     fetchPolicy: 'cache-and-network',
   })
 
@@ -97,6 +83,37 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
   const account: ServiceAccountType = data?.serviceAccounts[0]
   const isTeamOwned = !!account?.team
 
+  // Team membership and ownership (from SA query's team data — no GetTeams dependency)
+  const isTeamOwner = isTeamOwned && account?.team?.owner?.id === organisation?.memberId
+  const isTeamMember =
+    isTeamOwned &&
+    (account?.team?.members?.some((m) => m.orgMember?.id === organisation?.memberId) ?? false)
+
+  // Effective permissions for SA-related checks.
+  // For team-owned SAs: team memberRole if set, else org role.
+  // For org-level SAs: org role.
+  // Team owner bypasses all permission checks via isTeamOwner.
+  const effectivePermissions = useMemo(() => {
+    if (!organisation?.role?.permissions) return null
+    if (!isTeamOwned || !account?.team) return organisation.role!.permissions
+    if (isTeamMember && account.team.memberRole?.permissions) {
+      return account.team.memberRole.permissions
+    }
+    return organisation.role!.permissions
+  }, [organisation, isTeamOwned, isTeamMember, account])
+
+  // Whether user has basic access to this team-owned SA
+  const hasTeamAccess = !isTeamOwned || isTeamOwner || isTeamMember || userIsGlobalAccess
+
+  // SA-related permissions (team role override applies, team owner gets full access)
+  const effectiveCanUpdateSA =
+    isTeamOwner || userHasPermission(effectivePermissions, 'ServiceAccounts', 'update')
+  const effectiveCanDeleteSA =
+    isTeamOwner || userHasPermission(effectivePermissions, 'ServiceAccounts', 'delete')
+  const effectiveCanReadAppMemberships =
+    isTeamOwner || userHasPermission(effectivePermissions, 'ServiceAccounts', 'read', true)
+
+  // Teams this SA belongs to (for the teams section list)
   const accountTeams = useMemo(() => {
     if (!teamsData?.teams || !account) return []
     return (teamsData.teams as TeamType[]).filter((team) =>
@@ -106,21 +123,10 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
 
   const isMultiTeamOrg = !isTeamOwned && accountTeams.length > 1
 
-  // Ownership can be changed by global_access users, or the creator of the owning team
-  const ownerTeam = useMemo(() => {
-    if (!account?.team || !teamsData?.teams) return null
-    return (teamsData.teams as TeamType[]).find((t) => t.id === account.team?.id) || null
-  }, [teamsData, account])
-
-  const userCanManageOwnership = useMemo(() => {
-    if (userIsGlobalAccess) return true
-    if (ownerTeam?.owner?.id && organisation?.memberId) {
-      return ownerTeam.owner.id === organisation.memberId
-    }
-    return false
-  }, [userIsGlobalAccess, ownerTeam, organisation])
+  // Ownership management: global access or team owner
+  const userCanManageOwnership = userIsGlobalAccess || isTeamOwner
 
-  // Non global-access users only see teams they're a member of
+  // Non global-access users only see teams they're a member of (for ownership dialog)
   const availableTeams = useMemo(() => {
     if (!teamsData?.teams) return []
     const allTeams = teamsData.teams as TeamType[]
@@ -130,18 +136,11 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     )
   }, [teamsData, userIsGlobalAccess, organisation])
 
-  // For team-owned SAs, only team members + global_access can manage
-  const userCanManageTeamSA = useMemo(() => {
-    if (!isTeamOwned) return true // org-level SAs use existing permission checks
-    if (userIsGlobalAccess) return true
-    return ownerTeam?.members?.some((m) => m.orgMember?.id === organisation?.memberId) ?? false
-  }, [isTeamOwned, userIsGlobalAccess, ownerTeam, organisation])
-
   const nameUpdated = account ? account.name !== name : false
 
   const updateName = async () => {
-    if (!userCanUpdateSA) {
-      toast.error("You don't have the permissions requried to update Service Accounts")
+    if (!effectiveCanUpdateSA) {
+      toast.error("You don't have the permissions required to update Service Accounts")
     }
     await updateAccount({
       variables: {
@@ -194,23 +193,6 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     if (account) setName(account.name)
   }, [account])
 
-  if (!userCanReadSA)
-    return (
-      <section>
-        <EmptyState
-          title="Access restricted"
-          subtitle="You don't have the permissions required to view service accounts in this organisation."
-          graphic={
-            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
-              <FaBan />
-            </div>
-          }
-        >
-          <></>
-        </EmptyState>
-      </section>
-    )
-
   if (loading)
     return (
       <div>
@@ -255,7 +237,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                   className="custom bg-transparent hover:bg-neutral-500/10 rounded-lg transition ease w-full text-base font-medium"
                   value={name}
                   onChange={(e) => setName(e.target.value)}
-                  readOnly={!userCanUpdateSA}
+                  readOnly={!effectiveCanUpdateSA}
                   maxLength={64}
                 />
                 {nameUpdated ? (
@@ -312,8 +294,12 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             <span className="font-medium text-sm text-zinc-900 dark:text-zinc-100">
               {account.serverSideKeyManagementEnabled ? 'Server-side' : 'Client-side'} KMS
             </span>
-            {userCanUpdateSA && userCanManageTeamSA && (
-              <KeyManagementDialog serviceAccount={account} buttonVariant={'secondary'} />
+            {effectiveCanUpdateSA && hasTeamAccess && (
+              <KeyManagementDialog
+                serviceAccount={account}
+                buttonVariant={'secondary'}
+                effectivePermissions={effectivePermissions}
+              />
             )}
           </div>
         </div>
@@ -330,7 +316,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             <div className="text-sm w-max flex items-center gap-2">
               <ServiceAccountRoleSelector
                 account={account}
-                displayOnly={!userCanUpdateSA || isTeamOwned}
+                displayOnly={!effectiveCanUpdateSA || isTeamOwned}
               />
               {isTeamOwned && <span className="text-2xs text-neutral-500">(managed by team)</span>}
             </div>
@@ -556,7 +542,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                 )}
               </div>
             </div>
-            {!isTeamOwned && userCanReadAppMemberships && account.appMemberships?.length! > 0 && (
+            {!isTeamOwned && effectiveCanReadAppMemberships && account.appMemberships?.length! > 0 && (
               <AddAppButton
                 serviceAccountId={params.account}
                 appMemberships={account.appMemberships ?? []}
@@ -564,7 +550,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             )}
           </div>
 
-          {userCanReadAppMemberships ? (
+          {effectiveCanReadAppMemberships ? (
             <div className="space-y-2 divide-y divide-neutral-500/20 py-4">
               {account.appMemberships && account.appMemberships.length > 0 ? (
                 account.appMemberships.map((appMembership) => (
@@ -630,7 +616,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                       </div>
                     }
                   >
-                    {!isTeamOwned && userCanReadAppMemberships && (
+                    {!isTeamOwned && effectiveCanReadAppMemberships && (
                       <AddAppButton
                         serviceAccountId={params.account}
                         appMemberships={account.appMemberships ?? []}
@@ -669,12 +655,12 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                   Manage the network access policy for this Account
                 </div>
               </div>
-              {userCanManageTeamSA && account.networkPolicies?.length! > 0 && (
+              {hasTeamAccess && account.networkPolicies?.length! > 0 && (
                 <UpdateAccountNetworkPolicies account={account} />
               )}
             </div>
 
-            {!userCanManageTeamSA ? (
+            {!hasTeamAccess ? (
               <div className="py-6 text-center text-neutral-500 text-sm">
                 You must be a member of the{' '}
                 <Link
@@ -726,8 +712,8 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           </div>
         )}
 
-        {userCanManageTeamSA ? (
-          <ServiceAccountTokens account={account} />
+        {hasTeamAccess ? (
+          <ServiceAccountTokens account={account} effectivePermissions={effectivePermissions} />
         ) : (
           <div className="py-4 space-y-3">
             <div>
@@ -747,7 +733,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           </div>
         )}
 
-        {userCanDeleteSA && userCanManageTeamSA && (
+        {effectiveCanDeleteSA && hasTeamAccess && (
           <div className="space-y-2 py-4">
             <div>
               <div className="text-base font-medium">Danger Zone</div>
diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index c40c415cb..039ee893f 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -25,11 +25,13 @@ import GenericDialog from '../common/GenericDialog'
 interface KeyManagementDialogProps {
   serviceAccount: ServiceAccountType
   buttonVariant?: ButtonVariant
+  effectivePermissions?: string | null
 }
 
 export const KeyManagementDialog = ({
   serviceAccount,
   buttonVariant = 'primary',
+  effectivePermissions,
 }: KeyManagementDialogProps) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
   const { keyring } = useContext(KeyringContext)
@@ -40,9 +42,8 @@ export const KeyManagementDialog = ({
   const [enableSSE, { loading: enableLoading }] = useMutation(EnableServerSide)
   const [disableSSE, { loading: disableLoading }] = useMutation(EnableClientSide)
 
-  const userCanManageKeys = organisation
-    ? userHasPermission(organisation.role?.permissions, 'ServiceAccounts', 'update')
-    : false
+  const perms = effectivePermissions ?? organisation?.role?.permissions
+  const userCanManageKeys = userHasPermission(perms, 'ServiceAccounts', 'update')
 
   const [selectedMode, setSelectedMode] = useState<'client' | 'server'>(
     serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client'
diff --git a/frontend/graphql/mutations/service-accounts/createServerSideServiceAccountToken.gql b/frontend/graphql/mutations/service-accounts/createServerSideServiceAccountToken.gql
new file mode 100644
index 000000000..4683ddb45
--- /dev/null
+++ b/frontend/graphql/mutations/service-accounts/createServerSideServiceAccountToken.gql
@@ -0,0 +1,16 @@
+mutation CreateServerSideSAToken(
+  $serviceAccountId: ID!
+  $name: String!
+  $expiry: BigInt
+) {
+  createServerSideServiceAccountToken(
+    serviceAccountId: $serviceAccountId
+    name: $name
+    expiry: $expiry
+  ) {
+    tokenString
+    token {
+      id
+    }
+  }
+}
diff --git a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
index b5a865cf9..56d00ac4f 100644
--- a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
+++ b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
@@ -38,6 +38,19 @@ query GetServiceAccountDetail($orgId: ID!, $id: ID) {
     team {
       id
       name
+      memberRole {
+        id
+        name
+        permissions
+      }
+      owner {
+        id
+      }
+      members {
+        orgMember {
+          id
+        }
+      }
     }
     identities { id provider name description }
   }

From 6e68b0835fccb76c8b9f3a4e8b4cf7d311157865 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 15 Apr 2026 15:44:44 +0530
Subject: [PATCH 071/118] fix: refetch team data on SA create and delete

---
 .../CreateServiceAccountDialog.tsx            | 14 ++++++--
 .../DeleteServiceAccountDialog.tsx            | 34 +++++++++++++++----
 .../app/[team]/access/teams/[teamId]/page.tsx |  6 ++--
 .../teams/_components/CreateTeamDialog.tsx    |  2 +-
 4 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
index d6df64e6e..2015c4d82 100644
--- a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
@@ -4,6 +4,7 @@ import { Alert } from '@/components/common/Alert'
 import { Fragment, useContext, useEffect, useRef, useState } from 'react'
 import { FaChevronDown, FaPlus, FaUsersCog } from 'react-icons/fa'
 import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServiceAccounts.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { GetServiceAccountHandlers } from '@/graphql/queries/service-accounts/getServiceAccountHandlers.gql'
 import { GetRoles } from '@/graphql/queries/organisation/getRoles.gql'
 import { GetServerKey } from '@/graphql/queries/syncing/getServerKey.gql'
@@ -104,9 +105,10 @@ export const CreateServiceAccountDialog = ({
         const accountSeed = await organisationSeed(mnemonic, organisation!.id)
         const keyring = await organisationKeyring(accountSeed)
 
-        // Wrap keys for server if required
+        // Wrap keys for server if required.
+        // Team-owned SAs always enable SSK so all team members can generate tokens server-side.
         let serverKeys = undefined
-        if (thirdParty) {
+        if (thirdParty || isTeamContext) {
           const serverKey = serverKeyData.serverPublicKey
 
           const serverEncryptedKeyring = await encryptAsymmetric(JSON.stringify(keyring), serverKey)
@@ -151,6 +153,14 @@ export const CreateServiceAccountDialog = ({
               query: GetServiceAccounts,
               variables: { orgId: organisation!.id },
             },
+            ...(teamId
+              ? [
+                  {
+                    query: GetTeams,
+                    variables: { organisationId: organisation!.id, teamId },
+                  },
+                ]
+              : []),
           ],
         })
 
diff --git a/frontend/app/[team]/access/service-accounts/_components/DeleteServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/DeleteServiceAccountDialog.tsx
index 6f761d41f..38ce9ee75 100644
--- a/frontend/app/[team]/access/service-accounts/_components/DeleteServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/DeleteServiceAccountDialog.tsx
@@ -1,6 +1,7 @@
 import { FaTrash, FaTrashAlt } from 'react-icons/fa'
 import { DeleteServiceAccountOp } from '@/graphql/mutations/service-accounts/deleteServiceAccount.gql'
 import { GetServiceAccounts } from '@/graphql/queries/service-accounts/getServiceAccounts.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { useMutation } from '@apollo/client'
 import { toast } from 'react-toastify'
 import { useContext, useRef } from 'react'
@@ -10,31 +11,50 @@ import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
 import { useRouter } from 'next/navigation'
 
-export const DeleteServiceAccountDialog = ({ account }: { account: ServiceAccountType }) => {
+export const DeleteServiceAccountDialog = ({
+  account,
+  onDelete,
+}: {
+  account: ServiceAccountType
+  onDelete?: () => void
+}) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   const dialogRef = useRef<{ closeModal: () => void }>(null)
 
   const [deleteAccount, { loading }] = useMutation(DeleteServiceAccountOp)
 
+  const router = useRouter()
+
   const handleDelete = async () => {
+    const refetchQueries: any[] = [
+      { query: GetServiceAccounts, variables: { orgId: organisation!.id } },
+    ]
+
+    if (account.team?.id) {
+      refetchQueries.push({
+        query: GetTeams,
+        variables: { organisationId: organisation!.id, teamId: account.team.id },
+      })
+    }
+
     const deleted = await deleteAccount({
       variables: { id: account.id },
-      refetchQueries: [{ query: GetServiceAccounts, variables: { orgId: organisation!.id } }],
+      refetchQueries,
     })
     if (deleted.data.deleteServiceAccount.ok) {
       toast.success('Deleted service account!')
       if (dialogRef.current) {
         dialogRef.current.closeModal()
       }
-      handleRedirect()
+      if (onDelete) {
+        onDelete()
+      } else {
+        router.push(`/${organisation?.name}/access/service-accounts`)
+      }
     }
   }
 
-  const router = useRouter()
-
-  const handleRedirect = () => router.push(`/${organisation?.name}/access/service-accounts`)
-
   return (
     <GenericDialog
       title={`Delete ${account.name}`}
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index 10e17eb73..d6b3b7d51 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -293,7 +293,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
               </div>
             </div>
             <div className="flex items-center gap-2">
-              {canUpdateTeam && !team.isScimManaged && (
+              {canUpdateTeam && (
                 <AddTeamMembersDialog teamId={team.id} existingMembers={team.members || []} mode="service-accounts" buttonVariant="secondary" />
               )}
               {canCreateSA && (
@@ -354,10 +354,10 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                         </Link>
                         {isTeamOwned ? (
                           canUpdateTeam && (
-                            <DeleteServiceAccountDialog account={sa} />
+                            <DeleteServiceAccountDialog account={sa} onDelete={() => {}} />
                           )
                         ) : (
-                          canUpdateTeam && !team.isScimManaged && (
+                          canUpdateTeam && (
                             <RemoveTeamMemberDialog
                               teamId={team.id}
                               memberId={sa.id}
diff --git a/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx b/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
index b8eac97c0..1f41741ad 100644
--- a/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
+++ b/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
@@ -119,7 +119,7 @@ export const CreateTeamDialog = () => {
     setSaRole(null)
   }
 
-  const roleOptions = roleData?.roles || []
+  const roleOptions = roleData?.roles?.filter((role: RoleType) => role.name?.toLowerCase() !== 'owner') || []
 
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()

From 216dd49d0ee64b934d06e80ec0cd2e18d23b22c3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 15 Apr 2026 15:44:51 +0530
Subject: [PATCH 072/118] chore: regen schema and types

---
 frontend/apollo/gql.ts         | 12 +++++++---
 frontend/apollo/graphql.ts     | 42 ++++++++++++++++++++++++++++++++--
 frontend/apollo/schema.graphql | 21 +++++++++++++++++
 3 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 2e0f6cb33..b682da954 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -79,6 +79,7 @@ type Documents = {
     "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.DeleteScimTokenOpDocument,
     "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}": typeof types.ToggleScimOpDocument,
     "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}": typeof types.ToggleScimTokenOpDocument,
+    "mutation CreateServerSideSAToken($serviceAccountId: ID!, $name: String!, $expiry: BigInt) {\n  createServerSideServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    expiry: $expiry\n  ) {\n    tokenString\n    token {\n      id\n    }\n  }\n}": typeof types.CreateServerSideSaTokenDocument,
     "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": typeof types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": typeof types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": typeof types.DeleteServiceAccountOpDocument,
@@ -163,7 +164,7 @@ type Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": typeof types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": typeof types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": typeof types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n      memberRole {\n        id\n        name\n        permissions\n      }\n      owner {\n        id\n      }\n      members {\n        orgMember {\n          id\n        }\n      }\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": typeof types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
@@ -258,6 +259,7 @@ const documents: Documents = {
     "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.DeleteScimTokenOpDocument,
     "mutation ToggleSCIMOp($organisationId: ID!, $enabled: Boolean!) {\n  toggleScim(organisationId: $organisationId, enabled: $enabled) {\n    ok\n  }\n}": types.ToggleScimOpDocument,
     "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}": types.ToggleScimTokenOpDocument,
+    "mutation CreateServerSideSAToken($serviceAccountId: ID!, $name: String!, $expiry: BigInt) {\n  createServerSideServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    expiry: $expiry\n  ) {\n    tokenString\n    token {\n      id\n    }\n  }\n}": types.CreateServerSideSaTokenDocument,
     "mutation CreateServiceAccountOp($name: String!, $orgId: ID!, $roleId: ID!, $identityKey: String!, $handlers: [ServiceAccountHandlerInput], $serverWrappedKeyring: String, $serverWrappedRecovery: String, $teamId: ID) {\n  createServiceAccount(\n    name: $name\n    organisationId: $orgId\n    roleId: $roleId\n    identityKey: $identityKey\n    handlers: $handlers\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n    }\n  }\n}": types.CreateServiceAccountOpDocument,
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
@@ -342,7 +344,7 @@ const documents: Documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    type\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      id\n      name\n      sseEnabled\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n  dynamicSecrets(envId: $envId, path: $path) {\n    id\n    name\n    path\n    description\n    provider\n    keyMap {\n      id\n      keyName\n      masked\n    }\n    config {\n      ... on AWSConfigType {\n        usernameTemplate\n        groups\n        iamPath\n        permissionBoundaryArn\n        policyArns\n        policyDocument\n      }\n    }\n    defaultTtlSeconds\n    maxTtlSeconds\n    authentication {\n      id\n      name\n    }\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n      memberRole {\n        id\n        name\n        permissions\n      }\n      owner {\n        id\n      }\n      members {\n        orgMember {\n          id\n        }\n      }\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
@@ -646,6 +648,10 @@ export function graphql(source: "mutation ToggleSCIMOp($organisationId: ID!, $en
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}"): (typeof documents)["mutation ToggleSCIMTokenOp($tokenId: ID!, $isActive: Boolean!) {\n  toggleScimToken(tokenId: $tokenId, isActive: $isActive) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateServerSideSAToken($serviceAccountId: ID!, $name: String!, $expiry: BigInt) {\n  createServerSideServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    expiry: $expiry\n  ) {\n    tokenString\n    token {\n      id\n    }\n  }\n}"): (typeof documents)["mutation CreateServerSideSAToken($serviceAccountId: ID!, $name: String!, $expiry: BigInt) {\n  createServerSideServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    expiry: $expiry\n  ) {\n    tokenString\n    token {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -985,7 +991,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n      memberRole {\n        id\n        name\n        permissions\n      }\n      owner {\n        id\n      }\n      members {\n        orgMember {\n          id\n        }\n      }\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    team {\n      id\n      name\n      memberRole {\n        id\n        name\n        permissions\n      }\n      owner {\n        id\n      }\n      members {\n        orgMember {\n          id\n        }\n      }\n    }\n    identities {\n      id\n      provider\n      name\n      description\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 74380151c..47ca245ee 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -540,6 +540,19 @@ export type CreateSecretTagMutation = {
   tag?: Maybe<SecretTagType>;
 };
 
+/**
+ * Create a service account token using server-side key management.
+ *
+ * The server decrypts the SA keyring, generates a token with key splitting,
+ * and returns the full token string. Requires SSK to be enabled on the SA.
+ * This allows team members who are not SA handlers to create tokens.
+ */
+export type CreateServerSideServiceAccountTokenMutation = {
+  __typename?: 'CreateServerSideServiceAccountTokenMutation';
+  token?: Maybe<ServiceAccountTokenType>;
+  tokenString?: Maybe<Scalars['String']['output']>;
+};
+
 export type CreateServiceAccountMutation = {
   __typename?: 'CreateServiceAccountMutation';
   serviceAccount?: Maybe<ServiceAccountType>;
@@ -1066,6 +1079,14 @@ export type Mutation = {
   createSecretFolder?: Maybe<CreateSecretFolderMutation>;
   createSecretTag?: Maybe<CreateSecretTagMutation>;
   createSecrets?: Maybe<BulkCreateSecretMutation>;
+  /**
+   * Create a service account token using server-side key management.
+   *
+   * The server decrypts the SA keyring, generates a token with key splitting,
+   * and returns the full token string. Requires SSK to be enabled on the SA.
+   * This allows team members who are not SA handlers to create tokens.
+   */
+  createServerSideServiceAccountToken?: Maybe<CreateServerSideServiceAccountTokenMutation>;
   createServiceAccount?: Maybe<CreateServiceAccountMutation>;
   createServiceAccountToken?: Maybe<CreateServiceAccountTokenMutation>;
   createServiceToken?: Maybe<CreateServiceTokenMutation>;
@@ -1453,6 +1474,13 @@ export type MutationCreateSecretsArgs = {
 };
 
 
+export type MutationCreateServerSideServiceAccountTokenArgs = {
+  expiry?: InputMaybe<Scalars['BigInt']['input']>;
+  name: Scalars['String']['input'];
+  serviceAccountId: Scalars['ID']['input'];
+};
+
+
 export type MutationCreateServiceAccountArgs = {
   handlers?: InputMaybe<Array<InputMaybe<ServiceAccountHandlerInput>>>;
   identityKey?: InputMaybe<Scalars['String']['input']>;
@@ -3643,6 +3671,15 @@ export type ToggleScimTokenOpMutationVariables = Exact<{
 
 export type ToggleScimTokenOpMutation = { __typename?: 'Mutation', toggleScimToken?: { __typename?: 'ToggleSCIMTokenMutation', ok?: boolean | null } | null };
 
+export type CreateServerSideSaTokenMutationVariables = Exact<{
+  serviceAccountId: Scalars['ID']['input'];
+  name: Scalars['String']['input'];
+  expiry?: InputMaybe<Scalars['BigInt']['input']>;
+}>;
+
+
+export type CreateServerSideSaTokenMutation = { __typename?: 'Mutation', createServerSideServiceAccountToken?: { __typename?: 'CreateServerSideServiceAccountTokenMutation', tokenString?: string | null, token?: { __typename?: 'ServiceAccountTokenType', id: string } | null } | null };
+
 export type CreateServiceAccountOpMutationVariables = Exact<{
   name: Scalars['String']['input'];
   orgId: Scalars['ID']['input'];
@@ -4375,7 +4412,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, team?: { __typename?: 'TeamType', id: string, name: string, memberRole?: { __typename?: 'RoleType', id: string, name?: string | null, permissions?: any | null } | null, owner?: { __typename?: 'OrganisationMemberType', id: string } | null, members?: Array<{ __typename?: 'TeamMembershipType', orgMember?: { __typename?: 'OrganisationMemberType', id: string } | null }> | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -4633,6 +4670,7 @@ export const CreateScimTokenOpDocument = {"kind":"Document","definitions":[{"kin
 export const DeleteScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteScimTokenOpMutation, DeleteScimTokenOpMutationVariables>;
 export const ToggleScimOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ToggleSCIMOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"toggleScim"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"enabled"},"value":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<ToggleScimOpMutation, ToggleScimOpMutationVariables>;
 export const ToggleScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ToggleSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"isActive"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"toggleScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}},{"kind":"Argument","name":{"kind":"Name","value":"isActive"},"value":{"kind":"Variable","name":{"kind":"Name","value":"isActive"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<ToggleScimTokenOpMutation, ToggleScimTokenOpMutationVariables>;
+export const CreateServerSideSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServerSideSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServerSideServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tokenString"}},{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServerSideSaTokenMutation, CreateServerSideSaTokenMutationVariables>;
 export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateServiceAccountOpMutation, CreateServiceAccountOpMutationVariables>;
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
@@ -4717,7 +4755,7 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"type"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"dynamicSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"keyMap"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"keyName"}},{"kind":"Field","name":{"kind":"Name","value":"masked"}}]}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AWSConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"usernameTemplate"}},{"kind":"Field","name":{"kind":"Name","value":"groups"}},{"kind":"Field","name":{"kind":"Name","value":"iamPath"}},{"kind":"Field","name":{"kind":"Name","value":"permissionBoundaryArn"}},{"kind":"Field","name":{"kind":"Name","value":"policyArns"}},{"kind":"Field","name":{"kind":"Name","value":"policyDocument"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"memberRole"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"owner"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index d0d9a9513..4850f8f8d 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -1181,6 +1181,15 @@ type Mutation {
   updateServiceAccount(identityIds: [ID!], name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
   createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
+
+  """
+  Create a service account token using server-side key management.
+  
+  The server decrypts the SA keyring, generates a token with key splitting,
+  and returns the full token string. Requires SSK to be enabled on the SA.
+  This allows team members who are not SA handlers to create tokens.
+  """
+  createServerSideServiceAccountToken(expiry: BigInt, name: String!, serviceAccountId: ID!): CreateServerSideServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
 
   """
@@ -1524,6 +1533,18 @@ type CreateServiceAccountTokenMutation {
   token: ServiceAccountTokenType
 }
 
+"""
+Create a service account token using server-side key management.
+
+The server decrypts the SA keyring, generates a token with key splitting,
+and returns the full token string. Requires SSK to be enabled on the SA.
+This allows team members who are not SA handlers to create tokens.
+"""
+type CreateServerSideServiceAccountTokenMutation {
+  tokenString: String
+  token: ServiceAccountTokenType
+}
+
 type DeleteServiceAccountTokenMutation {
   ok: Boolean
 }

From 6a392082fe034c34031779d07d6ed794e3e21802 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 15 Apr 2026 15:57:04 +0530
Subject: [PATCH 073/118] fix: prevent team-owned service accounts for being
 changed to client-side kms

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/mutations/service_accounts.py      | 6 ++++++
 .../app/[team]/access/service-accounts/[account]/page.tsx   | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index c262eabca..079a392cc 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -250,6 +250,12 @@ def mutate(cls, root, info, service_account_id):
 
         _check_sa_permission(user, service_account, "update", "ServiceAccounts")
 
+        # Team-owned SAs must always use server-side KMS
+        if service_account.team is not None:
+            raise GraphQLError(
+                "Team-owned service accounts require server-side key management and cannot be switched to client-side."
+            )
+
         # Delete server-wrapped keys to disable server-side key management
         service_account.server_wrapped_keyring = None
         service_account.server_wrapped_recovery = None
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index f7070838f..9456a0281 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -294,7 +294,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
             <span className="font-medium text-sm text-zinc-900 dark:text-zinc-100">
               {account.serverSideKeyManagementEnabled ? 'Server-side' : 'Client-side'} KMS
             </span>
-            {effectiveCanUpdateSA && hasTeamAccess && (
+            {effectiveCanUpdateSA && hasTeamAccess && !account.team?.id && (
               <KeyManagementDialog
                 serviceAccount={account}
                 buttonVariant={'secondary'}

From 8c7079f225ff71eb35a1fe6ac8bfc79b6b79ffe5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:28:00 +0530
Subject: [PATCH 074/118] fix: preserve environment key grants on individual
 creation and scope updates

---
 .../backend/graphene/mutations/environment.py | 33 +++++++++++++++----
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/backend/backend/graphene/mutations/environment.py b/backend/backend/graphene/mutations/environment.py
index abeb5c0f7..32c08d0aa 100644
--- a/backend/backend/graphene/mutations/environment.py
+++ b/backend/backend/graphene/mutations/environment.py
@@ -19,6 +19,7 @@
     App,
     Environment,
     EnvironmentKey,
+    EnvironmentKeyGrant,
     EnvironmentSync,
     EnvironmentToken,
     Organisation,
@@ -164,23 +165,31 @@ def mutate(
             )
 
             # Add the org owner to the environment
-            EnvironmentKey.objects.create(
+            owner_key = EnvironmentKey.objects.create(
                 environment=environment,
                 user=org_owner,
                 identity_key=environment_data.identity_key,
                 wrapped_seed=environment_data.wrapped_seed,
                 wrapped_salt=environment_data.wrapped_salt,
             )
+            EnvironmentKeyGrant.objects.create(
+                environment_key=owner_key,
+                grant_type="individual",
+            )
 
             # Add admins to the environment
             for key in admin_keys:
-                EnvironmentKey.objects.create(
+                admin_key = EnvironmentKey.objects.create(
                     environment=environment,
                     user_id=key.user_id,
                     wrapped_seed=key.wrapped_seed,
                     wrapped_salt=key.wrapped_salt,
                     identity_key=key.identity_key,
                 )
+                EnvironmentKeyGrant.objects.create(
+                    environment_key=admin_key,
+                    grant_type="individual",
+                )
 
             # Add Server keys if provided
             if wrapped_seed and wrapped_salt:
@@ -351,6 +360,10 @@ def mutate(
             wrapped_seed=wrapped_seed,
             wrapped_salt=wrapped_salt,
         )
+        EnvironmentKeyGrant.objects.create(
+            environment_key=environment_key,
+            grant_type="individual",
+        )
 
         return CreateEnvironmentKeyMutation(environment_key=environment_key)
 
@@ -403,13 +416,14 @@ def mutate(
                 )
 
         with transaction.atomic():
-            # delete all existing keys for this member
-            EnvironmentKey.objects.filter(**key_to_delete_filter).delete()
+            # Soft-delete existing keys (preserves grant history, avoids CASCADE)
+            old_keys = EnvironmentKey.objects.filter(**key_to_delete_filter)
+            EnvironmentKeyGrant.objects.filter(environment_key__in=old_keys).delete()
+            old_keys.update(deleted_at=timezone.now())
 
-            # set new keys
+            # Create new keys with individual grants
             for key in env_keys:
-
-                EnvironmentKey.objects.create(
+                new_key = EnvironmentKey.objects.create(
                     environment_id=key.env_id,
                     user_id=key.user_id if member_type == MemberType.USER else None,
                     service_account_id=(
@@ -419,6 +433,11 @@ def mutate(
                     wrapped_salt=key.wrapped_salt,
                     identity_key=key.identity_key,
                 )
+                EnvironmentKeyGrant.objects.create(
+                    environment_key=new_key,
+                    grant_type="individual",
+                    team=None,
+                )
 
         return UpdateMemberEnvScopeMutation(app=app)
 

From a59850c8214f867ac28be3cab3b19608106a4bca Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:28:21 +0530
Subject: [PATCH 075/118] fix: filter soft-deleted keys in
 user_can_access_environment

---
 backend/api/utils/access/permissions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index 47471c22f..e2c47f284 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -52,7 +52,7 @@ def user_can_access_environment(user_id, env_id):
         organisation=env.app.organisation, user_id=user_id, deleted_at=None
     )
     return EnvironmentKey.objects.filter(
-        user_id=org_member, environment_id=env_id
+        user_id=org_member, environment_id=env_id, deleted_at__isnull=True
     ).exists()
 
 

From 82e96897ad5f89e659429d6a8379e690be4d41c9 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:28:25 +0530
Subject: [PATCH 076/118] fix: scope UpdateServiceAccountHandlers deletes and
 require SA update permission

---
 .../graphene/mutations/service_accounts.py     | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index 079a392cc..4b20922fa 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -319,10 +319,24 @@ def mutate(cls, root, info, organisation_id, handlers):
                 "You are not a member of this organisation and cannot perform this operation"
             )
 
-        ServiceAccountHandler.objects.filter(service_account__organisation=org).delete()
+        if not user_has_permission(user, "update", "ServiceAccounts", org):
+            raise GraphQLError(
+                "You don't have permission to manage service accounts"
+            )
+
+        # Only delete handlers for SAs referenced in the incoming list.
+        # This prevents wiping handlers for team-owned SAs the caller can't see.
+        sa_ids = set(h.service_account_id for h in handlers)
+        ServiceAccountHandler.objects.filter(
+            service_account__organisation=org,
+            service_account_id__in=sa_ids,
+            service_account__deleted_at__isnull=True,
+        ).delete()
 
         for handler in handlers:
-            service_account = ServiceAccount.objects.get(id=handler.service_account_id)
+            service_account = ServiceAccount.objects.get(
+                id=handler.service_account_id, deleted_at__isnull=True
+            )
 
             if not ServiceAccountHandler.objects.filter(
                 service_account=service_account, user_id=handler.member_id

From 9320103b12771ece2543d15196eb3b93516385a3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:28:29 +0530
Subject: [PATCH 077/118] fix: skip service accounts without a self handler
 during handler re-wrap

---
 frontend/utils/crypto/service-accounts.ts | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/frontend/utils/crypto/service-accounts.ts b/frontend/utils/crypto/service-accounts.ts
index 81ed02bb5..414a9d111 100644
--- a/frontend/utils/crypto/service-accounts.ts
+++ b/frontend/utils/crypto/service-accounts.ts
@@ -75,28 +75,33 @@ export const updateServiceAccountHandlers = async (orgId: string, userKeyring: O
     let handlerInputs: ServiceAccountHandlerInput[] = [] 
 
     const handlerInputPromises = serviceAccounts.map(async (account: ServiceAccountType) => {
-  
+
       // Get the account wrapped keys for the current user
-      const selfHandler: ServiceAccountHandlerType = account.handlers?.find(
+      const selfHandler: ServiceAccountHandlerType | undefined = account.handlers?.find(
         (handler) => handler?.user.self === true
-      )!
-      
+      ) ?? undefined
+
+      // Skip accounts the current user can't unwrap:
+      // - Team-owned SAs use server-side KMS and have no handlers
+      // - Org-level SAs where the current user isn't a handler belong to someone else
+      if (!selfHandler) return []
+
       // Unwrap the keyring and recovery for this account
       const serviceAccountKeyringString = await decryptAsymmetric(
         selfHandler.wrappedKeyring,
         userKxKeys.privateKey,
         userKxKeys.publicKey
       )
-    
+
       const serviceAccountRecoveryString = await decryptAsymmetric(
         selfHandler.wrappedRecovery,
         userKxKeys.privateKey,
         userKxKeys.publicKey
       )
-    
+
       // Wrap the keyring and recovery for each handler
       const handlerWrappingPromises = handlers.map(async (handler: OrganisationMemberType) => {
-        
+
         const kxKey = await getUserKxPublicKey(handler.identityKey!)
         const wrappedKeyring = await encryptAsymmetric(serviceAccountKeyringString, kxKey)
         const wrappedRecovery = await encryptAsymmetric(serviceAccountRecoveryString, kxKey)
@@ -107,9 +112,9 @@ export const updateServiceAccountHandlers = async (orgId: string, userKeyring: O
           wrappedRecovery,
         }
       })
-    
+
       const handlerKeys = await Promise.all(handlerWrappingPromises)
-      
+
       return handlerKeys // Return the result of this async operation
     })
 

From fd7f23f6a6e4a4e318c82f2ee41dfdab1145bece Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:28:34 +0530
Subject: [PATCH 078/118] fix: await team refetch on SA create and gate delete
 by SA permission

---
 .../_components/CreateServiceAccountDialog.tsx                | 1 +
 frontend/app/[team]/access/teams/[teamId]/page.tsx            | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
index 2015c4d82..b471953f7 100644
--- a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
@@ -162,6 +162,7 @@ export const CreateServiceAccountDialog = ({
                 ]
               : []),
           ],
+          awaitRefetchQueries: true,
         })
 
         setCreatePending(false)
diff --git a/frontend/app/[team]/access/teams/[teamId]/page.tsx b/frontend/app/[team]/access/teams/[teamId]/page.tsx
index d6b3b7d51..89c861b60 100644
--- a/frontend/app/[team]/access/teams/[teamId]/page.tsx
+++ b/frontend/app/[team]/access/teams/[teamId]/page.tsx
@@ -116,6 +116,8 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
     userIsGlobalAccess || isTeamOwner || userHasPermission(effectivePermissions, 'Teams', 'delete')
   const canCreateSA =
     userIsGlobalAccess || isTeamOwner || userHasPermission(effectivePermissions, 'ServiceAccounts', 'create')
+  const canDeleteSA =
+    userIsGlobalAccess || isTeamOwner || userHasPermission(effectivePermissions, 'ServiceAccounts', 'delete')
 
   if (!userIsMember)
     return (
@@ -353,7 +355,7 @@ export default function TeamDetail({ params }: { params: { team: string; teamId:
                           </Button>
                         </Link>
                         {isTeamOwned ? (
-                          canUpdateTeam && (
+                          canDeleteSA && (
                             <DeleteServiceAccountDialog account={sa} onDelete={() => {}} />
                           )
                         ) : (

From 186d6a765e9a872855ba74b0c2b131aa7e546bdf Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:30:07 +0530
Subject: [PATCH 079/118] feat: team owners retain org role for team-accessed
 apps

---
 backend/api/utils/access/permissions.py | 11 +++++++++--
 frontend/hooks/useAppPermissions.ts     |  8 +++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index e2c47f284..ab1416f36 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -157,8 +157,15 @@ def _check_app_permission(account, action, resource, app, is_service_account=Fal
 
     for team in teams:
         team_role = getattr(team, role_field)
-        if team_role is None:
-            # No team role → use org role
+        # Team owners retain their full org role for team-accessed apps —
+        # they manage the team and its access grants, so overrides don't apply to them.
+        is_team_owner = (
+            not is_service_account
+            and team.owner_id is not None
+            and team.owner_id == account.id
+        )
+        if team_role is None or is_team_owner:
+            # No team role, or user is team owner → use org role
             if role_has_permission(org_role, action, resource, is_app_resource=True):
                 return True
         else:
diff --git a/frontend/hooks/useAppPermissions.ts b/frontend/hooks/useAppPermissions.ts
index 084b42d83..d5f38822b 100644
--- a/frontend/hooks/useAppPermissions.ts
+++ b/frontend/hooks/useAppPermissions.ts
@@ -69,7 +69,13 @@ export function useAppPermissions(appId: string) {
 
       hasTeamAccess = true
 
-      if (team.memberRole?.permissions) {
+      // Team owners retain their full org role for their team's apps —
+      // they manage the team and its access grants, so the role override doesn't restrict them.
+      const isTeamOwner = team.owner?.id === organisation.memberId
+
+      if (isTeamOwner) {
+        sources.push(organisation.role!.permissions!)
+      } else if (team.memberRole?.permissions) {
         // Team has a role override → it REPLACES the org role for this access path
         sources.push(team.memberRole.permissions)
       } else {

From 80114830950054b9e2d025dc556e90d9fc411000 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:30:26 +0530
Subject: [PATCH 080/118] fix: exclude team-owned service accounts from app add
 dialog

---
 .../access/service-accounts/_components/AddAccountDialog.tsx    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
index 172fc1d51..f7d73e4e8 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
@@ -97,6 +97,8 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
 
   const accountOptions =
     serviceAccountsData?.serviceAccounts
+      // Team-owned SAs can only be granted app access via their owning team
+      .filter((account: ServiceAccountType) => !account.team)
       .filter(
         (account: ServiceAccountType) =>
           !data?.appServiceAccounts

From bf09ef67e2aab93563a6f52badbcdbf21d2fa412 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 20:30:39 +0530
Subject: [PATCH 081/118] feat: surface existing team-based app access in add
 member and SA dialogs

---
 .../members/_components/AddMemberDialog.tsx   | 57 +++++++++++++++++-
 .../_components/AddAccountDialog.tsx          | 60 +++++++++++++++++--
 frontend/components/teams/TeamLabel.tsx       | 24 +++++++-
 3 files changed, 132 insertions(+), 9 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
index f45af479d..79ac676ae 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
@@ -3,14 +3,16 @@ import { BulkAddMembersToApp } from '@/graphql/mutations/apps/bulkAddAppMembers.
 import GetAppMembers from '@/graphql/queries/apps/getAppMembers.gql'
 import { GetAppEnvironments } from '@/graphql/queries/secrets/getAppEnvironments.gql'
 import { GetEnvironmentKey } from '@/graphql/queries/secrets/getEnvironmentKey.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { useLazyQuery, useMutation, useQuery } from '@apollo/client'
 import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
-import { OrganisationMemberType, EnvironmentType, MemberType } from '@/apollo/graphql'
+import { OrganisationMemberType, EnvironmentType, MemberType, TeamType } from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import { Listbox, Menu, Transition } from '@headlessui/react'
 import {
   FaArrowRight,
   FaBan,
+  FaCheck,
   FaCheckCircle,
   FaChevronDown,
   FaCircle,
@@ -33,7 +35,8 @@ import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { MdSearchOff } from 'react-icons/md'
 import { RoleLabel } from '@/components/users/RoleLabel'
-import { useSearchParams } from 'next/navigation'
+import { TeamLabel } from '@/components/teams/TeamLabel'
+import { useSearchParams, useParams } from 'next/navigation'
 
 type MemberWithEnvScope = OrganisationMemberType & {
   scope: Partial<EnvironmentType>[]
@@ -41,6 +44,7 @@ type MemberWithEnvScope = OrganisationMemberType & {
 
 export const AddMemberDialog = ({ appId }: { appId: string }) => {
   const searchParams = useSearchParams()
+  const routeParams = useParams<{ team: string }>()
   const preselectedAccountId = searchParams?.get('new') ?? null
 
   const { keyring } = useContext(KeyringContext)
@@ -55,6 +59,7 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
 
   const userCanReadAppMembers = hasPermission('Members', 'read', true)
   const userCanReadEnvironments = hasPermission('Environments', 'read', true)
+  const userCanReadTeams = hasPermission('Teams', 'read')
 
   // AppMembers:create + OrgMembers: read
   const userCanAddAppMembers =
@@ -68,6 +73,28 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
     skip: !organisation || !userCanAddAppMembers,
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams || !userCanAddAppMembers,
+  })
+
+  // Map member ID → teams that already grant access to this app
+  const memberTeamsMap = useMemo(() => {
+    const map = new Map<string, { id: string; name: string }[]>()
+    if (!teamsData?.teams) return map
+    for (const team of teamsData.teams as TeamType[]) {
+      const hasApp = team.apps?.some((a) => a!.id === appId)
+      if (!hasApp) continue
+      for (const m of team.members || []) {
+        if (!m.orgMember) continue
+        const list = map.get(m.orgMember.id) || []
+        list.push({ id: team.id, name: team.name })
+        map.set(m.orgMember.id, list)
+      }
+    }
+    return map
+  }, [teamsData, appId])
+
   const { data, loading } = useQuery(GetAppMembers, {
     variables: { appId: appId },
     skip: !userCanReadAppMembers,
@@ -313,7 +340,7 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
                           >
                             <div className="flex items-center gap-2">
                               <Avatar member={member} size="md" />
-                              <div>
+                              <div className="flex flex-col gap-1">
                                 <div className="font-semibold text-zinc-900 dark:text-zinc-100">
                                   {member.fullName || member.email}
                                 </div>
@@ -322,6 +349,21 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
                                     {member.email}
                                   </div>
                                 )}
+                                {memberTeamsMap.get(member.id) && (
+                                  <div className="flex items-center gap-1 flex-wrap">
+                                    {memberTeamsMap.get(member.id)!.map((t) => (
+                                      <TeamLabel
+                                        key={t.id}
+                                        teamId={t.id}
+                                        teamName={t.name}
+                                        orgSlug={routeParams?.team ?? ''}
+                                        variant="info"
+                                        icon={FaCheck}
+                                        title={`Already has access to this app via ${t.name}`}
+                                      />
+                                    ))}
+                                  </div>
+                                )}
                               </div>
                             </div>
                             <div className="max-w-28 shrink-0">
@@ -525,6 +567,15 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
               ))}
             </div>
 
+            {selectedMembers.some((m) => memberTeamsMap.has(m.id)) && (
+              <Alert variant="warning" icon={true} size="sm">
+                <div className="text-sm">
+                  One or more selected members already have access to this app via a team. Adding
+                  them directly will grant them individual access on top of their team-based access.
+                </div>
+              </Alert>
+            )}
+
             <div className="flex w-full">
               <SelectMemberMenu />
             </div>
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
index f7d73e4e8..e66edd6bf 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
@@ -3,15 +3,17 @@ import { BulkAddMembersToApp } from '@/graphql/mutations/apps/bulkAddAppMembers.
 import { GetAppServiceAccounts } from '@/graphql/queries/apps/getAppServiceAccounts.gql'
 import { GetAppEnvironments } from '@/graphql/queries/secrets/getAppEnvironments.gql'
 import { GetEnvironmentKey } from '@/graphql/queries/secrets/getEnvironmentKey.gql'
+import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { useLazyQuery, useMutation, useQuery } from '@apollo/client'
-import { Fragment, useContext, useEffect, useRef, useState } from 'react'
-import { EnvironmentType, ServiceAccountType, MemberType } from '@/apollo/graphql'
+import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
+import { EnvironmentType, ServiceAccountType, MemberType, TeamType } from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import { organisationContext } from '@/contexts/organisationContext'
 import { Listbox, Menu, Transition } from '@headlessui/react'
 import {
   FaArrowRight,
   FaBan,
+  FaCheck,
   FaCheckCircle,
   FaChevronDown,
   FaCircle,
@@ -27,13 +29,14 @@ import { useAppPermissions } from '@/hooks/useAppPermissions'
 import { Alert } from '@/components/common/Alert'
 import Link from 'next/link'
 import { unwrapEnvSecretsForUser, wrapEnvSecretsForAccount } from '@/utils/crypto'
-import { useSearchParams } from 'next/navigation'
+import { useSearchParams, useParams } from 'next/navigation'
 import GenericDialog from '@/components/common/GenericDialog'
 import { EmptyState } from '@/components/common/EmptyState'
 import Spinner from '@/components/common/Spinner'
 import { MdSearchOff } from 'react-icons/md'
 import { Avatar } from '@/components/common/Avatar'
 import { RoleLabel } from '@/components/users/RoleLabel'
+import { TeamLabel } from '@/components/teams/TeamLabel'
 
 type AccountWithEnvScope = ServiceAccountType & {
   scope: Partial<EnvironmentType>[]
@@ -41,6 +44,7 @@ type AccountWithEnvScope = ServiceAccountType & {
 
 export const AddAccountDialog = ({ appId }: { appId: string }) => {
   const searchParams = useSearchParams()
+  const routeParams = useParams<{ team: string }>()
   const preselectedAccountId = searchParams?.get('new') ?? null
 
   const { keyring } = useContext(KeyringContext)
@@ -55,6 +59,7 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
 
   const userCanReadAppSA = hasPermission('ServiceAccounts', 'read', true)
   const userCanReadEnvironments = hasPermission('Environments', 'read', true)
+  const userCanReadTeams = hasPermission('Teams', 'read')
 
   // AppServiceAccounts:create + ServiceAccounts: read
   const userCanAddAppSA =
@@ -67,6 +72,28 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
     skip: !organisation || !userCanAddAppSA,
   })
 
+  const { data: teamsData } = useQuery(GetTeams, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !userCanReadTeams || !userCanAddAppSA,
+  })
+
+  // Map service account ID → teams that already grant access to this app
+  const accountTeamsMap = useMemo(() => {
+    const map = new Map<string, { id: string; name: string }[]>()
+    if (!teamsData?.teams) return map
+    for (const team of teamsData.teams as TeamType[]) {
+      const hasApp = team.apps?.some((a) => a!.id === appId)
+      if (!hasApp) continue
+      for (const m of team.members || []) {
+        if (!m.serviceAccount) continue
+        const list = map.get(m.serviceAccount.id) || []
+        list.push({ id: team.id, name: team.name })
+        map.set(m.serviceAccount.id, list)
+      }
+    }
+    return map
+  }, [teamsData, appId])
+
   const { data, loading } = useQuery(GetAppServiceAccounts, {
     variables: { appId: appId },
     skip: !userCanReadAppSA,
@@ -314,13 +341,28 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
                           >
                             <div className="flex items-center gap-2">
                               <Avatar serviceAccount={account} />
-                              <div>
+                              <div className="flex flex-col gap-1">
                                 <div className="font-semibold text-zinc-900 dark:text-zinc-100">
                                   {account.name}
                                 </div>
                                 <div className="text-neutral-500 text-2xs leading-4 font-mono">
                                   {account.id}
                                 </div>
+                                {accountTeamsMap.get(account.id) && (
+                                  <div className="flex items-center gap-1 flex-wrap">
+                                    {accountTeamsMap.get(account.id)!.map((t) => (
+                                      <TeamLabel
+                                        key={t.id}
+                                        teamId={t.id}
+                                        teamName={t.name}
+                                        orgSlug={routeParams?.team ?? ''}
+                                        variant="info"
+                                        icon={FaCheck}
+                                        title={`Already has access to this app via ${t.name}`}
+                                      />
+                                    ))}
+                                  </div>
+                                )}
                               </div>
                             </div>
                             <div className="max-w-28 shrink-0">
@@ -523,6 +565,16 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
               ))}
             </div>
 
+            {selectedAccounts.some((a) => accountTeamsMap.has(a.id)) && (
+              <Alert variant="warning" icon={true} size="sm">
+                <div className="text-sm">
+                  One or more selected service accounts already have access to this app via a team.
+                  Adding them directly will grant them individual access on top of their team-based
+                  access.
+                </div>
+              </Alert>
+            )}
+
             <div className="flex w-full">
               <SelectAccountMenu />
             </div>
diff --git a/frontend/components/teams/TeamLabel.tsx b/frontend/components/teams/TeamLabel.tsx
index 455e928d8..0601e077e 100644
--- a/frontend/components/teams/TeamLabel.tsx
+++ b/frontend/components/teams/TeamLabel.tsx
@@ -1,20 +1,40 @@
+import clsx from 'clsx'
 import Link from 'next/link'
+import { ComponentType } from 'react'
 import { FaUsers } from 'react-icons/fa'
 
+type Variant = 'default' | 'info'
+
+const variantClasses: Record<Variant, string> = {
+  default:
+    'bg-zinc-300/70 dark:bg-zinc-800 text-zinc-600 dark:text-zinc-400 hover:bg-zinc-300 dark:hover:bg-zinc-700',
+  info: 'bg-blue-500/15 text-blue-600 dark:text-blue-400 hover:bg-blue-500/25 dark:hover:bg-blue-500/25',
+}
+
 export const TeamLabel = ({
   teamId,
   teamName,
   orgSlug,
+  variant = 'default',
+  title,
+  icon: Icon = FaUsers,
 }: {
   teamId: string
   teamName: string
   orgSlug: string
+  variant?: Variant
+  title?: string
+  icon?: ComponentType<{ className?: string }>
 }) => (
   <Link
     href={`/${orgSlug}/access/teams/${teamId}`}
-    className="inline-flex items-center gap-1 text-[10px] font-semibold px-1.5 py-0.5 rounded-full bg-zinc-300/70 dark:bg-zinc-800 text-zinc-600 dark:text-zinc-400 hover:bg-zinc-300 dark:hover:bg-zinc-700 transition"
+    title={title}
+    className={clsx(
+      'inline-flex items-center gap-1 text-3xs font-semibold px-1 py-0 rounded-full transition',
+      variantClasses[variant]
+    )}
   >
-    <FaUsers className="text-[9px] shrink-0" />
+    <Icon className="text-[8px] shrink-0" />
     {teamName}
   </Link>
 )

From 9afc796a0913bd11fb7577972e6295896368fe83 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:08:17 +0530
Subject: [PATCH 082/118] fix: clean up team-owned service accounts on SCIM
 group deletion

---
 .../ee/authentication/scim/views/groups.py    | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/backend/ee/authentication/scim/views/groups.py b/backend/ee/authentication/scim/views/groups.py
index 1e6927334..7f806bfc3 100644
--- a/backend/ee/authentication/scim/views/groups.py
+++ b/backend/ee/authentication/scim/views/groups.py
@@ -19,6 +19,8 @@
 from api.models import (
     SCIMGroup,
     SCIMUser,
+    ServiceAccount,
+    ServiceAccountToken,
     Team,
     TeamAppEnvironment,
     TeamMembership,
@@ -386,9 +388,22 @@ def _delete_group(request, scim_group):
         response_status=204,
     )
     if scim_group.team:
-        revoke_team_environment_keys(scim_group.team)
         from django.utils import timezone
-        scim_group.team.deleted_at = timezone.now()
+        now = timezone.now()
+
+        revoke_team_environment_keys(scim_group.team)
+
+        # Soft-delete team-owned service accounts and their tokens — mirrors DeleteTeamMutation
+        for sa in ServiceAccount.objects.filter(
+            team=scim_group.team, deleted_at__isnull=True
+        ):
+            sa.deleted_at = now
+            sa.save()
+            ServiceAccountToken.objects.filter(
+                service_account=sa, deleted_at__isnull=True
+            ).update(deleted_at=now)
+
+        scim_group.team.deleted_at = now
         scim_group.team.save(update_fields=["deleted_at"])
 
     scim_group.delete()

From 90e7c47deb149b681d4db6e91ee01c113023d898 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:08:22 +0530
Subject: [PATCH 083/118] fix: recover from concurrent environment key creation
 races

---
 backend/api/utils/keys.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/backend/api/utils/keys.py b/backend/api/utils/keys.py
index e30f3608c..7fcd2a36a 100644
--- a/backend/api/utils/keys.py
+++ b/backend/api/utils/keys.py
@@ -6,6 +6,7 @@
 """
 
 from django.apps import apps
+from django.db import IntegrityError, transaction
 from django.utils import timezone
 from nacl.bindings import crypto_sign_ed25519_pk_to_curve25519
 from api.utils.crypto import (
@@ -96,12 +97,22 @@ def provision_team_environment_keys(team, app, members=None):
                 wrapped_seed, wrapped_salt = server_wrap_env_key_for_member(
                     env, account.identity_key
                 )
-                env_key = EnvironmentKey.objects.create(
-                    **key_filter,
-                    identity_key=account.identity_key,
-                    wrapped_seed=wrapped_seed,
-                    wrapped_salt=wrapped_salt,
-                )
+                # Nested atomic + IntegrityError recovery: a concurrent provisioning
+                # (e.g. simultaneous AddTeamApps and AddTeamMembers, or SCIM sync races)
+                # may insert the key between our filter and create. The unique
+                # constraint catches it — re-fetch instead of propagating the error.
+                try:
+                    with transaction.atomic():
+                        env_key = EnvironmentKey.objects.create(
+                            **key_filter,
+                            identity_key=account.identity_key,
+                            wrapped_seed=wrapped_seed,
+                            wrapped_salt=wrapped_salt,
+                        )
+                except IntegrityError:
+                    env_key = EnvironmentKey.objects.get(
+                        deleted_at__isnull=True, **key_filter
+                    )
 
             EnvironmentKeyGrant.objects.get_or_create(
                 environment_key=env_key,

From 9a232b015bfdef7de410222f257dfbd492212abd Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:08:26 +0530
Subject: [PATCH 084/118] fix: wrap multi-step team mutations in atomic
 transactions

---
 backend/backend/graphene/mutations/teams.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 3f9b5f0c4..02547eae2 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -1,5 +1,6 @@
 import graphene
 from graphql import GraphQLError
+from django.db import transaction
 from django.utils import timezone
 from api.models import (
     App,
@@ -59,6 +60,7 @@ class Arguments:
     team = graphene.Field(TeamType)
 
     @classmethod
+    @transaction.atomic
     def mutate(
         cls,
         root,
@@ -230,6 +232,7 @@ class Arguments:
     ok = graphene.Boolean()
 
     @classmethod
+    @transaction.atomic
     def mutate(cls, root, info, team_id):
         user = info.context.user
         team = Team.objects.get(id=team_id, deleted_at__isnull=True)
@@ -275,6 +278,7 @@ class Arguments:
     team = graphene.Field(TeamType)
 
     @classmethod
+    @transaction.atomic
     def mutate(cls, root, info, team_id, member_ids, member_type=MemberType.USER):
         user = info.context.user
         team = Team.objects.get(id=team_id, deleted_at__isnull=True)
@@ -341,6 +345,7 @@ class Arguments:
     team = graphene.Field(TeamType)
 
     @classmethod
+    @transaction.atomic
     def mutate(cls, root, info, team_id, member_id, member_type=MemberType.USER):
         user = info.context.user
         team = Team.objects.get(id=team_id, deleted_at__isnull=True)
@@ -394,6 +399,7 @@ class Arguments:
     team = graphene.Field(TeamType)
 
     @classmethod
+    @transaction.atomic
     def mutate(cls, root, info, team_id, app_envs):
         user = info.context.user
         team = Team.objects.get(id=team_id, deleted_at__isnull=True)
@@ -449,6 +455,7 @@ class Arguments:
     team = graphene.Field(TeamType)
 
     @classmethod
+    @transaction.atomic
     def mutate(cls, root, info, team_id, app_id):
         user = info.context.user
         team = Team.objects.get(id=team_id, deleted_at__isnull=True)
@@ -487,6 +494,7 @@ class Arguments:
     team = graphene.Field(TeamType)
 
     @classmethod
+    @transaction.atomic
     def mutate(cls, root, info, team_id, app_id, env_ids):
         user = info.context.user
         team = Team.objects.get(id=team_id, deleted_at__isnull=True)

From b584bb6e77609ed20ac11d18ef651b9a416fa4d1 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:08:31 +0530
Subject: [PATCH 085/118] refactor: remove service account ownership transfer
 due to crypto and access inconsistencies

---
 .../graphene/mutations/service_accounts.py    |  54 -----
 backend/backend/schema.py                     |   2 -
 frontend/apollo/gql.ts                        |   6 -
 frontend/apollo/graphql.ts                    |  37 ----
 frontend/apollo/schema.graphql                |  22 --
 .../service-accounts/[account]/page.tsx       | 191 +-----------------
 .../updateServiceAccountOwnership.gql         |  11 -
 7 files changed, 1 insertion(+), 322 deletions(-)
 delete mode 100644 frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index 4b20922fa..c024c7c4f 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -519,57 +519,3 @@ def mutate(cls, root, info, service_account_id, name, expiry=None):
         )
 
 
-class UpdateServiceAccountOwnershipMutation(graphene.Mutation):
-    """Transfer a service account between org-level and team ownership.
-
-    - team_id=null: Promote team-owned SA to org-level (clears team FK).
-    - team_id=<id>: Assign SA to a team (narrows visibility to team members).
-
-    Requires global_access (Owner/Admin only).
-    """
-
-    class Arguments:
-        service_account_id = graphene.ID(required=True)
-        team_id = graphene.ID(required=False)
-
-    service_account = graphene.Field(ServiceAccountType)
-
-    @classmethod
-    def mutate(cls, root, info, service_account_id, team_id=None):
-        user = info.context.user
-        service_account = ServiceAccount.objects.get(
-            id=service_account_id, deleted_at__isnull=True
-        )
-        org = service_account.organisation
-
-        # Only Owner/Admin can transfer ownership
-        org_member = OrganisationMember.objects.get(
-            user=user, organisation=org, deleted_at=None
-        )
-        if not role_has_global_access(org_member.role):
-            raise GraphQLError(
-                "Only organisation owners and admins can transfer service account ownership"
-            )
-
-        old_team = service_account.team
-
-        if team_id is None:
-            # Promote to org-level
-            service_account.team = None
-            service_account.save()
-        else:
-            # Assign to team
-            new_team = Team.objects.get(
-                id=team_id, organisation=org, deleted_at__isnull=True
-            )
-            service_account.team = new_team
-            service_account.save()
-
-            # Ensure SA is a member of the new team
-            TeamMembership.objects.get_or_create(
-                team=new_team, service_account=service_account
-            )
-
-        return UpdateServiceAccountOwnershipMutation(
-            service_account=service_account
-        )
diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index ac5c85d77..03191d914 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -35,7 +35,6 @@
     EnableServiceAccountServerSideKeyManagementMutation,
     UpdateServiceAccountHandlersMutation,
     UpdateServiceAccountMutation,
-    UpdateServiceAccountOwnershipMutation,
 )
 from api.utils.syncing.vercel.main import VercelTeamProjectsType
 from .graphene.queries.syncing import (
@@ -1237,7 +1236,6 @@ class Mutation(graphene.ObjectType):
     create_service_account_token = CreateServiceAccountTokenMutation.Field()
     create_server_side_service_account_token = CreateServerSideServiceAccountTokenMutation.Field()
     delete_service_account_token = DeleteServiceAccountTokenMutation.Field()
-    update_service_account_ownership = UpdateServiceAccountOwnershipMutation.Field()
 
     init_env_sync = InitEnvSync.Field()
     delete_env_sync = DeleteSync.Field()
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index b682da954..7b4fae66e 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -88,7 +88,6 @@ type Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": typeof types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": typeof types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOpDocument,
-    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewCfPagesSyncDocument,
@@ -268,7 +267,6 @@ const documents: Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
-    "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOwnershipOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
@@ -684,10 +682,6 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
-/**
- * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
- */
-export function graphql(source: "mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {\n  updateServiceAccountOwnership(\n    serviceAccountId: $serviceAccountId\n    teamId: $teamId\n  ) {\n    serviceAccount {\n      id\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 47ca245ee..d05b72d7e 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -1159,15 +1159,6 @@ export type Mutation = {
   updateProviderCredentials?: Maybe<UpdateProviderCredentials>;
   updateServiceAccount?: Maybe<UpdateServiceAccountMutation>;
   updateServiceAccountHandlers?: Maybe<UpdateServiceAccountHandlersMutation>;
-  /**
-   * Transfer a service account between org-level and team ownership.
-   *
-   * - team_id=null: Promote team-owned SA to org-level (clears team FK).
-   * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
-   *
-   * Requires global_access (Owner/Admin only).
-   */
-  updateServiceAccountOwnership?: Maybe<UpdateServiceAccountOwnershipMutation>;
   updateSyncAuthentication?: Maybe<UpdateSyncAuthentication>;
   updateTeam?: Maybe<UpdateTeamMutation>;
   updateTeamAppEnvironments?: Maybe<UpdateTeamAppEnvironmentsMutation>;
@@ -1916,12 +1907,6 @@ export type MutationUpdateServiceAccountHandlersArgs = {
 };
 
 
-export type MutationUpdateServiceAccountOwnershipArgs = {
-  serviceAccountId: Scalars['ID']['input'];
-  teamId?: InputMaybe<Scalars['ID']['input']>;
-};
-
-
 export type MutationUpdateSyncAuthenticationArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   syncId?: InputMaybe<Scalars['ID']['input']>;
@@ -2998,19 +2983,6 @@ export type UpdateServiceAccountMutation = {
   serviceAccount?: Maybe<ServiceAccountType>;
 };
 
-/**
- * Transfer a service account between org-level and team ownership.
- *
- * - team_id=null: Promote team-owned SA to org-level (clears team FK).
- * - team_id=<id>: Assign SA to a team (narrows visibility to team members).
- *
- * Requires global_access (Owner/Admin only).
- */
-export type UpdateServiceAccountOwnershipMutation = {
-  __typename?: 'UpdateServiceAccountOwnershipMutation';
-  serviceAccount?: Maybe<ServiceAccountType>;
-};
-
 export type UpdateSubscriptionResponse = {
   __typename?: 'UpdateSubscriptionResponse';
   cancelledAt?: Maybe<Scalars['String']['output']>;
@@ -3754,14 +3726,6 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
 
 export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
-export type UpdateServiceAccountOwnershipOpMutationVariables = Exact<{
-  serviceAccountId: Scalars['ID']['input'];
-  teamId?: InputMaybe<Scalars['ID']['input']>;
-}>;
-
-
-export type UpdateServiceAccountOwnershipOpMutation = { __typename?: 'Mutation', updateServiceAccountOwnership?: { __typename?: 'UpdateServiceAccountOwnershipMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, team?: { __typename?: 'TeamType', id: string, name: string } | null } | null } | null };
-
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
   path: Scalars['String']['input'];
@@ -4679,7 +4643,6 @@ export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitio
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
-export const UpdateServiceAccountOwnershipOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOwnershipOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"teamId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"teamId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOwnershipOpMutation, UpdateServiceAccountOwnershipOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewAzureKeyVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAzureKeyVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAzureKeyVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultUri"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}}},{"kind":"Argument","name":{"kind":"Name","value":"syncMode"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAzureKeyVaultSyncMutation, CreateNewAzureKeyVaultSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 4850f8f8d..f0b8fe533 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -1191,16 +1191,6 @@ type Mutation {
   """
   createServerSideServiceAccountToken(expiry: BigInt, name: String!, serviceAccountId: ID!): CreateServerSideServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
-
-  """
-  Transfer a service account between org-level and team ownership.
-  
-  - team_id=null: Promote team-owned SA to org-level (clears team FK).
-  - team_id=<id>: Assign SA to a team (narrows visibility to team members).
-  
-  Requires global_access (Owner/Admin only).
-  """
-  updateServiceAccountOwnership(serviceAccountId: ID!, teamId: ID): UpdateServiceAccountOwnershipMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
@@ -1549,18 +1539,6 @@ type DeleteServiceAccountTokenMutation {
   ok: Boolean
 }
 
-"""
-Transfer a service account between org-level and team ownership.
-
-- team_id=null: Promote team-owned SA to org-level (clears team FK).
-- team_id=<id>: Assign SA to a team (narrows visibility to team members).
-
-Requires global_access (Owner/Admin only).
-"""
-type UpdateServiceAccountOwnershipMutation {
-  serviceAccount: ServiceAccountType
-}
-
 type InitEnvSync {
   app: AppType
 }
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index 9456a0281..fccf0142c 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -8,17 +8,15 @@ import { GetTeams } from '@/graphql/queries/teams/getTeams.gql'
 import { userHasPermission, userHasGlobalAccess } from '@/utils/access/permissions'
 import { useMutation, useQuery } from '@apollo/client'
 import Link from 'next/link'
-import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
+import { useContext, useEffect, useMemo, useState } from 'react'
 import {
   FaBan,
   FaBoxOpen,
   FaBuilding,
-  FaChevronDown,
   FaChevronLeft,
   FaCog,
   FaEdit,
   FaNetworkWired,
-  FaUsers,
   FaUsersCog,
 } from 'react-icons/fa'
 import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
@@ -38,19 +36,11 @@ import { UpdateAccountNetworkPolicies } from '@/components/access/UpdateAccountN
 import { ServiceAccountTokens } from './_components/ServiceAccountTokens'
 import { KeyManagementDialog } from '@/components/service-accounts/KeyManagementDialog'
 import { ServiceAccountIdentities } from './_components/ServiceAccountIdentities'
-import { UpdateServiceAccountOwnershipOp } from '@/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql'
-import GenericDialog from '@/components/common/GenericDialog'
-import { Alert } from '@/components/common/Alert'
-import { Listbox } from '@headlessui/react'
-import clsx from 'clsx'
 
 export default function ServiceAccount({ params }: { params: { team: string; account: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
   const [name, setName] = useState('')
-  const [selectedTeamId, setSelectedTeamId] = useState<string | null>(null)
-  const [savingOwnership, setSavingOwnership] = useState(false)
-  const ownershipDialogRef = useRef<{ closeModal: () => void }>(null)
 
   // Org-level permissions (always use org role, not overridden by team)
   const userCanReadTeams = organisation
@@ -78,7 +68,6 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
   })
 
   const [updateAccount] = useMutation(UpdateServiceAccountOp)
-  const [updateOwnership] = useMutation(UpdateServiceAccountOwnershipOp)
 
   const account: ServiceAccountType = data?.serviceAccounts[0]
   const isTeamOwned = !!account?.team
@@ -121,21 +110,6 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     )
   }, [teamsData, account])
 
-  const isMultiTeamOrg = !isTeamOwned && accountTeams.length > 1
-
-  // Ownership management: global access or team owner
-  const userCanManageOwnership = userIsGlobalAccess || isTeamOwner
-
-  // Non global-access users only see teams they're a member of (for ownership dialog)
-  const availableTeams = useMemo(() => {
-    if (!teamsData?.teams) return []
-    const allTeams = teamsData.teams as TeamType[]
-    if (userIsGlobalAccess) return allTeams
-    return allTeams.filter((t) =>
-      t.members?.some((m) => m.orgMember?.id === organisation?.memberId)
-    )
-  }, [teamsData, userIsGlobalAccess, organisation])
-
   const nameUpdated = account ? account.name !== name : false
 
   const updateName = async () => {
@@ -161,34 +135,6 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
 
   const resetName = () => setName(account.name)
 
-  const handleOwnershipSave = async () => {
-    setSavingOwnership(true)
-    try {
-      await updateOwnership({
-        variables: {
-          serviceAccountId: account.id,
-          teamId: selectedTeamId,
-        },
-        refetchQueries: [
-          {
-            query: GetServiceAccountDetail,
-            variables: { orgId: organisation?.id, id: params.account },
-          },
-        ],
-      })
-      toast.success(
-        selectedTeamId
-          ? 'Service account assigned to team'
-          : 'Service account promoted to organisation level'
-      )
-      if (ownershipDialogRef.current) ownershipDialogRef.current.closeModal()
-    } catch (e: any) {
-      toast.error(e.message)
-    } finally {
-      setSavingOwnership(false)
-    }
-  }
-
   useEffect(() => {
     if (account) setName(account.name)
   }, [account])
@@ -329,141 +275,6 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           </div>
         </div>
 
-        {userCanManageOwnership && userCanReadTeams && (
-          <div className="py-4 space-y-3">
-            <div className="flex items-center justify-between">
-              <div>
-                <div className="text-base font-medium">Ownership</div>
-                <div className="text-neutral-500 text-sm">
-                  {account.team
-                    ? 'This account is owned by a team and only visible to team members.'
-                    : 'This account is organisation-level and visible to all members with permission.'}
-                </div>
-              </div>
-              <GenericDialog
-                title="Manage Ownership"
-                buttonContent={<>Manage</>}
-                buttonVariant="secondary"
-                size="sm"
-                ref={ownershipDialogRef}
-                onOpen={() => {
-                  setSelectedTeamId(account.team?.id || null)
-                  setSavingOwnership(false)
-                }}
-              >
-                <div className="pt-4 space-y-4">
-                  <p className="text-sm text-neutral-500">
-                    Change who owns and manages this service account.
-                  </p>
-
-                  <Listbox
-                    value={selectedTeamId}
-                    onChange={setSelectedTeamId}
-                    disabled={isMultiTeamOrg}
-                  >
-                    {({ open }) => (
-                      <div className="relative">
-                        <Listbox.Button
-                          className={clsx(
-                            'w-full flex items-center justify-between gap-2 py-2 px-3 rounded-md bg-zinc-100 dark:bg-zinc-800 text-sm',
-                            isMultiTeamOrg ? 'opacity-60 cursor-not-allowed' : 'cursor-pointer'
-                          )}
-                        >
-                          <span className="flex items-center gap-1.5">
-                            {selectedTeamId ? (
-                              <>
-                                <FaUsers className="text-blue-500 text-xs" />
-                                {availableTeams.find((t) => t.id === selectedTeamId)?.name ||
-                                  account.team?.name}
-                              </>
-                            ) : (
-                              <>
-                                <FaBuilding className="text-neutral-500 text-xs" />
-                                Organisation (no team)
-                              </>
-                            )}
-                          </span>
-                          <FaChevronDown
-                            className={clsx(
-                              'transition-transform ease duration-300 text-neutral-500 text-xs',
-                              open ? 'rotate-180' : 'rotate-0'
-                            )}
-                          />
-                        </Listbox.Button>
-                        <Listbox.Options className="absolute z-10 mt-1 w-full bg-zinc-200 dark:bg-zinc-800 rounded-md shadow-2xl p-1 max-h-60 overflow-auto focus:outline-none">
-                          {userIsGlobalAccess && (
-                            <Listbox.Option value={null} as={Fragment}>
-                              {({ active, selected }) => (
-                                <div
-                                  className={clsx(
-                                    'px-3 py-2 cursor-pointer rounded text-sm flex items-center gap-1.5',
-                                    active && 'bg-zinc-300 dark:bg-zinc-700',
-                                    selected && 'font-medium'
-                                  )}
-                                >
-                                  <FaBuilding className="text-neutral-500 text-xs" />
-                                  Organisation (no team)
-                                </div>
-                              )}
-                            </Listbox.Option>
-                          )}
-                          {availableTeams.map((t) => (
-                            <Listbox.Option key={t.id} value={t.id} as={Fragment}>
-                              {({ active, selected }) => (
-                                <div
-                                  className={clsx(
-                                    'px-3 py-2 cursor-pointer rounded text-sm flex items-center gap-1.5',
-                                    active && 'bg-zinc-300 dark:bg-zinc-700',
-                                    selected && 'font-medium'
-                                  )}
-                                >
-                                  <FaUsers className="text-blue-500 text-xs" />
-                                  {t.name}
-                                </div>
-                              )}
-                            </Listbox.Option>
-                          ))}
-                        </Listbox.Options>
-                      </div>
-                    )}
-                  </Listbox>
-
-                  {isMultiTeamOrg && (
-                    <Alert variant="info" icon size="sm">
-                      <span className="text-xs">
-                        This account is a member of multiple teams and cannot be assigned to a
-                        specific team. Remove the account from all but one team before changing
-                        ownership.
-                      </span>
-                    </Alert>
-                  )}
-
-                  {isTeamOwned && selectedTeamId === null && (
-                    <Alert variant="warning" icon size="sm">
-                      <span className="text-xs">
-                        Promoting this account to organisation level will make it visible and
-                        manageable by all users with the relevant permissions. The existing team
-                        membership will be preserved.
-                      </span>
-                    </Alert>
-                  )}
-
-                  <div className="flex justify-end pt-2">
-                    <Button
-                      variant="primary"
-                      onClick={handleOwnershipSave}
-                      isLoading={savingOwnership}
-                      disabled={isMultiTeamOrg || selectedTeamId === (account.team?.id || null)}
-                    >
-                      Save
-                    </Button>
-                  </div>
-                </div>
-              </GenericDialog>
-            </div>
-          </div>
-        )}
-
         {userCanReadTeams && (
           <div className="py-4 space-y-3">
             <div>
diff --git a/frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql b/frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql
deleted file mode 100644
index f388a4fb8..000000000
--- a/frontend/graphql/mutations/service-accounts/updateServiceAccountOwnership.gql
+++ /dev/null
@@ -1,11 +0,0 @@
-mutation UpdateServiceAccountOwnershipOp($serviceAccountId: ID!, $teamId: ID) {
-  updateServiceAccountOwnership(serviceAccountId: $serviceAccountId, teamId: $teamId) {
-    serviceAccount {
-      id
-      team {
-        id
-        name
-      }
-    }
-  }
-}

From 7e56eeb183e1552b008d3317ac6df1a7345be18b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:17:17 +0530
Subject: [PATCH 086/118] fix: avoid leaking exception messages in SCIM error
 responses

---
 backend/ee/authentication/scim/views/groups.py | 4 ++--
 backend/ee/authentication/scim/views/users.py  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/ee/authentication/scim/views/groups.py b/backend/ee/authentication/scim/views/groups.py
index 7f806bfc3..a138ae674 100644
--- a/backend/ee/authentication/scim/views/groups.py
+++ b/backend/ee/authentication/scim/views/groups.py
@@ -196,9 +196,9 @@ def _create_group(request, org):
             is_scim_managed=True,
             created_by=None,
         )
-    except Exception as e:
+    except Exception:
         logger.exception("Failed to create team for SCIM group")
-        return scim_server_error(str(e))
+        return scim_server_error()
 
     # Create SCIMGroup
     try:
diff --git a/backend/ee/authentication/scim/views/users.py b/backend/ee/authentication/scim/views/users.py
index e2c7faf10..08b78b8e3 100644
--- a/backend/ee/authentication/scim/views/users.py
+++ b/backend/ee/authentication/scim/views/users.py
@@ -185,7 +185,7 @@ def _create_user(request, org):
             status="error", response_status=500,
             response_body={"detail": str(e)},
         )
-        return scim_server_error(str(e))
+        return scim_server_error()
 
     if not active:
         deactivate_scim_user(scim_user)

From 3f42f73cda21d83403bbb0fd057e61d494de2c15 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:17:45 +0530
Subject: [PATCH 087/118] fix: cap SCIM filter length to prevent polynomial
 ReDoS

---
 backend/ee/authentication/scim/filters.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/backend/ee/authentication/scim/filters.py b/backend/ee/authentication/scim/filters.py
index c4a3a6a8c..c04d946e0 100644
--- a/backend/ee/authentication/scim/filters.py
+++ b/backend/ee/authentication/scim/filters.py
@@ -1,5 +1,10 @@
 import re
 
+# Cap filter input to bound regex matching time. Real SCIM filters are short
+# (typically a single `attr eq "value"` clause); anything over this is rejected
+# to prevent polynomial backtracking on adversarial whitespace-heavy input.
+MAX_FILTER_LENGTH = 1024
+
 
 def parse_scim_filter(filter_string):
     """
@@ -11,7 +16,7 @@ def parse_scim_filter(filter_string):
 
     Returns a list of (attribute, operator, value) tuples.
     """
-    if not filter_string:
+    if not filter_string or len(filter_string) > MAX_FILTER_LENGTH:
         return []
 
     clauses = []

From b1c99b1a9416b84c58837377f69be36efe9b981a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:17:45 +0530
Subject: [PATCH 088/118] test: mock ServiceAccount in SCIM group delete tests

---
 .../ee/authentication/scim/test_groups.py     | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/backend/tests/ee/authentication/scim/test_groups.py b/backend/tests/ee/authentication/scim/test_groups.py
index 1ffd8814d..cc65764a4 100644
--- a/backend/tests/ee/authentication/scim/test_groups.py
+++ b/backend/tests/ee/authentication/scim/test_groups.py
@@ -901,10 +901,12 @@ def test_patch_no_operations_returns_400(self, MockSCIMGroup, mock_log, scim_cli
 
 class TestDeleteGroup:
 
+    @patch(f"{_P}.ServiceAccountToken")
+    @patch(f"{_P}.ServiceAccount")
     @patch(f"{_P}.log_scim_event")
     @patch(f"{_P}.revoke_team_environment_keys")
     @patch(f"{_P}.SCIMGroup")
-    def test_delete_returns_204(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+    def test_delete_returns_204(self, MockSCIMGroup, mock_revoke, mock_log, MockSA, MockSAToken, scim_client):
         eng = make_mock_scim_group(display_name="Engineering")
         MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
         MockSCIMGroup.DoesNotExist = Exception
@@ -912,10 +914,12 @@ def test_delete_returns_204(self, MockSCIMGroup, mock_revoke, mock_log, scim_cli
         resp = scim_client.delete(group_url(eng.id))
         assert resp.status_code == 204
 
+    @patch(f"{_P}.ServiceAccountToken")
+    @patch(f"{_P}.ServiceAccount")
     @patch(f"{_P}.log_scim_event")
     @patch(f"{_P}.revoke_team_environment_keys")
     @patch(f"{_P}.SCIMGroup")
-    def test_delete_soft_deletes_team(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+    def test_delete_soft_deletes_team(self, MockSCIMGroup, mock_revoke, mock_log, MockSA, MockSAToken, scim_client):
         eng = make_mock_scim_group(display_name="Engineering")
         MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
         MockSCIMGroup.DoesNotExist = Exception
@@ -924,10 +928,12 @@ def test_delete_soft_deletes_team(self, MockSCIMGroup, mock_revoke, mock_log, sc
         assert eng.team.deleted_at is not None
         eng.team.save.assert_called()
 
+    @patch(f"{_P}.ServiceAccountToken")
+    @patch(f"{_P}.ServiceAccount")
     @patch(f"{_P}.log_scim_event")
     @patch(f"{_P}.revoke_team_environment_keys")
     @patch(f"{_P}.SCIMGroup")
-    def test_delete_removes_scim_group_record(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+    def test_delete_removes_scim_group_record(self, MockSCIMGroup, mock_revoke, mock_log, MockSA, MockSAToken, scim_client):
         eng = make_mock_scim_group(display_name="Engineering")
         MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
         MockSCIMGroup.DoesNotExist = Exception
@@ -935,10 +941,12 @@ def test_delete_removes_scim_group_record(self, MockSCIMGroup, mock_revoke, mock
         scim_client.delete(group_url(eng.id))
         eng.delete.assert_called_once()
 
+    @patch(f"{_P}.ServiceAccountToken")
+    @patch(f"{_P}.ServiceAccount")
     @patch(f"{_P}.log_scim_event")
     @patch(f"{_P}.revoke_team_environment_keys")
     @patch(f"{_P}.SCIMGroup")
-    def test_delete_logs_event(self, MockSCIMGroup, mock_revoke, mock_log, scim_client):
+    def test_delete_logs_event(self, MockSCIMGroup, mock_revoke, mock_log, MockSA, MockSAToken, scim_client):
         eng = make_mock_scim_group(display_name="Engineering")
         MockSCIMGroup.objects.select_related.return_value.get.return_value = eng
         MockSCIMGroup.DoesNotExist = Exception
@@ -958,11 +966,13 @@ def test_delete_nonexistent_returns_404(self, MockSCIMGroup, mock_log, scim_clie
         resp = scim_client.delete(group_url("nonexistent-id"))
         assert resp.status_code == 404
 
+    @patch(f"{_P}.ServiceAccountToken")
+    @patch(f"{_P}.ServiceAccount")
     @patch(f"{_P}.log_scim_event")
     @patch(f"{_P}.revoke_team_environment_keys")
     @patch(f"{_P}.SCIMGroup")
     def test_delete_revokes_team_environment_keys(
-        self, MockSCIMGroup, mock_revoke, mock_log, scim_client
+        self, MockSCIMGroup, mock_revoke, mock_log, MockSA, MockSAToken, scim_client
     ):
         eng = make_mock_scim_group(display_name="Engineering")
         MockSCIMGroup.objects.select_related.return_value.get.return_value = eng

From 1c5d91106f09e0e92226efe1ec1764b808cc16c2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:51:39 +0530
Subject: [PATCH 089/118] feat: paywall CreateTeamDialog behind Pro plan on
 free tier

---
 .../teams/_components/CreateTeamDialog.tsx    | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx b/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
index 1f41741ad..f041adca9 100644
--- a/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
+++ b/frontend/app/[team]/access/teams/_components/CreateTeamDialog.tsx
@@ -1,6 +1,6 @@
 'use client'
 
-import { RoleType } from '@/apollo/graphql'
+import { ApiOrganisationPlanChoices, RoleType } from '@/apollo/graphql'
 import GenericDialog from '@/components/common/GenericDialog'
 import { Button } from '@/components/common/Button'
 import { Input } from '@/components/common/Input'
@@ -15,6 +15,8 @@ import { FaChevronDown, FaPlus, FaUserShield, FaRobot } from 'react-icons/fa'
 import { Listbox } from '@headlessui/react'
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
+import { UpsellDialog } from '@/components/settings/organisation/UpsellDialog'
+import { PlanLabel } from '@/components/settings/organisation/PlanLabel'
 
 const RoleSelector = ({
   value,
@@ -98,9 +100,11 @@ const RoleSelector = ({
 export const CreateTeamDialog = () => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
 
+  const upsell = organisation?.plan === ApiOrganisationPlanChoices.Fr
+
   const { data: roleData } = useQuery(GetRoles, {
     variables: { orgId: organisation?.id },
-    skip: !organisation,
+    skip: !organisation || upsell,
   })
 
   const [createTeam, { loading: createPending }] = useMutation(CreateTeamOp)
@@ -147,6 +151,18 @@ export const CreateTeamDialog = () => {
     }
   }
 
+  if (upsell)
+    return (
+      <UpsellDialog
+        title="Upgrade to Pro to create Teams"
+        buttonLabel={
+          <>
+            <FaPlus /> Create Team <PlanLabel plan={ApiOrganisationPlanChoices.Pr} />
+          </>
+        }
+      />
+    )
+
   return (
     <GenericDialog
       title="Create a new Team"

From 0d099b7f4252dac498ec3f0b182a77d8fc61799c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 21:51:44 +0530
Subject: [PATCH 090/118] feat: spell out team deletion consequences in delete
 dialog

---
 .../teams/_components/DeleteTeamDialog.tsx    | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx b/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx
index 8135a7c84..9b6ea104c 100644
--- a/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx
+++ b/frontend/app/[team]/access/teams/_components/DeleteTeamDialog.tsx
@@ -48,17 +48,27 @@ export const DeleteTeamDialog = ({
   return (
     <GenericDialog
       title={`Delete ${teamName}`}
-      buttonContent={<FaTrashAlt />}
+      buttonContent={
+        <div className="py-1">
+          <FaTrashAlt />
+        </div>
+      }
       buttonVariant="danger"
-      buttonProps={{ classString: 'py-0.5' }}
       ref={dialogRef}
       onClose={() => setConfirmName('')}
     >
       <div className="space-y-4 pt-4">
-        <p className="text-sm text-neutral-500">
-          This will permanently delete the team <strong>{teamName}</strong> and revoke all
-          environment key grants associated with it. This action cannot be undone.
-        </p>
+        <div className="text-sm text-neutral-500 space-y-2">
+          <p>
+            Deleting <strong>{teamName}</strong> will:
+          </p>
+          <ul className="list-disc pl-5 space-y-1">
+            <li>Revoke all team-based environment access grants</li>
+            <li>Delete all team-owned service accounts and revoke their tokens</li>
+            <li>Remove all team memberships</li>
+          </ul>
+          <p>This action cannot be undone.</p>
+        </div>
         <div className="space-y-2">
           <label className="block text-neutral-500 text-xs">
             Type <strong>{teamName}</strong> to confirm

From 4d47779e0bbe646e6788660e47988823f4ea4d94 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 18 Apr 2026 22:02:19 +0530
Subject: [PATCH 091/118] fix: rewrite SCIM filter split with lookarounds to
 eliminate ReDoS pattern

---
 backend/ee/authentication/scim/filters.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/ee/authentication/scim/filters.py b/backend/ee/authentication/scim/filters.py
index c04d946e0..bbf04ea65 100644
--- a/backend/ee/authentication/scim/filters.py
+++ b/backend/ee/authentication/scim/filters.py
@@ -20,8 +20,9 @@ def parse_scim_filter(filter_string):
         return []
 
     clauses = []
-    # Split on ' and ' (case-insensitive)
-    parts = re.split(r"\s+and\s+", filter_string, flags=re.IGNORECASE)
+    # Split on ' and ' (case-insensitive). Lookarounds keep the pattern
+    # non-backtracking: no `\s+` quantifier means no polynomial worst case.
+    parts = re.split(r"(?<=\s)and(?=\s)", filter_string, flags=re.IGNORECASE)
 
     for part in parts:
         part = part.strip()

From 721a2838791ae2f8678b9b7268eb1ffecf1bee18 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 1 May 2026 16:58:06 +0530
Subject: [PATCH 092/118] chore: renumber team and scim migrations to follow
 main's auth chain

Rebase put main's 0120-0122 (email verification, OrganisationSSOProvider,
SSO audit FKs) ahead of the team migrations. Renumber 0120-0123 to
0123-0126 and update dependencies so the graph stays linear.
---
 .../{0120_add_team_models.py => 0123_add_team_models.py}        | 2 +-
 ...nt_key_grants.py => 0124_backfill_environment_key_grants.py} | 2 +-
 .../{0122_teams_and_scim.py => 0125_teams_and_scim.py}          | 2 +-
 ...{0123_populate_team_owner.py => 0126_populate_team_owner.py} | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
 rename backend/api/migrations/{0120_add_team_models.py => 0123_add_team_models.py} (98%)
 rename backend/api/migrations/{0121_backfill_environment_key_grants.py => 0124_backfill_environment_key_grants.py} (97%)
 rename backend/api/migrations/{0122_teams_and_scim.py => 0125_teams_and_scim.py} (99%)
 rename backend/api/migrations/{0123_populate_team_owner.py => 0126_populate_team_owner.py} (93%)

diff --git a/backend/api/migrations/0120_add_team_models.py b/backend/api/migrations/0123_add_team_models.py
similarity index 98%
rename from backend/api/migrations/0120_add_team_models.py
rename to backend/api/migrations/0123_add_team_models.py
index 66f16242b..792126da0 100644
--- a/backend/api/migrations/0120_add_team_models.py
+++ b/backend/api/migrations/0123_add_team_models.py
@@ -8,7 +8,7 @@
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('api', '0119_secretevent_type_field'),
+        ('api', '0122_sso_audit_fks_set_null'),
     ]
 
     operations = [
diff --git a/backend/api/migrations/0121_backfill_environment_key_grants.py b/backend/api/migrations/0124_backfill_environment_key_grants.py
similarity index 97%
rename from backend/api/migrations/0121_backfill_environment_key_grants.py
rename to backend/api/migrations/0124_backfill_environment_key_grants.py
index 70e975ea4..39b35809c 100644
--- a/backend/api/migrations/0121_backfill_environment_key_grants.py
+++ b/backend/api/migrations/0124_backfill_environment_key_grants.py
@@ -38,7 +38,7 @@ def reverse_backfill(apps, schema_editor):
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("api", "0120_add_team_models"),
+        ("api", "0123_add_team_models"),
     ]
 
     operations = [
diff --git a/backend/api/migrations/0122_teams_and_scim.py b/backend/api/migrations/0125_teams_and_scim.py
similarity index 99%
rename from backend/api/migrations/0122_teams_and_scim.py
rename to backend/api/migrations/0125_teams_and_scim.py
index fb51ae07a..68fb9423f 100644
--- a/backend/api/migrations/0122_teams_and_scim.py
+++ b/backend/api/migrations/0125_teams_and_scim.py
@@ -9,7 +9,7 @@
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('api', '0121_backfill_environment_key_grants'),
+        ('api', '0124_backfill_environment_key_grants'),
     ]
 
     operations = [
diff --git a/backend/api/migrations/0123_populate_team_owner.py b/backend/api/migrations/0126_populate_team_owner.py
similarity index 93%
rename from backend/api/migrations/0123_populate_team_owner.py
rename to backend/api/migrations/0126_populate_team_owner.py
index 439c709e1..1b13669f4 100644
--- a/backend/api/migrations/0123_populate_team_owner.py
+++ b/backend/api/migrations/0126_populate_team_owner.py
@@ -17,7 +17,7 @@ def reverse(apps, schema_editor):
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('api', '0122_teams_and_scim'),
+        ('api', '0125_teams_and_scim'),
     ]
 
     operations = [

From d1a34229167eba2e446c6e351ab4ee31f50f2b78 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 1 May 2026 17:08:39 +0530
Subject: [PATCH 093/118] fix: use userContext useSession in account-init page
 after NextAuth removal

---
 frontend/app/[team]/account-init/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/app/[team]/account-init/page.tsx b/frontend/app/[team]/account-init/page.tsx
index e6ca3c558..3dd4c7962 100644
--- a/frontend/app/[team]/account-init/page.tsx
+++ b/frontend/app/[team]/account-init/page.tsx
@@ -8,7 +8,7 @@ import { AccountRecovery } from '@/components/onboarding/AccountRecovery'
 import { LogoMark } from '@/components/common/LogoMark'
 import { organisationContext } from '@/contexts/organisationContext'
 import { useContext, useEffect, useState } from 'react'
-import { useSession } from 'next-auth/react'
+import { useSession } from '@/contexts/userContext'
 import { useRouter } from 'next/navigation'
 import { useMutation } from '@apollo/client'
 import { MdKey, MdOutlinePassword } from 'react-icons/md'

From 9c4aae5f9464fb2c29ce126e86cd270e882c40f5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 1 May 2026 19:13:43 +0530
Subject: [PATCH 094/118] chore: regenerate GraphQL schema and codegen for
 merged main + team types

---
 frontend/apollo/gql.ts         |  66 ++++++-
 frontend/apollo/graphql.ts     | 319 ++++++++++++++++++++++++++++++++-
 frontend/apollo/schema.graphql | 215 ++++++++++++++++++++--
 3 files changed, 573 insertions(+), 27 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 7b4fae66e..9c0aa79d4 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -26,6 +26,8 @@ type Documents = {
     "mutation RemoveMemberFromApp($memberId: ID!, $memberType: MemberType, $appId: ID!) {\n  removeAppMember(memberId: $memberId, memberType: $memberType, appId: $appId) {\n    app {\n      id\n    }\n  }\n}": typeof types.RemoveMemberFromAppDocument,
     "mutation UpdateAppInfoOp($id: ID!, $name: String, $description: String) {\n  updateAppInfo(id: $id, name: $name, description: $description) {\n    app {\n      id\n      name\n      description\n    }\n  }\n}": typeof types.UpdateAppInfoOpDocument,
     "mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}": typeof types.UpdateEnvScopeDocument,
+    "mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.ChangePasswordDocument,
+    "mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.RecoverKeyringDocument,
     "mutation CancelStripeSubscription($organisationId: ID!, $subscriptionId: String!) {\n  cancelSubscription(\n    organisationId: $organisationId\n    subscriptionId: $subscriptionId\n  ) {\n    success\n  }\n}": typeof types.CancelStripeSubscriptionDocument,
     "mutation CreateStripeSetupIntentOp($organisationId: ID!) {\n  createSetupIntent(organisationId: $organisationId) {\n    clientSecret\n  }\n}": typeof types.CreateStripeSetupIntentOpDocument,
     "mutation DeleteStripePaymentMethod($organisationId: ID!, $paymentMethodId: String!) {\n  deletePaymentMethod(\n    organisationId: $organisationId\n    paymentMethodId: $paymentMethodId\n  ) {\n    ok\n  }\n}": typeof types.DeleteStripePaymentMethodDocument,
@@ -73,7 +75,7 @@ type Documents = {
     "mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.InitAccountKeysDocument,
     "mutation TransferOrgOwnership($organisationId: ID!, $newOwnerId: ID!, $billingEmail: String) {\n  transferOrganisationOwnership(\n    organisationId: $organisationId\n    newOwnerId: $newOwnerId\n    billingEmail: $billingEmail\n  ) {\n    ok\n  }\n}": typeof types.TransferOrgOwnershipDocument,
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": typeof types.UpdateMemberRoleDocument,
-    "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.UpdateWrappedSecretsDocument,
+    "mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": typeof types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": typeof types.RotateAppKeyDocument,
     "mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {\n  createScimToken(\n    organisationId: $organisationId\n    name: $name\n    expiryDays: $expiryDays\n  ) {\n    token\n    scimToken {\n      id\n      name\n      tokenPrefix\n      createdBy {\n        id\n        fullName\n        email\n        avatarUrl\n      }\n      createdAt\n      expiresAt\n      lastUsedAt\n    }\n  }\n}": typeof types.CreateScimTokenOpDocument,
     "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.DeleteScimTokenOpDocument,
@@ -88,6 +90,11 @@ type Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": typeof types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": typeof types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.UpdateServiceAccountOpDocument,
+    "mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}": typeof types.CreateOrgSsoProviderDocument,
+    "mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}": typeof types.DeleteOrgSsoProviderDocument,
+    "mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}": typeof types.TestOrgSsoProviderDocument,
+    "mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}": typeof types.UpdateOrgSsoProviderDocument,
+    "mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}": typeof types.UpdateOrgSecurityDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": typeof types.CreateNewCfPagesSyncDocument,
@@ -124,6 +131,7 @@ type Documents = {
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": typeof types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": typeof types.GetAppMembersDocument,
     "query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": typeof types.GetAppServiceAccountsDocument,
+    "query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}": typeof types.VerifyPasswordDocument,
     "query GetCheckoutDetails($stripeSessionId: String!) {\n  stripeCheckoutDetails(stripeSessionId: $stripeSessionId) {\n    paymentStatus\n    customerEmail\n    billingStartDate\n    billingEndDate\n    subscriptionId\n    planName\n  }\n}": typeof types.GetCheckoutDetailsDocument,
     "query GetCustomerPortalLink($organisationId: ID!) {\n  stripeCustomerPortalUrl(organisationId: $organisationId)\n}": typeof types.GetCustomerPortalLinkDocument,
     "query GetSubscriptionDetails($organisationId: ID!) {\n  stripeSubscriptionDetails(organisationId: $organisationId) {\n    subscriptionId\n    planName\n    planType\n    billingPeriod\n    status\n    nextPaymentAmount\n    currentPeriodStart\n    currentPeriodEnd\n    renewalDate\n    cancelAt\n    cancelAtPeriodEnd\n    paymentMethods {\n      id\n      brand\n      last4\n      expMonth\n      expYear\n      isDefault\n    }\n  }\n}": typeof types.GetSubscriptionDetailsDocument,
@@ -133,7 +141,7 @@ type Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": typeof types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": typeof types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}": typeof types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}": typeof types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": typeof types.GetAwsStsEndpointsDocument,
     "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": typeof types.GetIdentityProvidersDocument,
     "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
@@ -167,6 +175,7 @@ type Documents = {
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": typeof types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": typeof types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": typeof types.GetServiceAccountsDocument,
+    "query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}": typeof types.GetOrgSsoProvidersDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": typeof types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": typeof types.ValidateAwsAssumeRoleAuthDocument,
@@ -205,6 +214,8 @@ const documents: Documents = {
     "mutation RemoveMemberFromApp($memberId: ID!, $memberType: MemberType, $appId: ID!) {\n  removeAppMember(memberId: $memberId, memberType: $memberType, appId: $appId) {\n    app {\n      id\n    }\n  }\n}": types.RemoveMemberFromAppDocument,
     "mutation UpdateAppInfoOp($id: ID!, $name: String, $description: String) {\n  updateAppInfo(id: $id, name: $name, description: $description) {\n    app {\n      id\n      name\n      description\n    }\n  }\n}": types.UpdateAppInfoOpDocument,
     "mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}": types.UpdateEnvScopeDocument,
+    "mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.ChangePasswordDocument,
+    "mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.RecoverKeyringDocument,
     "mutation CancelStripeSubscription($organisationId: ID!, $subscriptionId: String!) {\n  cancelSubscription(\n    organisationId: $organisationId\n    subscriptionId: $subscriptionId\n  ) {\n    success\n  }\n}": types.CancelStripeSubscriptionDocument,
     "mutation CreateStripeSetupIntentOp($organisationId: ID!) {\n  createSetupIntent(organisationId: $organisationId) {\n    clientSecret\n  }\n}": types.CreateStripeSetupIntentOpDocument,
     "mutation DeleteStripePaymentMethod($organisationId: ID!, $paymentMethodId: String!) {\n  deletePaymentMethod(\n    organisationId: $organisationId\n    paymentMethodId: $paymentMethodId\n  ) {\n    ok\n  }\n}": types.DeleteStripePaymentMethodDocument,
@@ -252,7 +263,7 @@ const documents: Documents = {
     "mutation InitAccountKeys($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.InitAccountKeysDocument,
     "mutation TransferOrgOwnership($organisationId: ID!, $newOwnerId: ID!, $billingEmail: String) {\n  transferOrganisationOwnership(\n    organisationId: $organisationId\n    newOwnerId: $newOwnerId\n    billingEmail: $billingEmail\n  ) {\n    ok\n  }\n}": types.TransferOrgOwnershipDocument,
     "mutation UpdateMemberRole($memberId: ID!, $roleId: ID!) {\n  updateOrganisationMemberRole(memberId: $memberId, roleId: $roleId) {\n    orgMember {\n      id\n      role {\n        name\n      }\n    }\n  }\n}": types.UpdateMemberRoleDocument,
-    "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.UpdateWrappedSecretsDocument,
+    "mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}": types.UpdateWrappedSecretsDocument,
     "mutation RotateAppKey($id: ID!, $appToken: String!, $wrappedKeyShare: String!) {\n  rotateAppKeys(id: $id, appToken: $appToken, wrappedKeyShare: $wrappedKeyShare) {\n    app {\n      id\n    }\n  }\n}": types.RotateAppKeyDocument,
     "mutation CreateSCIMTokenOp($organisationId: ID!, $name: String!, $expiryDays: Int) {\n  createScimToken(\n    organisationId: $organisationId\n    name: $name\n    expiryDays: $expiryDays\n  ) {\n    token\n    scimToken {\n      id\n      name\n      tokenPrefix\n      createdBy {\n        id\n        fullName\n        email\n        avatarUrl\n      }\n      createdAt\n      expiresAt\n      lastUsedAt\n    }\n  }\n}": types.CreateScimTokenOpDocument,
     "mutation DeleteSCIMTokenOp($tokenId: ID!) {\n  deleteScimToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.DeleteScimTokenOpDocument,
@@ -267,6 +278,11 @@ const documents: Documents = {
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
+    "mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}": types.CreateOrgSsoProviderDocument,
+    "mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}": types.DeleteOrgSsoProviderDocument,
+    "mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}": types.TestOrgSsoProviderDocument,
+    "mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}": types.UpdateOrgSsoProviderDocument,
+    "mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}": types.UpdateOrgSecurityDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewAzureKeyVaultSync($envId: ID!, $path: String!, $credentialId: ID!, $vaultUri: String!, $syncMode: String!, $secretName: String) {\n  createAzureKeyVaultSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    vaultUri: $vaultUri\n    syncMode: $syncMode\n    secretName: $secretName\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAzureKeyVaultSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
@@ -303,6 +319,7 @@ const documents: Documents = {
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": types.GetAppMembersDocument,
     "query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": types.GetAppServiceAccountsDocument,
+    "query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}": types.VerifyPasswordDocument,
     "query GetCheckoutDetails($stripeSessionId: String!) {\n  stripeCheckoutDetails(stripeSessionId: $stripeSessionId) {\n    paymentStatus\n    customerEmail\n    billingStartDate\n    billingEndDate\n    subscriptionId\n    planName\n  }\n}": types.GetCheckoutDetailsDocument,
     "query GetCustomerPortalLink($organisationId: ID!) {\n  stripeCustomerPortalUrl(organisationId: $organisationId)\n}": types.GetCustomerPortalLinkDocument,
     "query GetSubscriptionDetails($organisationId: ID!) {\n  stripeSubscriptionDetails(organisationId: $organisationId) {\n    subscriptionId\n    planName\n    planType\n    billingPeriod\n    status\n    nextPaymentAmount\n    currentPeriodStart\n    currentPeriodEnd\n    renewalDate\n    cancelAt\n    cancelAtPeriodEnd\n    paymentMethods {\n      id\n      brand\n      last4\n      expMonth\n      expYear\n      isDefault\n    }\n  }\n}": types.GetSubscriptionDetailsDocument,
@@ -312,7 +329,7 @@ const documents: Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}": types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}": types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": types.GetAwsStsEndpointsDocument,
     "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": types.GetIdentityProvidersDocument,
     "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
@@ -346,6 +363,7 @@ const documents: Documents = {
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
+    "query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}": types.GetOrgSsoProvidersDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": types.GetAwsSecretsDocument,
     "query ValidateAWSAssumeRoleAuth {\n  validateAwsAssumeRoleAuth {\n    valid\n    message\n    method\n    error\n  }\n}": types.ValidateAwsAssumeRoleAuthDocument,
@@ -434,6 +452,14 @@ export function graphql(source: "mutation UpdateAppInfoOp($id: ID!, $name: Strin
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateEnvScope($memberId: ID!, $memberType: MemberType, $appId: ID!, $envKeys: [EnvironmentKeyInput]) {\n  updateMemberEnvironmentScope(\n    memberId: $memberId\n    memberType: $memberType\n    appId: $appId\n    envKeys: $envKeys\n  ) {\n    app {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation ChangePassword($orgId: ID!, $currentAuthHash: String!, $newAuthHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  changeAccountPassword(\n    orgId: $orgId\n    currentAuthHash: $currentAuthHash\n    newAuthHash: $newAuthHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation RecoverKeyring($orgId: ID!, $authHash: String!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  recoverAccountKeyring(\n    orgId: $orgId\n    authHash: $authHash\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -625,7 +651,7 @@ export function graphql(source: "mutation UpdateMemberRole($memberId: ID!, $role
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateWrappedSecrets($orgId: ID!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
+export function graphql(source: "mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"): (typeof documents)["mutation UpdateWrappedSecrets($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!) {\n  updateMemberWrappedSecrets(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n  ) {\n    orgMember {\n      id\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -682,6 +708,26 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}"): (typeof documents)["mutation CreateOrgSSOProvider($orgId: ID!, $providerType: String!, $name: String!, $config: JSONString!) {\n  createOrganisationSsoProvider(\n    orgId: $orgId\n    providerType: $providerType\n    name: $name\n    config: $config\n  ) {\n    providerId\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteOrgSSOProvider($providerId: ID!) {\n  deleteOrganisationSsoProvider(providerId: $providerId) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}"): (typeof documents)["mutation TestOrgSSOProvider($providerId: ID!) {\n  testOrganisationSsoProvider(providerId: $providerId) {\n    success\n    error\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}"): (typeof documents)["mutation UpdateOrgSSOProvider($providerId: ID!, $name: String, $config: JSONString, $enabled: Boolean) {\n  updateOrganisationSsoProvider(\n    providerId: $providerId\n    name: $name\n    config: $config\n    enabled: $enabled\n  ) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}"): (typeof documents)["mutation UpdateOrgSecurity($orgId: ID!, $requireSso: Boolean!) {\n  updateOrganisationSecurity(orgId: $orgId, requireSso: $requireSso) {\n    ok\n    sessionInvalidated\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -826,6 +872,10 @@ export function graphql(source: "query GetAppMembers($appId: ID!) {\n  appUsers(
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}"): (typeof documents)["query GetAppServiceAccounts($appId: ID!) {\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}"): (typeof documents)["query VerifyPassword($authHash: String!) {\n  verifyPassword(authHash: $authHash)\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -865,7 +915,7 @@ export function graphql(source: "query GetDashboard($organisationId: ID!) {\n  a
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    scimEnabled\n  }\n}"];
+export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -998,6 +1048,10 @@ export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id:
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"): (typeof documents)["query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    team {\n      id\n      name\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}"): (typeof documents)["query GetOrgSSOProviders {\n  organisations {\n    id\n    name\n    requireSso\n    ssoProviders {\n      id\n      providerType\n      name\n      publicConfig\n      enabled\n      createdAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      updatedAt\n      updatedBy {\n        fullName\n        avatarUrl\n        self\n      }\n    }\n  }\n  serverPublicKey\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index d05b72d7e..c219a15e1 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -219,6 +219,14 @@ export enum ApiOrganisationPlanChoices {
   Pr = 'PR'
 }
 
+/** An enumeration. */
+export enum ApiOrganisationSsoProviderProviderTypeChoices {
+  /** Microsoft Entra ID */
+  EntraId = 'ENTRA_ID',
+  /** Okta */
+  Okta = 'OKTA'
+}
+
 /** An enumeration. */
 export enum ApiScimEventEventTypeChoices {
   /** Group Created */
@@ -384,6 +392,32 @@ export type BulkInviteOrganisationMembersMutation = {
   invites?: Maybe<Array<Maybe<OrganisationMemberInviteType>>>;
 };
 
+/**
+ * Rotate the user's account password and rewrap the active org's
+ * keyring with the new deviceKey. Used by the in-session change-password
+ * dialog where the user supplies their current password, a new password,
+ * and the org's recovery mnemonic.
+ *
+ * Three server-side proofs are required:
+ *   1. current_auth_hash matches user.password — proves the caller
+ *      knows the current login password.
+ *   2. identity_key matches the org's stored identity_key — proves the
+ *      caller derived the keyring from the right mnemonic.
+ *   3. user is a member of the org.
+ *
+ * On success: user.password is set to new_auth_hash, the org's
+ * wrapped_keyring + wrapped_recovery are replaced, and the session is
+ * refreshed so the post-rotation HASH_SESSION_KEY stays valid.
+ *
+ * Only the active org's keyring is rewrapped. Other orgs the user
+ * belongs to remain encrypted with the old deviceKey; they'll fall
+ * through to per-org recovery on next access.
+ */
+export type ChangeAccountPasswordMutation = {
+  __typename?: 'ChangeAccountPasswordMutation';
+  orgMember?: Maybe<OrganisationMemberType>;
+};
+
 export type ChartDataPointType = {
   __typename?: 'ChartDataPointType';
   data?: Maybe<Scalars['Int']['output']>;
@@ -499,6 +533,11 @@ export type CreateOrganisationMutation = {
   organisation?: Maybe<OrganisationType>;
 };
 
+export type CreateOrganisationSsoProviderMutation = {
+  __typename?: 'CreateOrganisationSSOProviderMutation';
+  providerId?: Maybe<Scalars['ID']['output']>;
+};
+
 export type CreatePersonalSecretMutation = {
   __typename?: 'CreatePersonalSecretMutation';
   override?: Maybe<PersonalSecretType>;
@@ -639,6 +678,11 @@ export type DeleteOrganisationMemberMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type DeleteOrganisationSsoProviderMutation = {
+  __typename?: 'DeleteOrganisationSSOProviderMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type DeletePaymentMethodMutation = {
   __typename?: 'DeletePaymentMethodMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -1050,6 +1094,28 @@ export type Mutation = {
   bulkAddAppMembers?: Maybe<BulkAddAppMembersMutation>;
   bulkInviteOrganisationMembers?: Maybe<BulkInviteOrganisationMembersMutation>;
   cancelSubscription?: Maybe<UpdateSubscriptionResponse>;
+  /**
+   * Rotate the user's account password and rewrap the active org's
+   * keyring with the new deviceKey. Used by the in-session change-password
+   * dialog where the user supplies their current password, a new password,
+   * and the org's recovery mnemonic.
+   *
+   * Three server-side proofs are required:
+   *   1. current_auth_hash matches user.password — proves the caller
+   *      knows the current login password.
+   *   2. identity_key matches the org's stored identity_key — proves the
+   *      caller derived the keyring from the right mnemonic.
+   *   3. user is a member of the org.
+   *
+   * On success: user.password is set to new_auth_hash, the org's
+   * wrapped_keyring + wrapped_recovery are replaced, and the session is
+   * refreshed so the post-rotation HASH_SESSION_KEY stays valid.
+   *
+   * Only the active org's keyring is rewrapped. Other orgs the user
+   * belongs to remain encrypted with the old deviceKey; they'll fall
+   * through to per-org recovery on next access.
+   */
+  changeAccountPassword?: Maybe<ChangeAccountPasswordMutation>;
   createApp?: Maybe<CreateAppMutation>;
   createAwsDynamicSecret?: Maybe<CreateAwsDynamicSecretMutation>;
   createAwsSecretSync?: Maybe<CreateAwsSecretsManagerSync>;
@@ -1070,6 +1136,7 @@ export type Mutation = {
   createNomadSync?: Maybe<CreateNomadSync>;
   createOrganisation?: Maybe<CreateOrganisationMutation>;
   createOrganisationMember?: Maybe<CreateOrganisationMemberMutation>;
+  createOrganisationSsoProvider?: Maybe<CreateOrganisationSsoProviderMutation>;
   createOverride?: Maybe<CreatePersonalSecretMutation>;
   createProviderCredentials?: Maybe<CreateProviderCredentials>;
   createRailwaySync?: Maybe<CreateRailwaySync>;
@@ -1105,6 +1172,7 @@ export type Mutation = {
   deleteInvitation?: Maybe<DeleteInviteMutation>;
   deleteNetworkAccessPolicy?: Maybe<DeleteNetworkAccessPolicyMutation>;
   deleteOrganisationMember?: Maybe<DeleteOrganisationMemberMutation>;
+  deleteOrganisationSsoProvider?: Maybe<DeleteOrganisationSsoProviderMutation>;
   deletePaymentMethod?: Maybe<DeletePaymentMethodMutation>;
   deleteProviderCredentials?: Maybe<DeleteProviderCredentials>;
   deleteScimToken?: Maybe<DeleteScimTokenMutation>;
@@ -1124,6 +1192,24 @@ export type Mutation = {
   migratePricing?: Maybe<MigratePricingMutation>;
   modifySubscription?: Maybe<UpdateSubscriptionResponse>;
   readSecret?: Maybe<ReadSecretMutation>;
+  /**
+   * Rewrap THIS org's keyring with a deviceKey derived from the user's
+   * account password. Used by the recovery flow when the local keyring
+   * has been lost (cleared cache, new device) but the user still
+   * remembers their password.
+   *
+   * Two server-side proofs are required:
+   *   1. identity_key matches the org's stored identity_key — proves the
+   *      caller derived the keyring from the right mnemonic.
+   *   2. auth_hash matches user.password — proves the password the user
+   *      is wrapping the keyring with is also their account login auth.
+   *
+   * The mutation does NOT change user.password. The auth_hash check is a
+   * guardrail to keep auth and wrap passwords unified; if it fails, the
+   * user is trying to wrap the keyring with a password that doesn't
+   * authenticate them, which we never persist.
+   */
+  recoverAccountKeyring?: Maybe<RecoverAccountKeyringMutation>;
   removeAppMember?: Maybe<RemoveAppMemberMutation>;
   removeOverride?: Maybe<DeletePersonalSecretMutation>;
   removeTeamApp?: Maybe<RemoveTeamAppMutation>;
@@ -1134,6 +1220,7 @@ export type Mutation = {
   revokeDynamicSecretLease?: Maybe<RevokeLeaseMutation>;
   rotateAppKeys?: Maybe<RotateAppKeysMutation>;
   setDefaultPaymentMethod?: Maybe<SetDefaultPaymentMethodMutation>;
+  testOrganisationSsoProvider?: Maybe<TestOrganisationSsoProviderMutation>;
   /** Master switch: enable/disable SCIM for the organisation. */
   toggleScim?: Maybe<ToggleScimMutation>;
   /** Per-provider toggle: enable/disable a single SCIM token. */
@@ -1153,9 +1240,23 @@ export type Mutation = {
   updateEnvironmentOrder?: Maybe<UpdateEnvironmentOrderMutation>;
   updateIdentity?: Maybe<UpdateIdentityMutation>;
   updateMemberEnvironmentScope?: Maybe<UpdateMemberEnvScopeMutation>;
+  /**
+   * Re-wrap THIS org's keyring after the caller proves they hold the
+   * recovery mnemonic. Used by SSO recovery (where there's no login
+   * password to verify against, so identity is proven via the mnemonic
+   * alone).
+   *
+   * Requires identity_key matching the org's stored identity_key — proves
+   * the caller derived the keyring from the right mnemonic. Without this
+   * proof, an authenticated user (or session-cookie holder) could
+   * overwrite their own wrapped_keyring with arbitrary garbage and lock
+   * themselves out of the org permanently.
+   */
   updateMemberWrappedSecrets?: Maybe<UpdateUserWrappedSecretsMutation>;
   updateNetworkAccessPolicy?: Maybe<UpdateNetworkAccessPolicyMutation>;
   updateOrganisationMemberRole?: Maybe<UpdateOrganisationMemberRole>;
+  updateOrganisationSecurity?: Maybe<UpdateOrganisationSecurityMutation>;
+  updateOrganisationSsoProvider?: Maybe<UpdateOrganisationSsoProviderMutation>;
   updateProviderCredentials?: Maybe<UpdateProviderCredentials>;
   updateServiceAccount?: Maybe<UpdateServiceAccountMutation>;
   updateServiceAccountHandlers?: Maybe<UpdateServiceAccountHandlersMutation>;
@@ -1204,6 +1305,16 @@ export type MutationCancelSubscriptionArgs = {
 };
 
 
+export type MutationChangeAccountPasswordArgs = {
+  currentAuthHash: Scalars['String']['input'];
+  identityKey: Scalars['String']['input'];
+  newAuthHash: Scalars['String']['input'];
+  orgId: Scalars['ID']['input'];
+  wrappedKeyring: Scalars['String']['input'];
+  wrappedRecovery: Scalars['String']['input'];
+};
+
+
 export type MutationCreateAppArgs = {
   appSeed: Scalars['String']['input'];
   appToken: Scalars['String']['input'];
@@ -1400,6 +1511,14 @@ export type MutationCreateOrganisationMemberArgs = {
 };
 
 
+export type MutationCreateOrganisationSsoProviderArgs = {
+  config: Scalars['JSONString']['input'];
+  name: Scalars['String']['input'];
+  orgId: Scalars['ID']['input'];
+  providerType: Scalars['String']['input'];
+};
+
+
 export type MutationCreateOverrideArgs = {
   overrideData?: InputMaybe<PersonalSecretInput>;
 };
@@ -1603,6 +1722,11 @@ export type MutationDeleteOrganisationMemberArgs = {
 };
 
 
+export type MutationDeleteOrganisationSsoProviderArgs = {
+  providerId: Scalars['ID']['input'];
+};
+
+
 export type MutationDeletePaymentMethodArgs = {
   organisationId?: InputMaybe<Scalars['ID']['input']>;
   paymentMethodId?: InputMaybe<Scalars['String']['input']>;
@@ -1706,6 +1830,15 @@ export type MutationReadSecretArgs = {
 };
 
 
+export type MutationRecoverAccountKeyringArgs = {
+  authHash: Scalars['String']['input'];
+  identityKey: Scalars['String']['input'];
+  orgId: Scalars['ID']['input'];
+  wrappedKeyring: Scalars['String']['input'];
+  wrappedRecovery: Scalars['String']['input'];
+};
+
+
 export type MutationRemoveAppMemberArgs = {
   appId?: InputMaybe<Scalars['ID']['input']>;
   memberId?: InputMaybe<Scalars['ID']['input']>;
@@ -1767,6 +1900,11 @@ export type MutationSetDefaultPaymentMethodArgs = {
 };
 
 
+export type MutationTestOrganisationSsoProviderArgs = {
+  providerId: Scalars['ID']['input'];
+};
+
+
 export type MutationToggleScimArgs = {
   enabled: Scalars['Boolean']['input'];
   organisationId: Scalars['ID']['input'];
@@ -1868,7 +2006,7 @@ export type MutationUpdateMemberEnvironmentScopeArgs = {
 
 
 export type MutationUpdateMemberWrappedSecretsArgs = {
-  identityKey?: InputMaybe<Scalars['String']['input']>;
+  identityKey: Scalars['String']['input'];
   orgId: Scalars['ID']['input'];
   wrappedKeyring: Scalars['String']['input'];
   wrappedRecovery: Scalars['String']['input'];
@@ -1886,6 +2024,20 @@ export type MutationUpdateOrganisationMemberRoleArgs = {
 };
 
 
+export type MutationUpdateOrganisationSecurityArgs = {
+  orgId: Scalars['ID']['input'];
+  requireSso: Scalars['Boolean']['input'];
+};
+
+
+export type MutationUpdateOrganisationSsoProviderArgs = {
+  config?: InputMaybe<Scalars['JSONString']['input']>;
+  enabled?: InputMaybe<Scalars['Boolean']['input']>;
+  name?: InputMaybe<Scalars['String']['input']>;
+  providerId: Scalars['ID']['input'];
+};
+
+
 export type MutationUpdateProviderCredentialsArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
   credentials?: InputMaybe<Scalars['JSONString']['input']>;
@@ -2004,6 +2156,19 @@ export type OrganisationPlanType = {
   seatsUsed?: Maybe<SeatsUsed>;
 };
 
+export type OrganisationSsoProviderType = {
+  __typename?: 'OrganisationSSOProviderType';
+  createdAt: Scalars['DateTime']['output'];
+  createdBy?: Maybe<OrganisationMemberType>;
+  enabled: Scalars['Boolean']['output'];
+  id: Scalars['String']['output'];
+  name: Scalars['String']['output'];
+  providerType: ApiOrganisationSsoProviderProviderTypeChoices;
+  publicConfig?: Maybe<Scalars['JSONString']['output']>;
+  updatedAt: Scalars['DateTime']['output'];
+  updatedBy?: Maybe<OrganisationMemberType>;
+};
+
 export type OrganisationType = {
   __typename?: 'OrganisationType';
   createdAt?: Maybe<Scalars['DateTime']['output']>;
@@ -2016,8 +2181,10 @@ export type OrganisationType = {
   planDetail?: Maybe<OrganisationPlanType>;
   pricingVersion: Scalars['Int']['output'];
   recovery?: Maybe<Scalars['String']['output']>;
+  requireSso: Scalars['Boolean']['output'];
   role?: Maybe<RoleType>;
   scimEnabled: Scalars['Boolean']['output'];
+  ssoProviders?: Maybe<Array<Maybe<OrganisationSsoProviderType>>>;
 };
 
 export type PaymentMethodDetails = {
@@ -2163,6 +2330,7 @@ export type Query = {
   validateAwsAssumeRoleCredentials?: Maybe<AwsValidationResultType>;
   validateInvite?: Maybe<OrganisationMemberInviteType>;
   vercelProjects?: Maybe<Array<Maybe<VercelTeamProjectsType>>>;
+  verifyPassword?: Maybe<Scalars['Boolean']['output']>;
 };
 
 
@@ -2486,6 +2654,11 @@ export type QueryVercelProjectsArgs = {
   credentialId?: InputMaybe<Scalars['ID']['input']>;
 };
 
+
+export type QueryVerifyPasswordArgs = {
+  authHash: Scalars['String']['input'];
+};
+
 export type RailwayEnvironmentType = {
   __typename?: 'RailwayEnvironmentType';
   id: Scalars['ID']['output'];
@@ -2517,6 +2690,28 @@ export type ReadSecretMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+/**
+ * Rewrap THIS org's keyring with a deviceKey derived from the user's
+ * account password. Used by the recovery flow when the local keyring
+ * has been lost (cleared cache, new device) but the user still
+ * remembers their password.
+ *
+ * Two server-side proofs are required:
+ *   1. identity_key matches the org's stored identity_key — proves the
+ *      caller derived the keyring from the right mnemonic.
+ *   2. auth_hash matches user.password — proves the password the user
+ *      is wrapping the keyring with is also their account login auth.
+ *
+ * The mutation does NOT change user.password. The auth_hash check is a
+ * guardrail to keep auth and wrap passwords unified; if it fails, the
+ * user is trying to wrap the keyring with a password that doesn't
+ * authenticate them, which we never persist.
+ */
+export type RecoverAccountKeyringMutation = {
+  __typename?: 'RecoverAccountKeyringMutation';
+  orgMember?: Maybe<OrganisationMemberType>;
+};
+
 export type RemoveAppMemberMutation = {
   __typename?: 'RemoveAppMemberMutation';
   app?: Maybe<AppType>;
@@ -2871,6 +3066,12 @@ export type TeamType = {
   updatedAt: Scalars['DateTime']['output'];
 };
 
+export type TestOrganisationSsoProviderMutation = {
+  __typename?: 'TestOrganisationSSOProviderMutation';
+  error?: Maybe<Scalars['String']['output']>;
+  success?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export enum TimeRange {
   AllTime = 'ALL_TIME',
   Day = 'DAY',
@@ -2961,6 +3162,17 @@ export type UpdateOrganisationMemberRole = {
   orgMember?: Maybe<OrganisationMemberType>;
 };
 
+export type UpdateOrganisationSsoProviderMutation = {
+  __typename?: 'UpdateOrganisationSSOProviderMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
+export type UpdateOrganisationSecurityMutation = {
+  __typename?: 'UpdateOrganisationSecurityMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+  sessionInvalidated?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type UpdatePolicyInput = {
   allowedIps?: InputMaybe<Scalars['String']['input']>;
   id: Scalars['ID']['input'];
@@ -3006,6 +3218,18 @@ export type UpdateTeamMutation = {
   team?: Maybe<TeamType>;
 };
 
+/**
+ * Re-wrap THIS org's keyring after the caller proves they hold the
+ * recovery mnemonic. Used by SSO recovery (where there's no login
+ * password to verify against, so identity is proven via the mnemonic
+ * alone).
+ *
+ * Requires identity_key matching the org's stored identity_key — proves
+ * the caller derived the keyring from the right mnemonic. Without this
+ * proof, an authenticated user (or session-cookie holder) could
+ * overwrite their own wrapped_keyring with arbitrary garbage and lock
+ * themselves out of the org permanently.
+ */
 export type UpdateUserWrappedSecretsMutation = {
   __typename?: 'UpdateUserWrappedSecretsMutation';
   orgMember?: Maybe<OrganisationMemberType>;
@@ -3154,6 +3378,29 @@ export type UpdateEnvScopeMutationVariables = Exact<{
 
 export type UpdateEnvScopeMutation = { __typename?: 'Mutation', updateMemberEnvironmentScope?: { __typename?: 'UpdateMemberEnvScopeMutation', app?: { __typename?: 'AppType', id: string } | null } | null };
 
+export type ChangePasswordMutationVariables = Exact<{
+  orgId: Scalars['ID']['input'];
+  currentAuthHash: Scalars['String']['input'];
+  newAuthHash: Scalars['String']['input'];
+  identityKey: Scalars['String']['input'];
+  wrappedKeyring: Scalars['String']['input'];
+  wrappedRecovery: Scalars['String']['input'];
+}>;
+
+
+export type ChangePasswordMutation = { __typename?: 'Mutation', changeAccountPassword?: { __typename?: 'ChangeAccountPasswordMutation', orgMember?: { __typename?: 'OrganisationMemberType', id: string } | null } | null };
+
+export type RecoverKeyringMutationVariables = Exact<{
+  orgId: Scalars['ID']['input'];
+  authHash: Scalars['String']['input'];
+  identityKey: Scalars['String']['input'];
+  wrappedKeyring: Scalars['String']['input'];
+  wrappedRecovery: Scalars['String']['input'];
+}>;
+
+
+export type RecoverKeyringMutation = { __typename?: 'Mutation', recoverAccountKeyring?: { __typename?: 'RecoverAccountKeyringMutation', orgMember?: { __typename?: 'OrganisationMemberType', id: string } | null } | null };
+
 export type CancelStripeSubscriptionMutationVariables = Exact<{
   organisationId: Scalars['ID']['input'];
   subscriptionId: Scalars['String']['input'];
@@ -3595,6 +3842,7 @@ export type UpdateMemberRoleMutation = { __typename?: 'Mutation', updateOrganisa
 
 export type UpdateWrappedSecretsMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
+  identityKey: Scalars['String']['input'];
   wrappedKeyring: Scalars['String']['input'];
   wrappedRecovery: Scalars['String']['input'];
 }>;
@@ -3726,6 +3974,48 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
 
 export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
+export type CreateOrgSsoProviderMutationVariables = Exact<{
+  orgId: Scalars['ID']['input'];
+  providerType: Scalars['String']['input'];
+  name: Scalars['String']['input'];
+  config: Scalars['JSONString']['input'];
+}>;
+
+
+export type CreateOrgSsoProviderMutation = { __typename?: 'Mutation', createOrganisationSsoProvider?: { __typename?: 'CreateOrganisationSSOProviderMutation', providerId?: string | null } | null };
+
+export type DeleteOrgSsoProviderMutationVariables = Exact<{
+  providerId: Scalars['ID']['input'];
+}>;
+
+
+export type DeleteOrgSsoProviderMutation = { __typename?: 'Mutation', deleteOrganisationSsoProvider?: { __typename?: 'DeleteOrganisationSSOProviderMutation', ok?: boolean | null } | null };
+
+export type TestOrgSsoProviderMutationVariables = Exact<{
+  providerId: Scalars['ID']['input'];
+}>;
+
+
+export type TestOrgSsoProviderMutation = { __typename?: 'Mutation', testOrganisationSsoProvider?: { __typename?: 'TestOrganisationSSOProviderMutation', success?: boolean | null, error?: string | null } | null };
+
+export type UpdateOrgSsoProviderMutationVariables = Exact<{
+  providerId: Scalars['ID']['input'];
+  name?: InputMaybe<Scalars['String']['input']>;
+  config?: InputMaybe<Scalars['JSONString']['input']>;
+  enabled?: InputMaybe<Scalars['Boolean']['input']>;
+}>;
+
+
+export type UpdateOrgSsoProviderMutation = { __typename?: 'Mutation', updateOrganisationSsoProvider?: { __typename?: 'UpdateOrganisationSSOProviderMutation', ok?: boolean | null } | null };
+
+export type UpdateOrgSecurityMutationVariables = Exact<{
+  orgId: Scalars['ID']['input'];
+  requireSso: Scalars['Boolean']['input'];
+}>;
+
+
+export type UpdateOrgSecurityMutation = { __typename?: 'Mutation', updateOrganisationSecurity?: { __typename?: 'UpdateOrganisationSecurityMutation', ok?: boolean | null, sessionInvalidated?: boolean | null } | null };
+
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
   path: Scalars['String']['input'];
@@ -4069,6 +4359,13 @@ export type GetAppServiceAccountsQueryVariables = Exact<{
 
 export type GetAppServiceAccountsQuery = { __typename?: 'Query', appServiceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, identityKey?: string | null, name: string, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null, color?: string | null } | null, tokens?: Array<{ __typename?: 'ServiceAccountTokenType', id: string, name: string } | null> | null } | null> | null };
 
+export type VerifyPasswordQueryVariables = Exact<{
+  authHash: Scalars['String']['input'];
+}>;
+
+
+export type VerifyPasswordQuery = { __typename?: 'Query', verifyPassword?: boolean | null };
+
 export type GetCheckoutDetailsQueryVariables = Exact<{
   stripeSessionId: Scalars['String']['input'];
 }>;
@@ -4143,7 +4440,7 @@ export type GetDashboardQuery = { __typename?: 'Query', apps?: Array<{ __typenam
 export type GetOrganisationsQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, scimEnabled: boolean, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null> | null };
+export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, requireSso: boolean, scimEnabled: boolean, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, ssoProviders?: Array<{ __typename?: 'OrganisationSSOProviderType', name: string, providerType: ApiOrganisationSsoProviderProviderTypeChoices, enabled: boolean } | null> | null } | null> | null };
 
 export type GetAwsStsEndpointsQueryVariables = Exact<{ [key: string]: never; }>;
 
@@ -4401,6 +4698,11 @@ export type GetServiceAccountsQueryVariables = Exact<{
 
 export type GetServiceAccountsQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null } | null, team?: { __typename?: 'TeamType', id: string, name: string } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null } | null> | null };
 
+export type GetOrgSsoProvidersQueryVariables = Exact<{ [key: string]: never; }>;
+
+
+export type GetOrgSsoProvidersQuery = { __typename?: 'Query', serverPublicKey?: string | null, organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, requireSso: boolean, ssoProviders?: Array<{ __typename?: 'OrganisationSSOProviderType', id: string, providerType: ApiOrganisationSsoProviderProviderTypeChoices, name: string, publicConfig?: any | null, enabled: boolean, createdAt: any, updatedAt: any, createdBy?: { __typename?: 'OrganisationMemberType', fullName?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, updatedBy?: { __typename?: 'OrganisationMemberType', fullName?: string | null, avatarUrl?: string | null, self?: boolean | null } | null } | null> | null } | null> | null };
+
 export type GetOrganisationSyncsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
 }>;
@@ -4581,6 +4883,8 @@ export const BulkAddMembersToAppDocument = {"kind":"Document","definitions":[{"k
 export const RemoveMemberFromAppDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RemoveMemberFromApp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"removeAppMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RemoveMemberFromAppMutation, RemoveMemberFromAppMutationVariables>;
 export const UpdateAppInfoOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateAppInfoOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateAppInfo"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateAppInfoOpMutation, UpdateAppInfoOpMutationVariables>;
 export const UpdateEnvScopeDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateEnvScope"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envKeys"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"EnvironmentKeyInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberEnvironmentScope"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"envKeys"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envKeys"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateEnvScopeMutation, UpdateEnvScopeMutationVariables>;
+export const ChangePasswordDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"ChangePassword"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"currentAuthHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newAuthHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"changeAccountPassword"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"currentAuthHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"currentAuthHash"}}},{"kind":"Argument","name":{"kind":"Name","value":"newAuthHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newAuthHash"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<ChangePasswordMutation, ChangePasswordMutationVariables>;
+export const RecoverKeyringDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RecoverKeyring"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"recoverAccountKeyring"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"authHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RecoverKeyringMutation, RecoverKeyringMutationVariables>;
 export const CancelStripeSubscriptionDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CancelStripeSubscription"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"subscriptionId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"cancelSubscription"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"subscriptionId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"subscriptionId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"success"}}]}}]}}]} as unknown as DocumentNode<CancelStripeSubscriptionMutation, CancelStripeSubscriptionMutationVariables>;
 export const CreateStripeSetupIntentOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateStripeSetupIntentOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createSetupIntent"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"clientSecret"}}]}}]}}]} as unknown as DocumentNode<CreateStripeSetupIntentOpMutation, CreateStripeSetupIntentOpMutationVariables>;
 export const DeleteStripePaymentMethodDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteStripePaymentMethod"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"paymentMethodId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deletePaymentMethod"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"paymentMethodId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"paymentMethodId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteStripePaymentMethodMutation, DeleteStripePaymentMethodMutationVariables>;
@@ -4628,7 +4932,7 @@ export const RemoveMemberDocument = {"kind":"Document","definitions":[{"kind":"O
 export const InitAccountKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"InitAccountKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<InitAccountKeysMutation, InitAccountKeysMutationVariables>;
 export const TransferOrgOwnershipDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TransferOrgOwnership"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"billingEmail"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"transferOrganisationOwnership"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"newOwnerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"newOwnerId"}}},{"kind":"Argument","name":{"kind":"Name","value":"billingEmail"},"value":{"kind":"Variable","name":{"kind":"Name","value":"billingEmail"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<TransferOrgOwnershipMutation, TransferOrgOwnershipMutationVariables>;
 export const UpdateMemberRoleDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateMemberRole"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationMemberRole"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateMemberRoleMutation, UpdateMemberRoleMutationVariables>;
-export const UpdateWrappedSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateWrappedSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateWrappedSecretsMutation, UpdateWrappedSecretsMutationVariables>;
+export const UpdateWrappedSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateWrappedSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateMemberWrappedSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateWrappedSecretsMutation, UpdateWrappedSecretsMutationVariables>;
 export const RotateAppKeyDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RotateAppKey"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"rotateAppKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"appToken"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appToken"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<RotateAppKeyMutation, RotateAppKeyMutationVariables>;
 export const CreateScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiryDays"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiryDays"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiryDays"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"}},{"kind":"Field","name":{"kind":"Name","value":"scimToken"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"tokenPrefix"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"lastUsedAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateScimTokenOpMutation, CreateScimTokenOpMutationVariables>;
 export const DeleteScimTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteSCIMTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteScimToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteScimTokenOpMutation, DeleteScimTokenOpMutationVariables>;
@@ -4643,6 +4947,11 @@ export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitio
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
+export const CreateOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerType"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"JSONString"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"providerType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerType"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"providerId"}}]}}]}}]} as unknown as DocumentNode<CreateOrgSsoProviderMutation, CreateOrgSsoProviderMutationVariables>;
+export const DeleteOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"providerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgSsoProviderMutation, DeleteOrgSsoProviderMutationVariables>;
+export const TestOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"TestOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"testOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"providerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"success"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<TestOrgSsoProviderMutation, TestOrgSsoProviderMutationVariables>;
+export const UpdateOrgSsoProviderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateOrgSSOProvider"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"config"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"JSONString"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationSsoProvider"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"providerId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"providerId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"config"},"value":{"kind":"Variable","name":{"kind":"Name","value":"config"}}},{"kind":"Argument","name":{"kind":"Name","value":"enabled"},"value":{"kind":"Variable","name":{"kind":"Name","value":"enabled"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateOrgSsoProviderMutation, UpdateOrgSsoProviderMutationVariables>;
+export const UpdateOrgSecurityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateOrgSecurity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"requireSso"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Boolean"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateOrganisationSecurity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"requireSso"},"value":{"kind":"Variable","name":{"kind":"Name","value":"requireSso"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}},{"kind":"Field","name":{"kind":"Name","value":"sessionInvalidated"}}]}}]}}]} as unknown as DocumentNode<UpdateOrgSecurityMutation, UpdateOrgSecurityMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewAzureKeyVaultSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAzureKeyVaultSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAzureKeyVaultSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"vaultUri"},"value":{"kind":"Variable","name":{"kind":"Name","value":"vaultUri"}}},{"kind":"Argument","name":{"kind":"Name","value":"syncMode"},"value":{"kind":"Variable","name":{"kind":"Name","value":"syncMode"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAzureKeyVaultSyncMutation, CreateNewAzureKeyVaultSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
@@ -4679,6 +4988,7 @@ export const GetNetworkPoliciesDocument = {"kind":"Document","definitions":[{"ki
 export const GetAppAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appServiceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppAccountsQuery, GetAppAccountsQueryVariables>;
 export const GetAppMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppMembersQuery, GetAppMembersQueryVariables>;
 export const GetAppServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appServiceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppServiceAccountsQuery, GetAppServiceAccountsQueryVariables>;
+export const VerifyPasswordDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"VerifyPassword"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"verifyPassword"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"authHash"},"value":{"kind":"Variable","name":{"kind":"Name","value":"authHash"}}}]}]}}]} as unknown as DocumentNode<VerifyPasswordQuery, VerifyPasswordQueryVariables>;
 export const GetCheckoutDetailsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetCheckoutDetails"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stripeSessionId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"stripeCheckoutDetails"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"stripeSessionId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stripeSessionId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"paymentStatus"}},{"kind":"Field","name":{"kind":"Name","value":"customerEmail"}},{"kind":"Field","name":{"kind":"Name","value":"billingStartDate"}},{"kind":"Field","name":{"kind":"Name","value":"billingEndDate"}},{"kind":"Field","name":{"kind":"Name","value":"subscriptionId"}},{"kind":"Field","name":{"kind":"Name","value":"planName"}}]}}]}}]} as unknown as DocumentNode<GetCheckoutDetailsQuery, GetCheckoutDetailsQueryVariables>;
 export const GetCustomerPortalLinkDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetCustomerPortalLink"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"stripeCustomerPortalUrl"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}]}]}}]} as unknown as DocumentNode<GetCustomerPortalLinkQuery, GetCustomerPortalLinkQueryVariables>;
 export const GetSubscriptionDetailsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSubscriptionDetails"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"stripeSubscriptionDetails"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"subscriptionId"}},{"kind":"Field","name":{"kind":"Name","value":"planName"}},{"kind":"Field","name":{"kind":"Name","value":"planType"}},{"kind":"Field","name":{"kind":"Name","value":"billingPeriod"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"nextPaymentAmount"}},{"kind":"Field","name":{"kind":"Name","value":"currentPeriodStart"}},{"kind":"Field","name":{"kind":"Name","value":"currentPeriodEnd"}},{"kind":"Field","name":{"kind":"Name","value":"renewalDate"}},{"kind":"Field","name":{"kind":"Name","value":"cancelAt"}},{"kind":"Field","name":{"kind":"Name","value":"cancelAtPeriodEnd"}},{"kind":"Field","name":{"kind":"Name","value":"paymentMethods"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"brand"}},{"kind":"Field","name":{"kind":"Name","value":"last4"}},{"kind":"Field","name":{"kind":"Name","value":"expMonth"}},{"kind":"Field","name":{"kind":"Name","value":"expYear"}},{"kind":"Field","name":{"kind":"Name","value":"isDefault"}}]}}]}}]}}]} as unknown as DocumentNode<GetSubscriptionDetailsQuery, GetSubscriptionDetailsQueryVariables>;
@@ -4688,7 +4998,7 @@ export const GetAppDetailDocument = {"kind":"Document","definitions":[{"kind":"O
 export const GetAppKmsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppKmsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"kmsLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"phaseNode"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"country"}},{"kind":"Field","name":{"kind":"Name","value":"city"}},{"kind":"Field","name":{"kind":"Name","value":"phSize"}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}}]}}]} as unknown as DocumentNode<GetAppKmsLogsQuery, GetAppKmsLogsQueryVariables>;
 export const GetAppsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetApps"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetAppsQuery, GetAppsQueryVariables>;
 export const GetDashboardDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDashboard"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]} as unknown as DocumentNode<GetDashboardQuery, GetDashboardQueryVariables>;
-export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}},{"kind":"Field","name":{"kind":"Name","value":"scimEnabled"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
+export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}},{"kind":"Field","name":{"kind":"Name","value":"requireSso"}},{"kind":"Field","name":{"kind":"Name","value":"ssoProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"providerType"}},{"kind":"Field","name":{"kind":"Name","value":"enabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"scimEnabled"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
 export const GetAwsStsEndpointsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsStsEndpoints"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsStsEndpoints"}}]}}]} as unknown as DocumentNode<GetAwsStsEndpointsQuery, GetAwsStsEndpointsQueryVariables>;
 export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
 export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
@@ -4722,6 +5032,7 @@ export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
+export const GetOrgSsoProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrgSSOProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"requireSso"}},{"kind":"Field","name":{"kind":"Name","value":"ssoProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"providerType"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"publicConfig"}},{"kind":"Field","name":{"kind":"Name","value":"enabled"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"serverPublicKey"}}]}}]} as unknown as DocumentNode<GetOrgSsoProvidersQuery, GetOrgSsoProvidersQueryVariables>;
 export const GetOrganisationSyncsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationSyncs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"completedAt"}},{"kind":"Field","name":{"kind":"Name","value":"meta"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expectedCredentials"}},{"kind":"Field","name":{"kind":"Name","value":"optionalCredentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationSyncsQuery, GetOrganisationSyncsQueryVariables>;
 export const GetAwsSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"arn"}}]}}]}}]} as unknown as DocumentNode<GetAwsSecretsQuery, GetAwsSecretsQueryVariables>;
 export const ValidateAwsAssumeRoleAuthDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"ValidateAWSAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"validateAwsAssumeRoleAuth"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"valid"}},{"kind":"Field","name":{"kind":"Name","value":"message"}},{"kind":"Field","name":{"kind":"Name","value":"method"}},{"kind":"Field","name":{"kind":"Name","value":"error"}}]}}]}}]} as unknown as DocumentNode<ValidateAwsAssumeRoleAuthQuery, ValidateAwsAssumeRoleAuthQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index f0b8fe533..d1702e502 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -8,6 +8,7 @@ type Query {
   scimTokens(organisationId: ID): [SCIMTokenType]
   scimEvents(organisationId: ID, start: BigInt, end: BigInt, eventTypes: [String], tokenId: ID, status: String): SCIMEventsResponseType
   organisationNameAvailable(name: String): Boolean
+  verifyPassword(authHash: String!): Boolean
   license: PhaseLicenseType
   organisationLicense(organisationId: ID): ActivatedPhaseLicenseType
   organisationPlan(organisationId: ID): OrganisationPlanType
@@ -74,12 +75,14 @@ type OrganisationType {
   createdAt: DateTime
   plan: ApiOrganisationPlanChoices!
   pricingVersion: Int!
+  requireSso: Boolean!
   scimEnabled: Boolean!
   role: RoleType
   memberId: ID
   keyring: String
   recovery: String
   planDetail: OrganisationPlanType
+  ssoProviders: [OrganisationSSOProviderType]
 }
 
 """
@@ -134,23 +137,25 @@ type SeatsUsed {
   total: Int
 }
 
-type NetworkAccessPolicyType {
+type OrganisationSSOProviderType {
   id: String!
+  providerType: ApiOrganisationSSOProviderProviderTypeChoices!
   name: String!
-  organisation: OrganisationType!
-
-  """
-  Comma-separated list of IP addresses or CIDR ranges (e.g. 192.168.1.1, 10.0.0.0/24)
-  """
-  allowedIps: String!
-  isGlobal: Boolean!
+  enabled: Boolean!
   createdAt: DateTime!
-  createdBy: OrganisationMemberType
   updatedAt: DateTime!
+  publicConfig: JSONString
+  createdBy: OrganisationMemberType
   updatedBy: OrganisationMemberType
-  members: [OrganisationMemberType!]!
-  serviceAccounts: [ServiceAccountType!]
-  organisationMembers: [OrganisationMemberType!]
+}
+
+"""An enumeration."""
+enum ApiOrganisationSSOProviderProviderTypeChoices {
+  """Microsoft Entra ID"""
+  ENTRA_ID
+
+  """Okta"""
+  OKTA
 }
 
 type OrganisationMemberType {
@@ -399,6 +404,25 @@ type ServiceAccountTokenType {
   lastUsed: DateTime
 }
 
+type NetworkAccessPolicyType {
+  id: String!
+  name: String!
+  organisation: OrganisationType!
+
+  """
+  Comma-separated list of IP addresses or CIDR ranges (e.g. 192.168.1.1, 10.0.0.0/24)
+  """
+  allowedIps: String!
+  isGlobal: Boolean!
+  createdAt: DateTime!
+  createdBy: OrganisationMemberType
+  updatedAt: DateTime!
+  updatedBy: OrganisationMemberType
+  members: [OrganisationMemberType!]!
+  serviceAccounts: [ServiceAccountType!]
+  organisationMembers: [OrganisationMemberType!]
+}
+
 type IdentityType {
   id: String!
   organisation: OrganisationType!
@@ -415,7 +439,7 @@ type IdentityType {
   serviceAccounts: [ServiceAccountType!]!
 }
 
-union IdentityConfigUnion = AwsIamConfigType
+union IdentityConfigUnion = AwsIamConfigType | AzureEntraConfigType
 
 type AwsIamConfigType {
   trustedPrincipals: [String]
@@ -423,6 +447,24 @@ type AwsIamConfigType {
   stsEndpoint: String
 }
 
+type AzureEntraConfigType {
+  tenantId: String
+  resource: String
+  allowedServicePrincipalIds: [String]
+}
+
+"""An enumeration."""
+enum ApiSecretEventTypeChoices {
+  """Secret"""
+  SECRET
+
+  """Sealed"""
+  SEALED
+
+  """Config"""
+  CONFIG
+}
+
 """An enumeration."""
 enum ApiSecretEventEventTypeChoices {
   """Create"""
@@ -908,7 +950,6 @@ type IdentityProviderType {
   name: String!
   description: String!
   iconId: String!
-  supported: Boolean!
 }
 
 type CloudFlarePagesType {
@@ -1131,7 +1172,62 @@ type Mutation {
   The new owner must have global access (Admin role) to ensure they have all necessary keys.
   """
   transferOrganisationOwnership(billingEmail: String, newOwnerId: ID!, organisationId: ID!): TransferOrganisationOwnershipMutation
-  updateMemberWrappedSecrets(identityKey: String, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
+
+  """
+  Re-wrap THIS org's keyring after the caller proves they hold the
+  recovery mnemonic. Used by SSO recovery (where there's no login
+  password to verify against, so identity is proven via the mnemonic
+  alone).
+  
+  Requires identity_key matching the org's stored identity_key — proves
+  the caller derived the keyring from the right mnemonic. Without this
+  proof, an authenticated user (or session-cookie holder) could
+  overwrite their own wrapped_keyring with arbitrary garbage and lock
+  themselves out of the org permanently.
+  """
+  updateMemberWrappedSecrets(identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
+
+  """
+  Rewrap THIS org's keyring with a deviceKey derived from the user's
+  account password. Used by the recovery flow when the local keyring
+  has been lost (cleared cache, new device) but the user still
+  remembers their password.
+  
+  Two server-side proofs are required:
+    1. identity_key matches the org's stored identity_key — proves the
+       caller derived the keyring from the right mnemonic.
+    2. auth_hash matches user.password — proves the password the user
+       is wrapping the keyring with is also their account login auth.
+  
+  The mutation does NOT change user.password. The auth_hash check is a
+  guardrail to keep auth and wrap passwords unified; if it fails, the
+  user is trying to wrap the keyring with a password that doesn't
+  authenticate them, which we never persist.
+  """
+  recoverAccountKeyring(authHash: String!, identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): RecoverAccountKeyringMutation
+
+  """
+  Rotate the user's account password and rewrap the active org's
+  keyring with the new deviceKey. Used by the in-session change-password
+  dialog where the user supplies their current password, a new password,
+  and the org's recovery mnemonic.
+  
+  Three server-side proofs are required:
+    1. current_auth_hash matches user.password — proves the caller
+       knows the current login password.
+    2. identity_key matches the org's stored identity_key — proves the
+       caller derived the keyring from the right mnemonic.
+    3. user is a member of the org.
+  
+  On success: user.password is set to new_auth_hash, the org's
+  wrapped_keyring + wrapped_recovery are replaced, and the session is
+  refreshed so the post-rotation HASH_SESSION_KEY stays valid.
+  
+  Only the active org's keyring is rewrapped. Other orgs the user
+  belongs to remain encrypted with the old deviceKey; they'll fall
+  through to per-org recovery on next access.
+  """
+  changeAccountPassword(currentAuthHash: String!, identityKey: String!, newAuthHash: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): ChangeAccountPasswordMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
   createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
@@ -1154,9 +1250,14 @@ type Mutation {
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
   updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
-  createIdentity(defaultTtlSeconds: Int!, description: String, maxTtlSeconds: Int!, name: String!, organisationId: ID!, provider: String!, signatureTtlSeconds: Int, stsEndpoint: String, tokenNamePattern: String, trustedPrincipals: String!): CreateIdentityMutation
-  updateIdentity(defaultTtlSeconds: Int, description: String, id: ID!, maxTtlSeconds: Int, name: String, signatureTtlSeconds: Int, stsEndpoint: String, tokenNamePattern: String, trustedPrincipals: String): UpdateIdentityMutation
+  createIdentity(defaultTtlSeconds: Int!, description: String, maxTtlSeconds: Int!, name: String!, organisationId: ID!, provider: String!, resource: String, signatureTtlSeconds: Int, stsEndpoint: String, tenantId: String, tokenNamePattern: String, trustedPrincipals: String!): CreateIdentityMutation
+  updateIdentity(defaultTtlSeconds: Int, description: String, id: ID!, maxTtlSeconds: Int, name: String, resource: String, signatureTtlSeconds: Int, stsEndpoint: String, tenantId: String, tokenNamePattern: String, trustedPrincipals: String): UpdateIdentityMutation
   deleteIdentity(id: ID!): DeleteIdentityMutation
+  createOrganisationSsoProvider(config: JSONString!, name: String!, orgId: ID!, providerType: String!): CreateOrganisationSSOProviderMutation
+  updateOrganisationSsoProvider(config: JSONString, enabled: Boolean, name: String, providerId: ID!): UpdateOrganisationSSOProviderMutation
+  deleteOrganisationSsoProvider(providerId: ID!): DeleteOrganisationSSOProviderMutation
+  testOrganisationSsoProvider(providerId: ID!): TestOrganisationSSOProviderMutation
+  updateOrganisationSecurity(orgId: ID!, requireSso: Boolean!): UpdateOrganisationSecurityMutation
   createTeam(description: String, memberRoleId: ID, name: String!, organisationId: ID!, serviceAccountRoleId: ID): CreateTeamMutation
   updateTeam(description: String, memberRoleId: ID, name: String, serviceAccountRoleId: ID, teamId: ID!): UpdateTeamMutation
   transferTeamOwnership(newOwnerId: ID!, teamId: ID!): TransferTeamOwnershipMutation
@@ -1283,10 +1384,68 @@ type TransferOrganisationOwnershipMutation {
   ok: Boolean
 }
 
+"""
+Re-wrap THIS org's keyring after the caller proves they hold the
+recovery mnemonic. Used by SSO recovery (where there's no login
+password to verify against, so identity is proven via the mnemonic
+alone).
+
+Requires identity_key matching the org's stored identity_key — proves
+the caller derived the keyring from the right mnemonic. Without this
+proof, an authenticated user (or session-cookie holder) could
+overwrite their own wrapped_keyring with arbitrary garbage and lock
+themselves out of the org permanently.
+"""
 type UpdateUserWrappedSecretsMutation {
   orgMember: OrganisationMemberType
 }
 
+"""
+Rewrap THIS org's keyring with a deviceKey derived from the user's
+account password. Used by the recovery flow when the local keyring
+has been lost (cleared cache, new device) but the user still
+remembers their password.
+
+Two server-side proofs are required:
+  1. identity_key matches the org's stored identity_key — proves the
+     caller derived the keyring from the right mnemonic.
+  2. auth_hash matches user.password — proves the password the user
+     is wrapping the keyring with is also their account login auth.
+
+The mutation does NOT change user.password. The auth_hash check is a
+guardrail to keep auth and wrap passwords unified; if it fails, the
+user is trying to wrap the keyring with a password that doesn't
+authenticate them, which we never persist.
+"""
+type RecoverAccountKeyringMutation {
+  orgMember: OrganisationMemberType
+}
+
+"""
+Rotate the user's account password and rewrap the active org's
+keyring with the new deviceKey. Used by the in-session change-password
+dialog where the user supplies their current password, a new password,
+and the org's recovery mnemonic.
+
+Three server-side proofs are required:
+  1. current_auth_hash matches user.password — proves the caller
+     knows the current login password.
+  2. identity_key matches the org's stored identity_key — proves the
+     caller derived the keyring from the right mnemonic.
+  3. user is a member of the org.
+
+On success: user.password is set to new_auth_hash, the org's
+wrapped_keyring + wrapped_recovery are replaced, and the session is
+refreshed so the post-rotation HASH_SESSION_KEY stays valid.
+
+Only the active org's keyring is rewrapped. Other orgs the user
+belongs to remain encrypted with the old deviceKey; they'll fall
+through to per-org recovery on next access.
+"""
+type ChangeAccountPasswordMutation {
+  orgMember: OrganisationMemberType
+}
+
 type DeleteInviteMutation {
   ok: Boolean
 }
@@ -1428,6 +1587,28 @@ type DeleteIdentityMutation {
   ok: Boolean
 }
 
+type CreateOrganisationSSOProviderMutation {
+  providerId: ID
+}
+
+type UpdateOrganisationSSOProviderMutation {
+  ok: Boolean
+}
+
+type DeleteOrganisationSSOProviderMutation {
+  ok: Boolean
+}
+
+type TestOrganisationSSOProviderMutation {
+  success: Boolean
+  error: String
+}
+
+type UpdateOrganisationSecurityMutation {
+  ok: Boolean
+  sessionInvalidated: Boolean
+}
+
 type CreateTeamMutation {
   team: TeamType
 }

From e3859caee61a69ef3839ae9b53fc73aa626712d4 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 10:16:17 +0530
Subject: [PATCH 095/118] fix: set deviceKey on scim account init, enforce sso
 for scim users

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/types.py             |  4 +++
 frontend/apollo/gql.ts                        |  6 ++--
 frontend/apollo/graphql.ts                    |  5 ++--
 frontend/apollo/schema.graphql                |  1 +
 frontend/app/[team]/account-init/page.tsx     | 28 ++++++++++++++++---
 frontend/graphql/queries/getOrganisations.gql |  1 +
 6 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 00c6c76f5..055c01fa1 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -129,6 +129,7 @@ def resolve_updated_by(self, info):
 class OrganisationType(DjangoObjectType):
     role = graphene.Field(RoleType)
     member_id = graphene.ID()
+    member_scim_managed = graphene.Boolean()
     keyring = graphene.String()
     recovery = graphene.String()
     plan_detail = graphene.Field(OrganisationPlanType)
@@ -170,6 +171,9 @@ def resolve_role(self, info):
     def resolve_member_id(self, info):
         return OrganisationType._get_member(self, info).id
 
+    def resolve_member_scim_managed(self, info):
+        return OrganisationType._get_member(self, info).scimuser_set.exists()
+
     def resolve_keyring(self, info):
         return OrganisationType._get_member(self, info).wrapped_keyring
 
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 9c0aa79d4..0d00439ec 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -141,7 +141,7 @@ type Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": typeof types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": typeof types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": typeof types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}": typeof types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    memberScimManaged\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}": typeof types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": typeof types.GetAwsStsEndpointsDocument,
     "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": typeof types.GetIdentityProvidersDocument,
     "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": typeof types.GetOrganisationIdentitiesDocument,
@@ -329,7 +329,7 @@ const documents: Documents = {
     "query GetAppKmsLogs($appId: ID!, $start: BigInt, $end: BigInt) {\n  kmsLogs(appId: $appId, start: $start, end: $end) {\n    logs {\n      id\n      timestamp\n      phaseNode\n      eventType\n      ipAddress\n      country\n      city\n      phSize\n    }\n    count\n  }\n}": types.GetAppKmsLogsDocument,
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    description\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": types.GetDashboardDocument,
-    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}": types.GetOrganisationsDocument,
+    "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    memberScimManaged\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}": types.GetOrganisationsDocument,
     "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": types.GetAwsStsEndpointsDocument,
     "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n  }\n}": types.GetIdentityProvidersDocument,
     "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n      ... on AzureEntraConfigType {\n        tenantId\n        resource\n        allowedServicePrincipalIds\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
@@ -915,7 +915,7 @@ export function graphql(source: "query GetDashboard($organisationId: ID!) {\n  a
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}"];
+export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    memberScimManaged\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    memberScimManaged\n    keyring\n    recovery\n    pricingVersion\n    requireSso\n    ssoProviders {\n      name\n      providerType\n      enabled\n    }\n    scimEnabled\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index c219a15e1..0298999fb 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -2176,6 +2176,7 @@ export type OrganisationType = {
   identityKey: Scalars['String']['output'];
   keyring?: Maybe<Scalars['String']['output']>;
   memberId?: Maybe<Scalars['ID']['output']>;
+  memberScimManaged?: Maybe<Scalars['Boolean']['output']>;
   name: Scalars['String']['output'];
   plan: ApiOrganisationPlanChoices;
   planDetail?: Maybe<OrganisationPlanType>;
@@ -4440,7 +4441,7 @@ export type GetDashboardQuery = { __typename?: 'Query', apps?: Array<{ __typenam
 export type GetOrganisationsQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, requireSso: boolean, scimEnabled: boolean, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, ssoProviders?: Array<{ __typename?: 'OrganisationSSOProviderType', name: string, providerType: ApiOrganisationSsoProviderProviderTypeChoices, enabled: boolean } | null> | null } | null> | null };
+export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, memberScimManaged?: boolean | null, keyring?: string | null, recovery?: string | null, pricingVersion: number, requireSso: boolean, scimEnabled: boolean, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, ssoProviders?: Array<{ __typename?: 'OrganisationSSOProviderType', name: string, providerType: ApiOrganisationSsoProviderProviderTypeChoices, enabled: boolean } | null> | null } | null> | null };
 
 export type GetAwsStsEndpointsQueryVariables = Exact<{ [key: string]: never; }>;
 
@@ -4998,7 +4999,7 @@ export const GetAppDetailDocument = {"kind":"Document","definitions":[{"kind":"O
 export const GetAppKmsLogsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppKmsLogs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"start"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"end"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"kmsLogs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"start"},"value":{"kind":"Variable","name":{"kind":"Name","value":"start"}}},{"kind":"Argument","name":{"kind":"Name","value":"end"},"value":{"kind":"Variable","name":{"kind":"Name","value":"end"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"logs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"timestamp"}},{"kind":"Field","name":{"kind":"Name","value":"phaseNode"}},{"kind":"Field","name":{"kind":"Name","value":"eventType"}},{"kind":"Field","name":{"kind":"Name","value":"ipAddress"}},{"kind":"Field","name":{"kind":"Name","value":"country"}},{"kind":"Field","name":{"kind":"Name","value":"city"}},{"kind":"Field","name":{"kind":"Name","value":"phSize"}}]}},{"kind":"Field","name":{"kind":"Name","value":"count"}}]}}]}}]} as unknown as DocumentNode<GetAppKmsLogsQuery, GetAppKmsLogsQueryVariables>;
 export const GetAppsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetApps"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetAppsQuery, GetAppsQueryVariables>;
 export const GetDashboardDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDashboard"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]} as unknown as DocumentNode<GetDashboardQuery, GetDashboardQueryVariables>;
-export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}},{"kind":"Field","name":{"kind":"Name","value":"requireSso"}},{"kind":"Field","name":{"kind":"Name","value":"ssoProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"providerType"}},{"kind":"Field","name":{"kind":"Name","value":"enabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"scimEnabled"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
+export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"memberScimManaged"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}},{"kind":"Field","name":{"kind":"Name","value":"pricingVersion"}},{"kind":"Field","name":{"kind":"Name","value":"requireSso"}},{"kind":"Field","name":{"kind":"Name","value":"ssoProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"providerType"}},{"kind":"Field","name":{"kind":"Name","value":"enabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"scimEnabled"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
 export const GetAwsStsEndpointsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsStsEndpoints"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsStsEndpoints"}}]}}]} as unknown as DocumentNode<GetAwsStsEndpointsQuery, GetAwsStsEndpointsQueryVariables>;
 export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
 export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}},{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AzureEntraConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"tenantId"}},{"kind":"Field","name":{"kind":"Name","value":"resource"}},{"kind":"Field","name":{"kind":"Name","value":"allowedServicePrincipalIds"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index d1702e502..96db32056 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -79,6 +79,7 @@ type OrganisationType {
   scimEnabled: Boolean!
   role: RoleType
   memberId: ID
+  memberScimManaged: Boolean
   keyring: String
   recovery: String
   planDetail: OrganisationPlanType
diff --git a/frontend/app/[team]/account-init/page.tsx b/frontend/app/[team]/account-init/page.tsx
index 3dd4c7962..ab3c79362 100644
--- a/frontend/app/[team]/account-init/page.tsx
+++ b/frontend/app/[team]/account-init/page.tsx
@@ -8,13 +8,14 @@ import { AccountRecovery } from '@/components/onboarding/AccountRecovery'
 import { LogoMark } from '@/components/common/LogoMark'
 import { organisationContext } from '@/contexts/organisationContext'
 import { useContext, useEffect, useState } from 'react'
-import { useSession } from '@/contexts/userContext'
+import { useSession, useUser } from '@/contexts/userContext'
 import { useRouter } from 'next/navigation'
 import { useMutation } from '@apollo/client'
 import { MdKey, MdOutlinePassword } from 'react-icons/md'
 import { FaArrowRight } from 'react-icons/fa'
 import { toast } from 'react-toastify'
-import { setDevicePassword } from '@/utils/localStorage'
+import { setMemberDeviceKey } from '@/utils/localStorage'
+import { handleSignout } from '@/apollo/client'
 import { copyRecoveryKit, generateRecoveryPdf } from '@/utils/recovery'
 import {
   organisationSeed,
@@ -31,6 +32,7 @@ const bip39 = require('bip39')
 export default function AccountInit() {
   const { activeOrganisation } = useContext(organisationContext)
   const { data: session } = useSession()
+  const { user } = useUser()
   const router = useRouter()
 
   const [initAccountKeys, { loading: mutationLoading }] = useMutation(InitAccountKeys)
@@ -55,6 +57,21 @@ export default function AccountInit() {
     }
   }, [activeOrganisation, router])
 
+  // SCIM-provisioned members must authenticate via SSO. If a password
+  // user lands here (e.g. they signed up with email+password before
+  // SCIM linked their account), sign them out and bounce them to the
+  // login page — they need to re-auth via the org's IdP.
+  useEffect(() => {
+    if (activeOrganisation?.memberScimManaged && user?.authMethod === 'password') {
+      handleSignout().then(() => {
+        // handleSignout already sets window.location to /login, but we
+        // override with the sso_enforced flag so the existing toast on
+        // SignInButtons explains why.
+        window.location.href = '/login?sso_enforced=true'
+      })
+    }
+  }, [activeOrganisation, user])
+
   const steps: Step[] = [
     {
       index: 0,
@@ -111,8 +128,11 @@ export default function AccountInit() {
         })
 
         const memberId = data?.updateMemberWrappedSecrets?.orgMember?.id
-        if (memberId && savePassword) {
-          setDevicePassword(memberId, pw)
+        // SCIM users SSO in, so deviceKey is keyed by memberId (per-org
+        // sudo password — same scheme as other SSO members).
+        if (memberId && savePassword && session?.user?.email) {
+          const deviceKey = await deviceVaultKey(pw, session.user.email)
+          setMemberDeviceKey(memberId, deviceKey)
         }
 
         setIsLoading(false)
diff --git a/frontend/graphql/queries/getOrganisations.gql b/frontend/graphql/queries/getOrganisations.gql
index 18b240df1..3e11299c1 100644
--- a/frontend/graphql/queries/getOrganisations.gql
+++ b/frontend/graphql/queries/getOrganisations.gql
@@ -24,6 +24,7 @@ query GetOrganisations {
       permissions
     }
     memberId
+    memberScimManaged
     keyring
     recovery
     pricingVersion

From 2ac1a4bff1f1f5f523e5df358a6e4f005faa4b85 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 13:42:56 +0530
Subject: [PATCH 096/118] feat: enforce SSO at middleware for SCIM-managed
 members

---
 backend/backend/graphene/middleware.py |  41 +++++-
 backend/tests/test_org_resolution.py   | 173 ++++++++++++++++++++++++-
 backend/tests/test_org_sso.py          |  18 ++-
 3 files changed, 223 insertions(+), 9 deletions(-)

diff --git a/backend/backend/graphene/middleware.py b/backend/backend/graphene/middleware.py
index efc9207cb..3d8faefaf 100644
--- a/backend/backend/graphene/middleware.py
+++ b/backend/backend/graphene/middleware.py
@@ -123,8 +123,8 @@ def resolve(self, next, root, info: GraphQLResolveInfo, **kwargs):
         if not org_id:
             return next(root, info, **kwargs)
 
-        # Skip the require_sso lookup when the session is already SSO-bound
-        # to this org — it would have been blocked at sign-in otherwise.
+        # Skip enforcement when the session is already SSO-bound to this
+        # org — it would have been blocked at sign-in otherwise.
         session = getattr(request, "session", None)
         session_method = session.get("auth_method") if session else None
         session_org_id = session.get("auth_sso_org_id") if session else None
@@ -135,8 +135,13 @@ def resolve(self, next, root, info: GraphQLResolveInfo, **kwargs):
         if decision is None:
             return next(root, info, **kwargs)
 
-        blocked, org_name = decision
-        if not blocked:
+        require_sso, org_name = decision
+
+        # Block when the org requires SSO globally OR the current member
+        # is SCIM-managed (the IdP is the source of truth for their
+        # access to this org). Per-org check — multi-org users can still
+        # password-auth into orgs where they're not SCIM-managed.
+        if not (require_sso or self._is_scim_managed(request, user, org_id)):
             return next(root, info, **kwargs)
 
         raise SSORequiredError(org_name, str(org_id))
@@ -184,6 +189,34 @@ def _get_org_decision(cls, request, org_id):
         cache_l1[key] = decision
         return decision
 
+    @classmethod
+    def _is_scim_managed(cls, request, user, org_id):
+        """Whether `user` is a SCIM-managed member of `org_id`. SCIM
+        membership ties access to the IdP — non-SSO sessions must be
+        rejected for that org regardless of the org's `require_sso`
+        flag. Cached per-(user, org) within the request scope.
+        """
+        cache_attr = "_scim_managed_cache"
+        request_cache = getattr(request, cache_attr, None)
+        if request_cache is None:
+            request_cache = {}
+            setattr(request, cache_attr, request_cache)
+
+        user_id = getattr(user, "userId", None) or getattr(user, "id", None) or user
+        key = (str(user_id), str(org_id))
+        if key in request_cache:
+            return request_cache[key]
+
+        result = OrganisationMember.objects.filter(
+            organisation_id=org_id,
+            user=user,
+            deleted_at__isnull=True,
+            scimuser__isnull=False,
+            scimuser__active=True,
+        ).exists()
+        request_cache[key] = result
+        return result
+
     @classmethod
     def _resolve_org_id(cls, request, kwargs, info=None):
         request_cache = getattr(request, cls._ID_CACHE_ATTR, None)
diff --git a/backend/tests/test_org_resolution.py b/backend/tests/test_org_resolution.py
index 5917f22eb..c88783844 100644
--- a/backend/tests/test_org_resolution.py
+++ b/backend/tests/test_org_resolution.py
@@ -261,9 +261,10 @@ def test_sso_session_bound_to_org_skips_db(self, mock_org_cls):
         self.assertEqual(result, "ran")
         mock_org_cls.objects.only.return_value.get.assert_not_called()
 
+    @patch("backend.graphene.middleware.OrganisationMember")
     @patch("backend.graphene.middleware.Organisation")
     def test_sso_session_bound_to_different_org_does_not_skip(
-        self, mock_org_cls
+        self, mock_org_cls, mock_om_cls
     ):
         """Session bound to org A must NOT short-circuit for requests
         targeting org B — the DB check must run to enforce B's require_sso."""
@@ -273,6 +274,7 @@ def test_sso_session_bound_to_different_org_does_not_skip(
         org = MagicMock(require_sso=False)
         org.name = "acme"
         mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
 
         mw = OrgSSOEnforcementMiddleware()
         mw.resolve(
@@ -285,5 +287,174 @@ def test_sso_session_bound_to_different_org_does_not_skip(
         mock_org_cls.objects.only.return_value.get.assert_called_once()
 
 
+class MiddlewareSCIMEnforcementTest(unittest.TestCase):
+    """SCIM-managed members must access via SSO regardless of the org's
+    require_sso flag — the IdP is the source of truth for that
+    membership. Per-org check, so multi-org users with non-SCIM
+    memberships elsewhere are unaffected."""
+
+    class _StubUser:
+        is_authenticated = True
+
+        def __init__(self, user_id="user-1"):
+            self.userId = user_id
+
+    class _StubRequest:
+        def __init__(self, session, user=None):
+            self.user = user or MiddlewareSCIMEnforcementTest._StubUser()
+            self.session = session
+
+    def _info(self, session, user=None):
+        info = MagicMock()
+        info.context = self._StubRequest(session, user)
+        info.return_type = MagicMock()
+        return info
+
+    def _next(self, root, info, **kwargs):
+        return "ran"
+
+    def setUp(self):
+        cache.clear()
+
+    @patch("backend.graphene.middleware.OrganisationMember")
+    @patch("backend.graphene.middleware.Organisation")
+    def test_password_session_scim_managed_blocks(self, mock_org_cls, mock_om_cls):
+        """Password-auth user accessing an org where they're SCIM-managed
+        must be rejected even when require_sso is False."""
+        from backend.graphene.middleware import (
+            OrgSSOEnforcementMiddleware,
+            SSORequiredError,
+        )
+
+        org = MagicMock(require_sso=False)
+        org.name = "acme"
+        mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = True
+
+        mw = OrgSSOEnforcementMiddleware()
+        with self.assertRaises(SSORequiredError):
+            mw.resolve(
+                self._next,
+                None,
+                self._info({"auth_method": "password"}),
+                organisation_id="org-1",
+            )
+
+    @patch("backend.graphene.middleware.OrganisationMember")
+    @patch("backend.graphene.middleware.Organisation")
+    def test_password_session_non_scim_member_allowed(
+        self, mock_org_cls, mock_om_cls
+    ):
+        """Regression: password-auth user in an org with require_sso=False
+        and no SCIM membership passes through — no false positives from
+        the new branch."""
+        from backend.graphene.middleware import OrgSSOEnforcementMiddleware
+
+        org = MagicMock(require_sso=False)
+        org.name = "acme"
+        mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
+
+        mw = OrgSSOEnforcementMiddleware()
+        result = mw.resolve(
+            self._next,
+            None,
+            self._info({"auth_method": "password"}),
+            organisation_id="org-1",
+        )
+        self.assertEqual(result, "ran")
+
+    @patch("backend.graphene.middleware.OrganisationMember")
+    @patch("backend.graphene.middleware.Organisation")
+    def test_scim_member_with_org_bound_sso_session_allowed(
+        self, mock_org_cls, mock_om_cls
+    ):
+        """SCIM-managed member with a session SSO-bound to that org skips
+        all checks via the existing fast path — SCIM lookup never even
+        runs."""
+        from backend.graphene.middleware import OrgSSOEnforcementMiddleware
+
+        mw = OrgSSOEnforcementMiddleware()
+        result = mw.resolve(
+            self._next,
+            None,
+            self._info({"auth_method": "sso", "auth_sso_org_id": "org-1"}),
+            organisation_id="org-1",
+        )
+        self.assertEqual(result, "ran")
+        mock_org_cls.objects.only.return_value.get.assert_not_called()
+        mock_om_cls.objects.filter.assert_not_called()
+
+    @patch("backend.graphene.middleware.OrganisationMember")
+    @patch("backend.graphene.middleware.Organisation")
+    def test_password_session_scim_in_other_org_allowed_for_password_org(
+        self, mock_org_cls, mock_om_cls
+    ):
+        """Multi-org isolation: a user who is SCIM-managed in org A can
+        still password-auth into org C where they're a regular member —
+        SCIM enforcement is per-(user, org), not global."""
+        from backend.graphene.middleware import OrgSSOEnforcementMiddleware
+
+        org_c = MagicMock(require_sso=False)
+        org_c.name = "personal"
+        mock_org_cls.objects.only.return_value.get.return_value = org_c
+        # No SCIM membership in org C even though the user is SCIM-managed elsewhere.
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
+
+        mw = OrgSSOEnforcementMiddleware()
+        result = mw.resolve(
+            self._next,
+            None,
+            self._info({"auth_method": "password"}),
+            organisation_id="org-C",
+        )
+        self.assertEqual(result, "ran")
+
+    @patch("backend.graphene.middleware._bypasses_sso_enforcement", return_value=True)
+    @patch("backend.graphene.middleware.OrganisationMember")
+    @patch("backend.graphene.middleware.Organisation")
+    def test_bypass_flag_overrides_scim_enforcement(
+        self, mock_org_cls, mock_om_cls, _mock_bypass
+    ):
+        """SSO admin recovery mutations carry bypass_sso_enforcement=True;
+        SCIM enforcement must not block them, otherwise an admin who
+        accidentally SCIM-locked themselves can't recover."""
+        from backend.graphene.middleware import OrgSSOEnforcementMiddleware
+
+        mw = OrgSSOEnforcementMiddleware()
+        result = mw.resolve(
+            self._next,
+            None,
+            self._info({"auth_method": "password"}),
+            organisation_id="org-1",
+        )
+        self.assertEqual(result, "ran")
+        # Bypass short-circuits before any DB query.
+        mock_org_cls.objects.only.return_value.get.assert_not_called()
+        mock_om_cls.objects.filter.assert_not_called()
+
+    @patch("backend.graphene.middleware.OrganisationMember")
+    @patch("backend.graphene.middleware.Organisation")
+    def test_scim_lookup_cached_per_request(self, mock_org_cls, mock_om_cls):
+        """Within a single request, the SCIM membership query runs once
+        per (user, org). A second resolver call with the same kwargs hits
+        the request-scoped cache instead of the DB."""
+        from backend.graphene.middleware import OrgSSOEnforcementMiddleware
+
+        org = MagicMock(require_sso=False)
+        org.name = "acme"
+        mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
+
+        mw = OrgSSOEnforcementMiddleware()
+        info = self._info({"auth_method": "password"})
+
+        mw.resolve(self._next, None, info, organisation_id="org-1")
+        mw.resolve(self._next, None, info, organisation_id="org-1")
+
+        # filter() called once across both resolves.
+        self.assertEqual(mock_om_cls.objects.filter.call_count, 1)
+
+
 if __name__ == "__main__":
     unittest.main()
diff --git a/backend/tests/test_org_sso.py b/backend/tests/test_org_sso.py
index 24aac455a..a5abeeb97 100644
--- a/backend/tests/test_org_sso.py
+++ b/backend/tests/test_org_sso.py
@@ -1134,12 +1134,14 @@ def _make_info(self, user_authenticated=True, session_auth_method=None, session_
     def _next(self, root, info, **kwargs):
         return "resolver_ran"
 
+    @patch("backend.graphene.middleware.OrganisationMember")
     @patch("backend.graphene.middleware.Organisation")
-    def test_passes_when_org_does_not_require_sso(self, mock_org_cls):
+    def test_passes_when_org_does_not_require_sso(self, mock_org_cls, mock_om_cls):
         from backend.graphene.middleware import OrgSSOEnforcementMiddleware
 
         org = MagicMock(require_sso=False, name="acme", id="org-1")
         mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
 
         mw = OrgSSOEnforcementMiddleware()
         info = self._make_info(session_auth_method="password")
@@ -1658,8 +1660,9 @@ def setUp(self):
     # caching behaviour is independent of the enforcement decision, and
     # these tests aren't exercising the enforcement branch.
 
+    @patch("backend.graphene.middleware.OrganisationMember")
     @patch("backend.graphene.middleware.Organisation")
-    def test_org_lookup_cached_across_calls(self, mock_org_cls):
+    def test_org_lookup_cached_across_calls(self, mock_org_cls, mock_om_cls):
         """A single GraphQL document often pulls many org-scoped fields —
         they must all share one Organisation lookup, not re-query each time."""
         from backend.graphene.middleware import OrgSSOEnforcementMiddleware
@@ -1667,6 +1670,7 @@ def test_org_lookup_cached_across_calls(self, mock_org_cls):
         org = MagicMock(require_sso=False)
         org.name = "acme"
         mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
 
         mw = OrgSSOEnforcementMiddleware()
         info = self._make_info_with_real_request()
@@ -1679,8 +1683,11 @@ def test_org_lookup_cached_across_calls(self, mock_org_cls):
             mock_org_cls.objects.only.return_value.get.call_count, 1
         )
 
+    @patch("backend.graphene.middleware.OrganisationMember")
     @patch("backend.graphene.middleware.Organisation")
-    def test_decision_cached_in_redis_across_requests(self, mock_org_cls):
+    def test_decision_cached_in_redis_across_requests(
+        self, mock_org_cls, mock_om_cls
+    ):
         """Second request against the same org must hit the Redis decision
         cache, not re-query Postgres — that's the whole point of Level 1
         Redis caching."""
@@ -1689,6 +1696,7 @@ def test_decision_cached_in_redis_across_requests(self, mock_org_cls):
         org = MagicMock(require_sso=False)
         org.name = "acme"
         mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
 
         mw = OrgSSOEnforcementMiddleware()
 
@@ -1701,8 +1709,9 @@ def test_decision_cached_in_redis_across_requests(self, mock_org_cls):
             mock_org_cls.objects.only.return_value.get.call_count, 1
         )
 
+    @patch("backend.graphene.middleware.OrganisationMember")
     @patch("backend.graphene.middleware.Organisation")
-    def test_decision_invalidate_clears_redis(self, mock_org_cls):
+    def test_decision_invalidate_clears_redis(self, mock_org_cls, mock_om_cls):
         """invalidate_decision must drop the cache so the next request
         re-reads require_sso from the DB (so e.g. toggling enforcement
         takes effect immediately for other users, not after the 60s TTL)."""
@@ -1711,6 +1720,7 @@ def test_decision_invalidate_clears_redis(self, mock_org_cls):
         org = MagicMock(require_sso=False)
         org.name = "acme"
         mock_org_cls.objects.only.return_value.get.return_value = org
+        mock_om_cls.objects.filter.return_value.exists.return_value = False
 
         mw = OrgSSOEnforcementMiddleware()
 

From b1e10269cdf76b6a318458d9c1c6c35632d8fdab Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 13:43:01 +0530
Subject: [PATCH 097/118] feat: auto-link SSO identity to existing user when
 SCIM-authorised

---
 backend/api/views/sso.py | 96 +++++++++++++++++++++++++++-------------
 1 file changed, 65 insertions(+), 31 deletions(-)

diff --git a/backend/api/views/sso.py b/backend/api/views/sso.py
index a246f771b..50daaedff 100644
--- a/backend/api/views/sso.py
+++ b/backend/api/views/sso.py
@@ -483,7 +483,37 @@ def _complete_login_bypassing_allauth(
             already_linked = SocialAccount.objects.filter(
                 user=existing_user, provider=provider
             ).exists()
-            if not already_linked:
+            if already_linked:
+                # Same provider linked under a different uid — refuse
+                # the silent re-link so the user can clean up
+                # deliberately.
+                logger.warning(
+                    f"Refused SSO link: provider={provider} email={email} "
+                    f"already linked under a different uid."
+                )
+                raise ValueError(
+                    "This sign-in identity does not match the one on "
+                    "file for this account. Contact your administrator."
+                )
+
+            # SCIM-provisioned members are an explicit exception to the
+            # silent-link refusal. The admin has already vouched for
+            # the IdP→email binding by provisioning this user via SCIM
+            # (signed by the org's SCIM token), so the first SSO
+            # sign-in from the same IdP is allowed to link
+            # automatically. Bound to org-level SSO callbacks only —
+            # instance-level SSO has no SCIM context to check against.
+            from api.models import SCIMUser
+
+            scim_authorised = bool(
+                org_config_id
+                and SCIMUser.objects.filter(
+                    user=existing_user,
+                    organisation=org,
+                    active=True,
+                ).exists()
+            )
+            if not scim_authorised:
                 logger.warning(
                     f"Refused silent SSO link: provider={provider} "
                     f"email={email} already has an account."
@@ -493,41 +523,45 @@ def _complete_login_bypassing_allauth(
                     "Sign in with your existing method, then link "
                     "this provider from your account settings."
                 )
-            # Same provider linked under a different uid — refuse the
-            # silent re-link so the user can clean up deliberately.
-            logger.warning(
-                f"Refused SSO link: provider={provider} email={email} "
-                f"already linked under a different uid."
+
+            logger.info(
+                f"Auto-linked SSO identity for SCIM-provisioned "
+                f"user: provider={provider} email={email} "
+                f"org={org.name}"
             )
-            raise ValueError(
-                "This sign-in identity does not match the one on "
-                "file for this account. Contact your administrator."
+            user = existing_user
+            sa = SocialAccount.objects.create(
+                provider=provider,
+                uid=uid,
+                user=user,
+                extra_data=extra_data,
             )
+        else:
+            from api.views.auth_password import username_for_email
 
-        from api.views.auth_password import username_for_email
-
-        user = User.objects.create_user(
-            username=username_for_email(email),
-            email=email,
-            password=None,
-        )
-        sa = SocialAccount.objects.create(
-            provider=provider,
-            uid=uid,
-            user=user,
-            extra_data=extra_data,
-        )
+            user = User.objects.create_user(
+                username=username_for_email(email),
+                email=email,
+                password=None,
+            )
+            sa = SocialAccount.objects.create(
+                provider=provider,
+                uid=uid,
+                user=user,
+                extra_data=extra_data,
+            )
 
-        # Fire allauth's signup signal so receivers (e.g. Slack notifier) run
-        # for org-SSO signups. The instance-level OAuth/OIDC flow goes
-        # through allauth and gets this for free; this callback creates
-        # users manually and would otherwise skip every receiver.
-        try:
-            from allauth.account.signals import user_signed_up
+            # Fire allauth's signup signal so receivers (e.g. Slack
+            # notifier) run for org-SSO signups. The instance-level
+            # OAuth/OIDC flow goes through allauth and gets this for
+            # free; this callback creates users manually and would
+            # otherwise skip every receiver.
+            try:
+                from allauth.account.signals import user_signed_up
 
-            user_signed_up.send(sender=user.__class__, request=request, user=user)
-        except Exception:
-            logger.exception("Failed to dispatch user_signed_up signal for %s", email)
+                user_signed_up.send(sender=user.__class__, request=request, user=user)
+            except Exception:
+                logger.exception("Failed to dispatch user_signed_up signal for %s", email)
 
     # Save the SocialToken if we have one
     if token and token.token:

From 2cb572ae15d8cd1fdd972018335b833eaadd2944 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 13:43:04 +0530
Subject: [PATCH 098/118] fix: skip identity_key proof on first-key-ceremony
 for SCIM members

---
 .../graphene/mutations/organisation.py        | 28 +++++-----
 backend/tests/test_auth_password.py           | 56 ++++++++++++++++---
 2 files changed, 64 insertions(+), 20 deletions(-)

diff --git a/backend/backend/graphene/mutations/organisation.py b/backend/backend/graphene/mutations/organisation.py
index d0c82ac08..e778b9dda 100644
--- a/backend/backend/graphene/mutations/organisation.py
+++ b/backend/backend/graphene/mutations/organisation.py
@@ -96,16 +96,18 @@ def mutate(
 
 
 class UpdateUserWrappedSecretsMutation(graphene.Mutation):
-    """Re-wrap THIS org's keyring after the caller proves they hold the
-    recovery mnemonic. Used by SSO recovery (where there's no login
-    password to verify against, so identity is proven via the mnemonic
-    alone).
-
-    Requires identity_key matching the org's stored identity_key — proves
-    the caller derived the keyring from the right mnemonic. Without this
-    proof, an authenticated user (or session-cookie holder) could
-    overwrite their own wrapped_keyring with arbitrary garbage and lock
-    themselves out of the org permanently.
+    """Re-wrap this member's keyring after the caller proves they hold
+    the recovery mnemonic, or establish the keyring for the first time
+    (e.g. SCIM-provisioned members completing their initial key
+    ceremony). Used by SSO recovery and the account-init page.
+
+    Requires identity_key matching the member's stored identity_key —
+    proves the caller derived the keyring from the same mnemonic they
+    registered with. Every Phase user has their own independently-
+    derived keyring, so this check is against the member's identity_key,
+    not the org's (which is the owner's). Members with no prior
+    identity_key (SCIM-preprovisioned accounts on first login) have no
+    identity to verify against — they are establishing one here.
     """
 
     class Arguments:
@@ -123,9 +125,6 @@ def mutate(cls, root, info, org_id, identity_key, wrapped_keyring, wrapped_recov
         except Organisation.DoesNotExist:
             raise GraphQLError("Organisation not found.")
 
-        if org.identity_key != identity_key:
-            raise GraphQLError("Invalid recovery proof.")
-
         try:
             org_member = OrganisationMember.objects.get(
                 organisation=org, user=info.context.user, deleted_at=None
@@ -133,6 +132,9 @@ def mutate(cls, root, info, org_id, identity_key, wrapped_keyring, wrapped_recov
         except OrganisationMember.DoesNotExist:
             raise GraphQLError("Not a member of this organisation.")
 
+        if org_member.identity_key and org_member.identity_key != identity_key:
+            raise GraphQLError("Invalid recovery proof.")
+
         first_key_ceremony = identity_key and not org_member.identity_key
 
         if identity_key:
diff --git a/backend/tests/test_auth_password.py b/backend/tests/test_auth_password.py
index 36edb1c72..ddf763fd0 100644
--- a/backend/tests/test_auth_password.py
+++ b/backend/tests/test_auth_password.py
@@ -1222,10 +1222,10 @@ def test_sso_user_recovery_rejected(self):
     @patch("backend.graphene.mutations.organisation.OrganisationMember")
     @patch("backend.graphene.mutations.organisation.Organisation")
     def test_sso_recovery_rewrap_requires_identity_proof(self, mock_org, mock_om):
-        """SSO recovery via UpdateUserWrappedSecretsMutation must reject
-        when supplied identity_key doesn't match — without this proof an
-        authenticated user (or session-cookie holder) could overwrite
-        their wrapped_keyring with arbitrary garbage."""
+        """Re-wrap of an existing keyring must reject when supplied
+        identity_key doesn't match the member's stored one — without
+        this proof an authenticated user (or session-cookie holder)
+        could overwrite their wrapped_keyring with a foreign identity."""
         from graphql import GraphQLError
         from backend.graphene.mutations.organisation import (
             UpdateUserWrappedSecretsMutation,
@@ -1233,9 +1233,12 @@ def test_sso_recovery_rewrap_requires_identity_proof(self, mock_org, mock_om):
         user = MagicMock()
 
         org = MagicMock()
-        org.identity_key = "real_key"
         mock_org.objects.get.return_value = org
 
+        org_member = MagicMock()
+        org_member.identity_key = "real_key"
+        mock_om.objects.get.return_value = org_member
+
         with self.assertRaises(GraphQLError):
             UpdateUserWrappedSecretsMutation.mutate(
                 None,
@@ -1245,7 +1248,7 @@ def test_sso_recovery_rewrap_requires_identity_proof(self, mock_org, mock_om):
                 wrapped_keyring="garbage",
                 wrapped_recovery="garbage",
             )
-        mock_om.objects.get.assert_not_called()
+        org_member.save.assert_not_called()
 
     @patch("backend.graphene.mutations.organisation.OrganisationMember")
     @patch("backend.graphene.mutations.organisation.Organisation")
@@ -1259,10 +1262,10 @@ def test_sso_recovery_rewrap_succeeds_with_valid_identity(
         user = MagicMock()
 
         org = MagicMock()
-        org.identity_key = "matching_key"
         mock_org.objects.get.return_value = org
 
         org_member = MagicMock()
+        org_member.identity_key = "matching_key"
         mock_om.objects.get.return_value = org_member
 
         result = UpdateUserWrappedSecretsMutation.mutate(
@@ -1279,6 +1282,45 @@ def test_sso_recovery_rewrap_succeeds_with_valid_identity(
         org_member.save.assert_called_once()
         self.assertIs(result.org_member, org_member)
 
+    @patch("backend.graphene.mutations.organisation.provision_pending_team_keys")
+    @patch("backend.graphene.mutations.organisation.OrganisationMember")
+    @patch("backend.graphene.mutations.organisation.Organisation")
+    def test_first_key_ceremony_skips_identity_proof(
+        self, mock_org, mock_om, mock_provision
+    ):
+        """SCIM-provisioned members have no prior identity_key — they
+        are establishing one for the first time, so the proof check
+        must be skipped. A blank stored identity_key would otherwise
+        reject every legitimate first-ceremony call."""
+        from backend.graphene.mutations.organisation import (
+            UpdateUserWrappedSecretsMutation,
+        )
+        user = MagicMock()
+
+        org = MagicMock()
+        mock_org.objects.get.return_value = org
+
+        org_member = MagicMock()
+        org_member.identity_key = ""  # SCIM-preprovisioned, never set
+        mock_om.objects.get.return_value = org_member
+
+        result = UpdateUserWrappedSecretsMutation.mutate(
+            None,
+            self._info(user),
+            org_id="org-1",
+            identity_key="newly-derived-key",
+            wrapped_keyring="new_wk",
+            wrapped_recovery="new_wr",
+        )
+
+        self.assertEqual(org_member.identity_key, "newly-derived-key")
+        self.assertEqual(org_member.wrapped_keyring, "new_wk")
+        self.assertEqual(org_member.wrapped_recovery, "new_wr")
+        org_member.save.assert_called_once()
+        # Team env keys are provisioned for SCIM members on first ceremony.
+        mock_provision.assert_called_once_with(org_member)
+        self.assertIs(result.org_member, org_member)
+
 
 class CrossAuthMethodTest(_ThrottleClearMixin, unittest.TestCase):
     """Tests for cross-auth-method edge cases."""

From c7841bece7124a31e8507d92d99a45b543e7e83d Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 13:43:09 +0530
Subject: [PATCH 099/118] fix: redirect SCIM-restricted access to lobby instead
 of forcing logout

---
 frontend/app/[team]/account-init/page.tsx | 21 ++++++----------
 frontend/app/[team]/layout.tsx            | 30 ++++++++++++++++++++++-
 frontend/app/page.tsx                     | 14 ++++++++---
 3 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/frontend/app/[team]/account-init/page.tsx b/frontend/app/[team]/account-init/page.tsx
index ab3c79362..bf02191be 100644
--- a/frontend/app/[team]/account-init/page.tsx
+++ b/frontend/app/[team]/account-init/page.tsx
@@ -15,7 +15,6 @@ import { MdKey, MdOutlinePassword } from 'react-icons/md'
 import { FaArrowRight } from 'react-icons/fa'
 import { toast } from 'react-toastify'
 import { setMemberDeviceKey } from '@/utils/localStorage'
-import { handleSignout } from '@/apollo/client'
 import { copyRecoveryKit, generateRecoveryPdf } from '@/utils/recovery'
 import {
   organisationSeed,
@@ -57,20 +56,16 @@ export default function AccountInit() {
     }
   }, [activeOrganisation, router])
 
-  // SCIM-provisioned members must authenticate via SSO. If a password
-  // user lands here (e.g. they signed up with email+password before
-  // SCIM linked their account), sign them out and bounce them to the
-  // login page — they need to re-auth via the org's IdP.
+  // SCIM-provisioned members must authenticate via SSO for this org.
+  // If a password user lands here (e.g. they signed up with email+
+  // password before SCIM linked their account), bounce them to the
+  // lobby — it shows this org greyed out with a "sign in via SSO"
+  // hint, preserving their session for any other orgs they belong to.
   useEffect(() => {
     if (activeOrganisation?.memberScimManaged && user?.authMethod === 'password') {
-      handleSignout().then(() => {
-        // handleSignout already sets window.location to /login, but we
-        // override with the sso_enforced flag so the existing toast on
-        // SignInButtons explains why.
-        window.location.href = '/login?sso_enforced=true'
-      })
+      router.push('/')
     }
-  }, [activeOrganisation, user])
+  }, [activeOrganisation, user, router])
 
   const steps: Step[] = [
     {
@@ -210,7 +205,6 @@ export default function AccountInit() {
   if (success) {
     return (
       <main className="w-full flex flex-col justify-between h-screen">
-        <HeroPattern />
         <div className="mx-auto my-auto max-w-2xl space-y-8 p-16 bg-zinc-100 dark:bg-zinc-800 text-black dark:text-white rounded-md shadow-2xl text-center">
           <div className="flex flex-col gap-y-2 items-center">
             <h1 className="text-4xl text-black dark:text-white text-center font-bold">
@@ -237,7 +231,6 @@ export default function AccountInit() {
 
   return (
     <main className="w-full flex flex-col justify-between h-screen">
-      <HeroPattern />
       <div className="mx-auto my-auto w-full max-w-4xl flex flex-col gap-y-16 py-40">
         <form
           onSubmit={incrementStep}
diff --git a/frontend/app/[team]/layout.tsx b/frontend/app/[team]/layout.tsx
index 1383f2a54..4833fa98e 100644
--- a/frontend/app/[team]/layout.tsx
+++ b/frontend/app/[team]/layout.tsx
@@ -4,6 +4,8 @@ import '@/app/globals.css'
 import { NavBar } from '@/components/layout/Navbar'
 import Sidebar from '@/components/layout/Sidebar'
 import { organisationContext } from '@/contexts/organisationContext'
+import { useUser } from '@/contexts/userContext'
+import { OrganisationType } from '@/apollo/graphql'
 import clsx from 'clsx'
 import { usePathname, useRouter } from 'next/navigation'
 import { useContext, useEffect, useMemo } from 'react'
@@ -18,12 +20,23 @@ export default function RootLayout({
 }) {
   const { activeOrganisation, setActiveOrganisation, organisations, loading } =
     useContext(organisationContext)
+  const { user } = useUser()
 
   const router = useRouter()
 
   const path = usePathname()
   const isAccountInit = path?.split('/').includes('account-init')
 
+  // Mirrors `canAccessOrg` on the lobby: an org is accessible only when
+  // the session is SSO-bound to it if the org requires SSO (either
+  // explicitly via require_sso or implicitly because the member is
+  // SCIM-managed).
+  const canAccessOrg = (org: OrganisationType): boolean => {
+    const ssoRequired = org.requireSso || org.memberScimManaged
+    if (!ssoRequired) return true
+    return user?.authMethod === 'sso' && user?.authSsoOrgId === org.id
+  }
+
   useEffect(() => {
     if (!loading && organisations !== null) {
       // if there are no organisations for this user, send to onboarding
@@ -38,6 +51,15 @@ export default function RootLayout({
       if (org) {
         setActiveOrganisation(org)
 
+        // Bounce to the lobby if SSO is required for this org but the
+        // session isn't SSO-bound. The lobby renders the org as
+        // greyed-out with a "sign in via SSO" hint instead of the
+        // user being silently logged out.
+        if (!canAccessOrg(org)) {
+          router.push(`/`)
+          return
+        }
+
         // SCIM-provisioned users with no keyring need to complete key ceremony
         if (!org.keyring && !isAccountInit) {
           router.push(`/${org.name}/account-init`)
@@ -48,6 +70,11 @@ export default function RootLayout({
         const singleOrg = organisations[0]
         setActiveOrganisation(singleOrg)
 
+        if (!canAccessOrg(singleOrg)) {
+          router.push(`/`)
+          return
+        }
+
         if (!singleOrg.keyring && !isAccountInit) {
           router.push(`/${singleOrg.name}/account-init`)
         }
@@ -55,7 +82,8 @@ export default function RootLayout({
       // else send to home
       else router.push(`/`)
     }
-  }, [organisations, params.team, router, loading, setActiveOrganisation, isAccountInit])
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [organisations, params.team, router, loading, setActiveOrganisation, isAccountInit, user])
 
   // Detect if we need to redirect to account-init (SCIM user with no keyring)
   const needsKeyringInit = useMemo(() => {
diff --git a/frontend/app/page.tsx b/frontend/app/page.tsx
index da2fb32c1..ae9d65a9b 100644
--- a/frontend/app/page.tsx
+++ b/frontend/app/page.tsx
@@ -29,9 +29,12 @@ export default function Home() {
   const [showOrgCards, setShowOrgCards] = useState<boolean>(false)
 
   const canAccessOrg = (org: OrganisationType) => {
-    if (!org.requireSso) return true
-    if (user?.authMethod === 'sso' && user?.authSsoOrgId === org.id) return true
-    return false
+    // SCIM-managed members must auth via the org's SSO — the IdP is the
+    // source of truth for their access. Same enforcement as require_sso,
+    // applied per-member rather than per-org.
+    const ssoRequired = org.requireSso || org.memberScimManaged
+    if (!ssoRequired) return true
+    return user?.authMethod === 'sso' && user?.authSsoOrgId === org.id
   }
 
   const getActiveProviderName = (org: OrganisationType) => {
@@ -136,7 +139,10 @@ export default function Home() {
                           <div className="flex flex-col gap-2 items-end text-right">
                             <div className="flex items-center gap-1.5 text-amber-600 dark:text-amber-400 text-xs">
                               <FaLock className="shrink-0" />
-                              <span>Sign in with {getActiveProviderName(org)} to access</span>
+                              <span>
+                                Sign in with {getActiveProviderName(org)} to access
+                                {org.memberScimManaged && ' (provisioned via SCIM)'}
+                              </span>
                             </div>
                             <button
                               onClick={(e) => { e.stopPropagation(); handleSignout() }}

From 783a418556795fca59879f1dabe529efc4d252f6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:05:59 +0530
Subject: [PATCH 100/118] fix: store env identity_key on team-provisioned
 EnvironmentKeys

---
 backend/api/utils/keys.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/api/utils/keys.py b/backend/api/utils/keys.py
index 7fcd2a36a..cfed2b587 100644
--- a/backend/api/utils/keys.py
+++ b/backend/api/utils/keys.py
@@ -103,9 +103,12 @@ def provision_team_environment_keys(team, app, members=None):
                 # constraint catches it — re-fetch instead of propagating the error.
                 try:
                     with transaction.atomic():
+                        # identity_key here is the env's, not the
+                        # recipient's — clients derive the env keypair
+                        # from it to decrypt secrets.
                         env_key = EnvironmentKey.objects.create(
                             **key_filter,
-                            identity_key=account.identity_key,
+                            identity_key=env.identity_key,
                             wrapped_seed=wrapped_seed,
                             wrapped_salt=wrapped_salt,
                         )

From be9f97c813be60991a146afc8b41d99838f470ee Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:06:04 +0530
Subject: [PATCH 101/118] feat: gate SCIM SSO auto-link on email_verified claim

---
 backend/api/views/sso.py | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/backend/api/views/sso.py b/backend/api/views/sso.py
index 50daaedff..07609fa84 100644
--- a/backend/api/views/sso.py
+++ b/backend/api/views/sso.py
@@ -496,13 +496,9 @@ def _complete_login_bypassing_allauth(
                     "file for this account. Contact your administrator."
                 )
 
-            # SCIM-provisioned members are an explicit exception to the
-            # silent-link refusal. The admin has already vouched for
-            # the IdP→email binding by provisioning this user via SCIM
-            # (signed by the org's SCIM token), so the first SSO
-            # sign-in from the same IdP is allowed to link
-            # automatically. Bound to org-level SSO callbacks only —
-            # instance-level SSO has no SCIM context to check against.
+            # SCIM-provisioned members get an auto-link exception:
+            # the admin already vouched for IdP→email when issuing the
+            # SCIM token. Only org-level callbacks have this context.
             from api.models import SCIMUser
 
             scim_authorised = bool(
@@ -524,6 +520,18 @@ def _complete_login_bypassing_allauth(
                     "this provider from your account settings."
                 )
 
+            # Belt-and-braces: SCIM trust doesn't override an explicit
+            # `email_verified=false` from the IdP this round-trip.
+            if extra_data.get("email_verified") is False:
+                logger.warning(
+                    f"Refused SCIM auto-link: provider={provider} "
+                    f"email={email} not verified by IdP."
+                )
+                raise ValueError(
+                    "Email not verified by identity provider. "
+                    "Contact your administrator."
+                )
+
             logger.info(
                 f"Auto-linked SSO identity for SCIM-provisioned "
                 f"user: provider={provider} email={email} "

From 155ddc533701189f8be0a24803746e091301b7a9 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:06:13 +0530
Subject: [PATCH 102/118] feat: gate social adapter auto-link on email_verified

---
 backend/api/authentication/adapters/social.py | 10 ++
 backend/tests/api/test_social_adapter.py      | 91 +++++++++++++++++++
 2 files changed, 101 insertions(+)
 create mode 100644 backend/tests/api/test_social_adapter.py

diff --git a/backend/api/authentication/adapters/social.py b/backend/api/authentication/adapters/social.py
index b0aa05279..36234625a 100644
--- a/backend/api/authentication/adapters/social.py
+++ b/backend/api/authentication/adapters/social.py
@@ -29,6 +29,16 @@ def pre_social_login(self, request, sociallogin):
         if not email:
             return
 
+        # Defense-in-depth: never auto-link when the IdP explicitly
+        # marks the email unverified. Mirrors the SSO callback's gate.
+        extra_data = sociallogin.account.extra_data or {}
+        if extra_data.get("email_verified") is False:
+            logger.warning(
+                f"Refused auto-link: provider={sociallogin.account.provider} "
+                f"email={email} not verified by IdP."
+            )
+            return
+
         try:
             existing_user = User.objects.get(email=email)
         except User.DoesNotExist:
diff --git a/backend/tests/api/test_social_adapter.py b/backend/tests/api/test_social_adapter.py
new file mode 100644
index 000000000..52245cbf5
--- /dev/null
+++ b/backend/tests/api/test_social_adapter.py
@@ -0,0 +1,91 @@
+"""Unit tests for AutoLinkSocialAccountAdapter (F2 of QA batch 1).
+
+The adapter currently isn't invoked in the product SSO flow (which
+bypasses allauth's `complete_social_login`), but it is still registered
+globally via `SOCIALACCOUNT_ADAPTER`. Anything that does flow through
+allauth — Django admin OAuth, future allauth-based code paths,
+third-party deps — would invoke it. The auto-link must only fire when
+the IdP's `email_verified` claim isn't explicitly False.
+"""
+
+from unittest.mock import MagicMock, patch
+
+
+def _make_sociallogin(email, extra_data, is_existing=False):
+    sociallogin = MagicMock()
+    sociallogin.is_existing = is_existing
+    sociallogin.user = MagicMock(email=email)
+    sociallogin.account = MagicMock(
+        provider="okta-oidc",
+        uid="idp-uid-123",
+        extra_data=extra_data,
+    )
+    return sociallogin
+
+
+@patch("api.authentication.adapters.social.SocialAccount")
+@patch("api.authentication.adapters.social.User")
+def test_skips_link_when_email_explicitly_unverified(MockUser, MockSocialAccount):
+    """`email_verified=False` is the only blocker — a malicious or
+    misconfigured IdP claiming another user's email must not be silently
+    linked to that account."""
+    from api.authentication.adapters.social import AutoLinkSocialAccountAdapter
+
+    adapter = AutoLinkSocialAccountAdapter()
+    sociallogin = _make_sociallogin(
+        email="victim@example.com",
+        extra_data={"email_verified": False},
+    )
+
+    adapter.pre_social_login(request=MagicMock(), sociallogin=sociallogin)
+
+    # Neither the lookup nor the link should have happened.
+    MockUser.objects.get.assert_not_called()
+    MockSocialAccount.objects.get_or_create.assert_not_called()
+
+
+@patch("api.authentication.adapters.social.SocialAccount")
+@patch("api.authentication.adapters.social.User")
+def test_links_when_email_verified_true(MockUser, MockSocialAccount):
+    existing = MagicMock()
+    MockUser.objects.get.return_value = existing
+    sa = MagicMock()
+    MockSocialAccount.objects.get_or_create.return_value = (sa, True)
+
+    from api.authentication.adapters.social import AutoLinkSocialAccountAdapter
+
+    adapter = AutoLinkSocialAccountAdapter()
+    sociallogin = _make_sociallogin(
+        email="alice@example.com",
+        extra_data={"email_verified": True},
+    )
+
+    adapter.pre_social_login(request=MagicMock(), sociallogin=sociallogin)
+
+    MockUser.objects.get.assert_called_once_with(email="alice@example.com")
+    MockSocialAccount.objects.get_or_create.assert_called_once()
+
+
+@patch("api.authentication.adapters.social.SocialAccount")
+@patch("api.authentication.adapters.social.User")
+def test_links_when_email_verified_absent(MockUser, MockSocialAccount):
+    """Some IdPs (Microsoft work accounts, older OIDC) don't emit the
+    claim. Those flow through — the adapter trusts the IdP at the
+    registration level. Only an explicit False is a blocker."""
+    existing = MagicMock()
+    MockUser.objects.get.return_value = existing
+    sa = MagicMock()
+    MockSocialAccount.objects.get_or_create.return_value = (sa, True)
+
+    from api.authentication.adapters.social import AutoLinkSocialAccountAdapter
+
+    adapter = AutoLinkSocialAccountAdapter()
+    sociallogin = _make_sociallogin(
+        email="alice@example.com",
+        extra_data={},  # no email_verified key at all
+    )
+
+    adapter.pre_social_login(request=MagicMock(), sociallogin=sociallogin)
+
+    MockUser.objects.get.assert_called_once()
+    MockSocialAccount.objects.get_or_create.assert_called_once()

From cf53d820754020c8407e709b40517e96e39e2bc2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:06:40 +0530
Subject: [PATCH 103/118] fix: scope TeamType nested resolvers to
 caller-accessible apps

---
 backend/backend/graphene/types.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 055c01fa1..000695a58 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -1,6 +1,7 @@
 from api.services import Providers, ServiceConfig
 from api.utils.syncing.auth import get_credentials
 from api.utils.access.permissions import (
+    user_can_access_app,
     user_can_access_environment,
     user_has_permission,
 )
@@ -1227,13 +1228,32 @@ def resolve_members(self, info):
         )
 
     def resolve_apps(self, info):
+        # Gate to apps the caller can access — AppType exposes app_seed,
+        # wrapped_key_share, app_token, which would leak via teams.
+        user_id = info.context.user.userId
         app_ids = (
             self.app_environments.values_list("app_id", flat=True).distinct()
         )
-        return App.objects.filter(id__in=app_ids, is_deleted=False)
+        return [
+            app
+            for app in App.objects.filter(id__in=app_ids, is_deleted=False)
+            if user_can_access_app(user_id, app.id)
+        ]
 
     def resolve_app_environments(self, info):
-        return self.app_environments.select_related("app", "environment").all()
+        # Same gate as resolve_apps — don't leak the team→env matrix
+        # for apps the caller can't see.
+        user_id = info.context.user.userId
+        accessible_app_ids = {
+            app_id
+            for app_id in self.app_environments.values_list(
+                "app_id", flat=True
+            ).distinct()
+            if user_can_access_app(user_id, app_id)
+        }
+        return self.app_environments.select_related(
+            "app", "environment"
+        ).filter(app_id__in=accessible_app_ids)
 
     def resolve_member_count(self, info):
         return self.memberships.exclude(

From 24b278ba7309beff8b098c1e97d591707b2e5a9c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:06:46 +0530
Subject: [PATCH 104/118] fix: pre-flight per-SA permission check before bulk
 handler delete

---
 .../graphene/mutations/service_accounts.py    |  14 +-
 .../test_update_service_account_handlers.py   | 127 ++++++++++++++++++
 2 files changed, 139 insertions(+), 2 deletions(-)
 create mode 100644 backend/tests/api/mutations/test_update_service_account_handlers.py

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index c024c7c4f..e8c06ec92 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -324,9 +324,19 @@ def mutate(cls, root, info, organisation_id, handlers):
                 "You don't have permission to manage service accounts"
             )
 
-        # Only delete handlers for SAs referenced in the incoming list.
-        # This prevents wiping handlers for team-owned SAs the caller can't see.
+        # Pre-flight: org-level perms aren't sufficient for team-owned
+        # SAs — fail before the bulk delete below if any are off-limits.
         sa_ids = set(h.service_account_id for h in handlers)
+        target_sas = ServiceAccount.objects.filter(
+            id__in=sa_ids,
+            organisation=org,
+            deleted_at__isnull=True,
+        ).select_related("team")
+        for sa in target_sas:
+            _check_sa_permission(user, sa, "update", "ServiceAccounts")
+
+        # Scope the delete to listed SAs so we don't wipe handlers for
+        # team-owned SAs the caller can't see.
         ServiceAccountHandler.objects.filter(
             service_account__organisation=org,
             service_account_id__in=sa_ids,
diff --git a/backend/tests/api/mutations/test_update_service_account_handlers.py b/backend/tests/api/mutations/test_update_service_account_handlers.py
new file mode 100644
index 000000000..5086a5dde
--- /dev/null
+++ b/backend/tests/api/mutations/test_update_service_account_handlers.py
@@ -0,0 +1,127 @@
+"""Unit tests for UpdateServiceAccountHandlersMutation (F4 of QA batch 1).
+
+A non-global user with org-level `ServiceAccounts.update` could
+previously pass team-owned SA ids in `handlers` — the bulk delete at
+the top of the mutation wiped handlers before any per-SA visibility
+check ran. The fix pre-flights `_check_sa_permission` over every
+submitted SA before any deletion happens, so a single inaccessible SA
+in the payload aborts the whole mutation with no side effects.
+"""
+
+import pytest
+from unittest.mock import MagicMock, patch
+
+from graphql import GraphQLError
+
+
+def _make_info(user):
+    info = MagicMock()
+    info.context.user = user
+    return info
+
+
+def _make_handler_input(sa_id, member_id="m1"):
+    h = MagicMock()
+    h.service_account_id = sa_id
+    h.member_id = member_id
+    h.wrapped_keyring = "wk"
+    h.wrapped_recovery = "wr"
+    return h
+
+
+@patch("backend.graphene.mutations.service_accounts.ServiceAccountHandler")
+@patch("backend.graphene.mutations.service_accounts.ServiceAccount")
+@patch("backend.graphene.mutations.service_accounts._check_sa_permission")
+@patch("backend.graphene.mutations.service_accounts.user_has_permission", return_value=True)
+@patch("backend.graphene.mutations.service_accounts.user_is_org_member", return_value=True)
+@patch("backend.graphene.mutations.service_accounts.Organisation")
+def test_pre_flight_check_blocks_inaccessible_team_sa(
+    MockOrg,
+    _mock_org_member,
+    _mock_perm,
+    mock_check_sa,
+    MockSA,
+    MockHandler,
+):
+    """An inaccessible SA in the payload aborts the whole mutation
+    before any handler row is touched."""
+    from backend.graphene.mutations.service_accounts import (
+        UpdateServiceAccountHandlersMutation,
+    )
+
+    org = MagicMock()
+    MockOrg.objects.get.return_value = org
+
+    accessible_sa = MagicMock(id="sa-ok")
+    inaccessible_sa = MagicMock(id="sa-blocked")
+    MockSA.objects.filter.return_value.select_related.return_value = [
+        accessible_sa, inaccessible_sa,
+    ]
+
+    # _check_sa_permission raises on the second SA (the team-owned one
+    # the caller can't access).
+    mock_check_sa.side_effect = [None, GraphQLError("denied")]
+
+    user = MagicMock()
+    user.userId = "u1"
+
+    with pytest.raises(GraphQLError):
+        UpdateServiceAccountHandlersMutation.mutate(
+            None,
+            _make_info(user),
+            organisation_id="org-1",
+            handlers=[
+                _make_handler_input("sa-ok"),
+                _make_handler_input("sa-blocked"),
+            ],
+        )
+
+    # No bulk delete and no handler creation should have happened.
+    MockHandler.objects.filter.return_value.delete.assert_not_called()
+    MockHandler.objects.create.assert_not_called()
+
+
+@patch("backend.graphene.mutations.service_accounts.ServiceAccountHandler")
+@patch("backend.graphene.mutations.service_accounts.ServiceAccount")
+@patch("backend.graphene.mutations.service_accounts._check_sa_permission", return_value=None)
+@patch("backend.graphene.mutations.service_accounts.user_has_permission", return_value=True)
+@patch("backend.graphene.mutations.service_accounts.user_is_org_member", return_value=True)
+@patch("backend.graphene.mutations.service_accounts.Organisation")
+def test_pre_flight_passes_when_all_sas_accessible(
+    MockOrg,
+    _mock_org_member,
+    _mock_perm,
+    _mock_check_sa,
+    MockSA,
+    MockHandler,
+):
+    """Regression: when every SA in the payload passes the per-SA
+    permission check, the mutation proceeds to delete handlers and
+    create the new ones."""
+    from backend.graphene.mutations.service_accounts import (
+        UpdateServiceAccountHandlersMutation,
+    )
+
+    org = MagicMock()
+    MockOrg.objects.get.return_value = org
+
+    sa = MagicMock(id="sa-1")
+    MockSA.objects.filter.return_value.select_related.return_value = [sa]
+    # `ServiceAccount.objects.get(...)` for the per-handler create loop
+    MockSA.objects.get.return_value = sa
+    # No existing handler for this (sa, member) pair.
+    MockHandler.objects.filter.return_value.exists.return_value = False
+
+    user = MagicMock()
+    user.userId = "u1"
+
+    UpdateServiceAccountHandlersMutation.mutate(
+        None,
+        _make_info(user),
+        organisation_id="org-1",
+        handlers=[_make_handler_input("sa-1")],
+    )
+
+    # Bulk delete fired; new handler created.
+    MockHandler.objects.filter.return_value.delete.assert_called()
+    MockHandler.objects.create.assert_called_once()

From e6c007e9b12369837e911e46b9d8ea774c78546b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:06:59 +0530
Subject: [PATCH 105/118] fix: preserve team grants when updating direct env
 scope

---
 .../backend/graphene/mutations/environment.py |  46 ++++++-
 .../mutations/test_update_member_env_scope.py | 126 ++++++++++++++++++
 2 files changed, 167 insertions(+), 5 deletions(-)
 create mode 100644 backend/tests/api/mutations/test_update_member_env_scope.py

diff --git a/backend/backend/graphene/mutations/environment.py b/backend/backend/graphene/mutations/environment.py
index 32c08d0aa..627f26cda 100644
--- a/backend/backend/graphene/mutations/environment.py
+++ b/backend/backend/graphene/mutations/environment.py
@@ -416,13 +416,49 @@ def mutate(
                 )
 
         with transaction.atomic():
-            # Soft-delete existing keys (preserves grant history, avoids CASCADE)
-            old_keys = EnvironmentKey.objects.filter(**key_to_delete_filter)
-            EnvironmentKeyGrant.objects.filter(environment_key__in=old_keys).delete()
-            old_keys.update(deleted_at=timezone.now())
+            # Drop only individual grants; team grants on the same key
+            # must survive this edit. Soft-delete keys with no grants
+            # left, and re-attach individual grants to keys preserved
+            # for their team grant (avoids the (env, user|sa) unique
+            # conflict that would arise from creating a duplicate row).
+            old_keys = list(
+                EnvironmentKey.objects.filter(
+                    deleted_at__isnull=True, **key_to_delete_filter
+                )
+            )
+            old_key_ids = [k.id for k in old_keys]
+            EnvironmentKeyGrant.objects.filter(
+                environment_key_id__in=old_key_ids, grant_type="individual"
+            ).delete()
+
+            keys_with_remaining_grants = set(
+                EnvironmentKeyGrant.objects.filter(
+                    environment_key_id__in=old_key_ids
+                ).values_list("environment_key_id", flat=True)
+            )
+            EnvironmentKey.objects.filter(
+                id__in=[
+                    kid for kid in old_key_ids
+                    if kid not in keys_with_remaining_grants
+                ]
+            ).update(deleted_at=timezone.now())
+
+            preserved_by_env = {
+                k.environment_id: k
+                for k in old_keys
+                if k.id in keys_with_remaining_grants
+            }
 
-            # Create new keys with individual grants
             for key in env_keys:
+                preserved = preserved_by_env.get(key.env_id)
+                if preserved is not None:
+                    EnvironmentKeyGrant.objects.get_or_create(
+                        environment_key=preserved,
+                        grant_type="individual",
+                        team=None,
+                    )
+                    continue
+
                 new_key = EnvironmentKey.objects.create(
                     environment_id=key.env_id,
                     user_id=key.user_id if member_type == MemberType.USER else None,
diff --git a/backend/tests/api/mutations/test_update_member_env_scope.py b/backend/tests/api/mutations/test_update_member_env_scope.py
new file mode 100644
index 000000000..6c5484b7a
--- /dev/null
+++ b/backend/tests/api/mutations/test_update_member_env_scope.py
@@ -0,0 +1,126 @@
+"""Unit tests for UpdateMemberEnvScopeMutation grant handling
+(F5 of QA batch 1).
+
+A single EnvironmentKey row can carry multiple EnvironmentKeyGrant
+entries — `provision_team_environment_keys` re-uses an existing key
+rather than creating a duplicate, so a member can simultaneously hold
+an `individual` and a `team` grant on the same key. The previous
+implementation deleted ALL grants on the old keys when updating direct
+scope, then soft-deleted the keys, silently revoking team-provided
+access. The fix:
+
+1. Delete only `grant_type='individual'` grants on the existing keys.
+2. Soft-delete only the keys with no remaining grants.
+3. For envs in the new direct scope where the existing key is
+   preserved (because a team grant survives), attach a new individual
+   grant to the existing row instead of trying to create a duplicate
+   row (which would violate the (env, user|sa) uniqueness constraint).
+"""
+
+from unittest.mock import MagicMock, patch
+
+
+def _make_info(user):
+    info = MagicMock()
+    info.context.user = user
+    return info
+
+
+def _make_env_key_input(env_id, user_id="u1", wrapped_seed="ws", wrapped_salt="wsl",
+                       identity_key="ik"):
+    k = MagicMock()
+    k.env_id = env_id
+    k.user_id = user_id
+    k.wrapped_seed = wrapped_seed
+    k.wrapped_salt = wrapped_salt
+    k.identity_key = identity_key
+    return k
+
+
+@patch("backend.graphene.mutations.environment.timezone")
+@patch("backend.graphene.mutations.environment.transaction")
+@patch("backend.graphene.mutations.environment.EnvironmentKeyGrant")
+@patch("backend.graphene.mutations.environment.EnvironmentKey")
+@patch("backend.graphene.mutations.environment.OrganisationMember")
+@patch("backend.graphene.mutations.environment.App")
+@patch("backend.graphene.mutations.environment.user_can_access_app", return_value=True)
+@patch("backend.graphene.mutations.environment.user_has_permission", return_value=True)
+def test_team_granted_keys_survive_direct_scope_edit(
+    _mock_perm, _mock_access, MockApp, MockOM, MockEnvKey, MockGrant, mock_tx, mock_tz,
+):
+    """A key carrying both an individual grant and a team grant for the
+    same member must keep the team grant (and itself) when the direct
+    scope is reduced. Previously this would delete all grants and
+    soft-delete the key, silently revoking team access."""
+    from backend.graphene.mutations.environment import UpdateMemberEnvScopeMutation
+    from backend.graphene.types import MemberType
+
+    # Setup: app + member context.
+    app = MagicMock()
+    MockApp.objects.get.return_value = app
+    member = MagicMock()
+    MockOM.objects.get.return_value = member
+    app.members.all.return_value = [member]
+
+    # Two existing keys for this member:
+    # - K1 on env-A: individual + team grants
+    # - K2 on env-B: individual grant only
+    k1 = MagicMock(id="k1", environment_id="env-A")
+    k2 = MagicMock(id="k2", environment_id="env-B")
+    MockEnvKey.objects.filter.return_value = [k1, k2]
+
+    # Grant queries:
+    #   First call (delete individual grants) → no return value needed.
+    #   Second call (find keys with remaining grants) → returns
+    #     environment_key_id values: only k1 still has a (team) grant.
+    #   Third call (soft-delete keys with no remaining grants) → updates
+    #     k2 only.
+    delete_mock = MagicMock()
+    remaining_qs = MagicMock()
+    remaining_qs.values_list.return_value = ["k1"]
+    MockGrant.objects.filter.side_effect = [delete_mock, remaining_qs]
+
+    soft_delete_qs = MagicMock()
+    MockEnvKey.objects.filter.return_value = soft_delete_qs
+
+    # The mutation reads `EnvironmentKey.objects.filter(...)` twice:
+    #   (a) first to collect old keys (returns iterable),
+    #   (b) second to soft-delete the orphan subset.
+    # Use side_effect to return different values per call.
+    MockEnvKey.objects.filter.side_effect = [
+        # (a) old keys list
+        MagicMock(__iter__=MagicMock(return_value=iter([k1, k2]))),
+        # (b) soft-delete queryset for non-preserved keys
+        soft_delete_qs,
+    ]
+
+    user = MagicMock()
+    user.userId = "u1"
+
+    # New direct scope: only env-A (env-B is dropped).
+    UpdateMemberEnvScopeMutation.mutate(
+        None,
+        _make_info(user),
+        member_id="m1",
+        app_id="app-1",
+        env_keys=[_make_env_key_input("env-A")],
+        member_type=MemberType.USER,
+    )
+
+    # Assertions:
+    # 1. Individual grants were deleted on the old keys.
+    delete_mock.delete.assert_called_once()
+    # 2. Soft-delete was called on keys WITHOUT remaining grants — the
+    #    queryset filter should have included k2 but excluded k1
+    #    (k1 still has a team grant).
+    soft_delete_qs.update.assert_called_once()
+    # 3. For env-A (the preserved key with a team grant), the mutation
+    #    used get_or_create on the EXISTING row rather than creating a
+    #    duplicate EnvironmentKey row.
+    MockGrant.objects.get_or_create.assert_called_once()
+    create_call = MockGrant.objects.get_or_create.call_args
+    assert create_call.kwargs["environment_key"] is k1
+    assert create_call.kwargs["grant_type"] == "individual"
+    # 4. No new EnvironmentKey row was created for env-A — the mutation
+    #    re-used the preserved row to avoid a uniqueness conflict.
+    MockEnvKey.objects.create.assert_not_called()

From 022e107e81e8a08dedd9b4af810bb4e69311c52b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:07:05 +0530
Subject: [PATCH 106/118] fix: track grants and preserve team access in app
 member mutations

---
 backend/backend/graphene/mutations/app.py | 68 ++++++++++++++++++++---
 1 file changed, 60 insertions(+), 8 deletions(-)

diff --git a/backend/backend/graphene/mutations/app.py b/backend/backend/graphene/mutations/app.py
index a0fa3fc6c..f9717db7c 100644
--- a/backend/backend/graphene/mutations/app.py
+++ b/backend/backend/graphene/mutations/app.py
@@ -10,6 +10,7 @@
 from api.models import (
     App,
     EnvironmentKey,
+    EnvironmentKeyGrant,
     Organisation,
     OrganisationMember,
     Role,
@@ -18,10 +19,51 @@
 from backend.graphene.types import AppType, MemberType
 from django.conf import settings
 from django.db.models import Q
+from django.utils import timezone
 
 CLOUD_HOSTED = settings.APP_HOST == "cloud"
 
 
+def _upsert_active_env_key(condition, defaults):
+    """Like `update_or_create` but scoped to active rows only — the
+    unique constraint allows soft-deleted dupes to coexist with one
+    active row, which would trip MultipleObjectsReturned otherwise."""
+    try:
+        env_key = EnvironmentKey.objects.get(deleted_at__isnull=True, **condition)
+        for k, v in defaults.items():
+            setattr(env_key, k, v)
+        env_key.save()
+        return env_key
+    except EnvironmentKey.DoesNotExist:
+        return EnvironmentKey.objects.create(**condition, **defaults)
+
+
+def _revoke_individual_keys_for_app(app, user_id=None, service_account_id=None):
+    """Drop individual grants on `app`'s envs for the given member;
+    soft-delete only keys with no grants left so team access survives."""
+    key_filter = {"environment__app": app, "deleted_at__isnull": True}
+    if user_id is not None:
+        key_filter["user_id"] = user_id
+    if service_account_id is not None:
+        key_filter["service_account_id"] = service_account_id
+
+    keys = list(EnvironmentKey.objects.filter(**key_filter))
+    key_ids = [k.id for k in keys]
+
+    EnvironmentKeyGrant.objects.filter(
+        environment_key_id__in=key_ids, grant_type="individual"
+    ).delete()
+
+    keys_with_remaining = set(
+        EnvironmentKeyGrant.objects.filter(
+            environment_key_id__in=key_ids
+        ).values_list("environment_key_id", flat=True)
+    )
+    EnvironmentKey.objects.filter(
+        id__in=[kid for kid in key_ids if kid not in keys_with_remaining]
+    ).update(deleted_at=timezone.now())
+
+
 class CreateAppMutation(graphene.Mutation):
     class Arguments:
         id = graphene.ID(required=True)
@@ -268,7 +310,14 @@ def mutate(cls, root, info, app_id, members):
                     ),
                 }
 
-                EnvironmentKey.objects.update_or_create(**condition, defaults=defaults)
+                env_key = _upsert_active_env_key(condition, defaults)
+                # Track the grant so removing an unrelated team grant
+                # later doesn't orphan-delete this key.
+                EnvironmentKeyGrant.objects.get_or_create(
+                    environment_key=env_key,
+                    grant_type="individual",
+                    team=None,
+                )
 
         return BulkAddAppMembersMutation(app=app)
 
@@ -325,7 +374,14 @@ def mutate(
                 ),
             }
 
-            EnvironmentKey.objects.update_or_create(**condition, defaults=defaults)
+            env_key = _upsert_active_env_key(condition, defaults)
+            # Track the grant so removing an unrelated team grant
+            # later doesn't orphan-delete this key.
+            EnvironmentKeyGrant.objects.get_or_create(
+                environment_key=env_key,
+                grant_type="individual",
+                team=None,
+            )
 
         return AddAppMemberMutation(app=app)
 
@@ -372,17 +428,13 @@ def mutate(cls, root, info, member_id, app_id, member_type=MemberType.USER):
                 raise GraphQLError("This user is not a member of this app")
 
             app.members.remove(member)
-            EnvironmentKey.objects.filter(
-                environment__app=app, user_id=member_id
-            ).delete()
+            _revoke_individual_keys_for_app(app, user_id=member_id)
 
         elif member_type == MemberType.SERVICE:
             if member not in app.service_accounts.all():
                 raise GraphQLError("This service account is not a member of this app")
 
             app.service_accounts.remove(member)
-            EnvironmentKey.objects.filter(
-                environment__app=app, service_account_id=member_id
-            ).delete()
+            _revoke_individual_keys_for_app(app, service_account_id=member_id)
 
         return RemoveAppMemberMutation(app=app)

From 357912ee085621cead13f1ea46842b06bae9d92f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:07:13 +0530
Subject: [PATCH 107/118] feat: surface env access source on app members page

---
 backend/backend/graphene/types.py             |  19 +++
 frontend/apollo/gql.ts                        |   6 +
 frontend/apollo/graphql.ts                    | 112 +++++++++++++-----
 frontend/apollo/schema.graphql                | 105 ++++++++++------
 .../_components/ManageUserAccessDialog.tsx    |  54 ++++++++-
 .../queries/access/getMemberEnvKeyGrants.gql  |  15 +++
 6 files changed, 243 insertions(+), 68 deletions(-)
 create mode 100644 frontend/graphql/queries/access/getMemberEnvKeyGrants.gql

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 000695a58..c26d6ab25 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -18,6 +18,7 @@
     DynamicSecret,
     Environment,
     EnvironmentKey,
+    EnvironmentKeyGrant,
     EnvironmentSync,
     EnvironmentSyncEvent,
     EnvironmentToken,
@@ -854,7 +855,22 @@ def resolve_identities(self, info):
         return self.identities.filter(deleted_at=None)
 
 
+class EnvironmentKeyGrantType(DjangoObjectType):
+    """One key can carry multiple grants (individual + team)."""
+
+    class Meta:
+        model = EnvironmentKeyGrant
+        fields = (
+            "id",
+            "grant_type",
+            "team",
+            "created_at",
+        )
+
+
 class EnvironmentKeyType(DjangoObjectType):
+    grants = graphene.List(graphene.NonNull(EnvironmentKeyGrantType))
+
     class Meta:
         model = EnvironmentKey
         fields = (
@@ -867,6 +883,9 @@ class Meta:
             "environment",
         )
 
+    def resolve_grants(self, info):
+        return self.grants.all()
+
 
 class ServerEnvironmentKeyType(DjangoObjectType):
     class Meta:
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 0d00439ec..1103d4c32 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -127,6 +127,7 @@ type Documents = {
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": typeof types.CreateNewUserTokenDocument,
     "mutation RevokeUserToken($tokenId: ID!) {\n  deleteUserToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.RevokeUserTokenDocument,
     "query GetIP {\n  clientIp\n}": typeof types.GetIpDocument,
+    "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.GetMemberEnvKeyGrantsDocument,
     "query GetNetworkPolicies($organisationId: ID!) {\n  networkAccessPolicies(organisationId: $organisationId) {\n    id\n    name\n    allowedIps\n    isGlobal\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    updatedAt\n    updatedBy {\n      fullName\n      avatarUrl\n      self\n    }\n  }\n  clientIp\n}": typeof types.GetNetworkPoliciesDocument,
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": typeof types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": typeof types.GetAppMembersDocument,
@@ -315,6 +316,7 @@ const documents: Documents = {
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": types.CreateNewUserTokenDocument,
     "mutation RevokeUserToken($tokenId: ID!) {\n  deleteUserToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.RevokeUserTokenDocument,
     "query GetIP {\n  clientIp\n}": types.GetIpDocument,
+    "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.GetMemberEnvKeyGrantsDocument,
     "query GetNetworkPolicies($organisationId: ID!) {\n  networkAccessPolicies(organisationId: $organisationId) {\n    id\n    name\n    allowedIps\n    isGlobal\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    updatedAt\n    updatedBy {\n      fullName\n      avatarUrl\n      self\n    }\n  }\n  clientIp\n}": types.GetNetworkPoliciesDocument,
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": types.GetAppMembersDocument,
@@ -856,6 +858,10 @@ export function graphql(source: "mutation RevokeUserToken($tokenId: ID!) {\n  de
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetIP {\n  clientIp\n}"): (typeof documents)["query GetIP {\n  clientIp\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 0298999fb..30010f657 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -181,6 +181,14 @@ export enum ApiEnvironmentEnvTypeChoices {
   Staging = 'STAGING'
 }
 
+/** An enumeration. */
+export enum ApiEnvironmentKeyGrantGrantTypeChoices {
+  /** Individual */
+  Individual = 'INDIVIDUAL',
+  /** Team */
+  Team = 'TEAM'
+}
+
 /** An enumeration. */
 export enum ApiEnvironmentSyncEventStatusChoices {
   /** cancelled */
@@ -401,8 +409,11 @@ export type BulkInviteOrganisationMembersMutation = {
  * Three server-side proofs are required:
  *   1. current_auth_hash matches user.password — proves the caller
  *      knows the current login password.
- *   2. identity_key matches the org's stored identity_key — proves the
- *      caller derived the keyring from the right mnemonic.
+ *   2. identity_key matches the member's stored identity_key — proves
+ *      the caller derived the keyring from the same mnemonic they
+ *      registered with. Every Phase user has their own keyring, so
+ *      this is checked against the member's identity_key, not the
+ *      org's (which is the owner's).
  *   3. user is a member of the org.
  *
  * On success: user.password is set to new_auth_hash, the org's
@@ -829,6 +840,20 @@ export type EnvironmentInput = {
   wrappedSeed: Scalars['String']['input'];
 };
 
+/**
+ * Records WHY an EnvironmentKey exists. A single key can carry
+ * multiple grants (e.g. an individual grant + a team grant for the
+ * same env), and clients use this to show users where their access
+ * comes from.
+ */
+export type EnvironmentKeyGrantType = {
+  __typename?: 'EnvironmentKeyGrantType';
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  grantType: ApiEnvironmentKeyGrantGrantTypeChoices;
+  id: Scalars['String']['output'];
+  team?: Maybe<TeamType>;
+};
+
 export type EnvironmentKeyInput = {
   envId: Scalars['ID']['input'];
   identityKey: Scalars['String']['input'];
@@ -841,6 +866,7 @@ export type EnvironmentKeyType = {
   __typename?: 'EnvironmentKeyType';
   createdAt?: Maybe<Scalars['DateTime']['output']>;
   environment: EnvironmentType;
+  grants?: Maybe<Array<EnvironmentKeyGrantType>>;
   id: Scalars['String']['output'];
   identityKey: Scalars['String']['output'];
   updatedAt: Scalars['DateTime']['output'];
@@ -1103,8 +1129,11 @@ export type Mutation = {
    * Three server-side proofs are required:
    *   1. current_auth_hash matches user.password — proves the caller
    *      knows the current login password.
-   *   2. identity_key matches the org's stored identity_key — proves the
-   *      caller derived the keyring from the right mnemonic.
+   *   2. identity_key matches the member's stored identity_key — proves
+   *      the caller derived the keyring from the same mnemonic they
+   *      registered with. Every Phase user has their own keyring, so
+   *      this is checked against the member's identity_key, not the
+   *      org's (which is the owner's).
    *   3. user is a member of the org.
    *
    * On success: user.password is set to new_auth_hash, the org's
@@ -1193,14 +1222,17 @@ export type Mutation = {
   modifySubscription?: Maybe<UpdateSubscriptionResponse>;
   readSecret?: Maybe<ReadSecretMutation>;
   /**
-   * Rewrap THIS org's keyring with a deviceKey derived from the user's
-   * account password. Used by the recovery flow when the local keyring
-   * has been lost (cleared cache, new device) but the user still
+   * Rewrap this member's keyring with a deviceKey derived from the
+   * user's account password. Used by the recovery flow when the local
+   * keyring has been lost (cleared cache, new device) but the user still
    * remembers their password.
    *
    * Two server-side proofs are required:
-   *   1. identity_key matches the org's stored identity_key — proves the
-   *      caller derived the keyring from the right mnemonic.
+   *   1. identity_key matches the member's stored identity_key — proves
+   *      the caller derived the keyring from the same mnemonic they
+   *      registered with. Every Phase user has their own keyring, so
+   *      this is checked against the member's identity_key, not the
+   *      org's (which is the owner's).
    *   2. auth_hash matches user.password — proves the password the user
    *      is wrapping the keyring with is also their account login auth.
    *
@@ -1241,16 +1273,18 @@ export type Mutation = {
   updateIdentity?: Maybe<UpdateIdentityMutation>;
   updateMemberEnvironmentScope?: Maybe<UpdateMemberEnvScopeMutation>;
   /**
-   * Re-wrap THIS org's keyring after the caller proves they hold the
-   * recovery mnemonic. Used by SSO recovery (where there's no login
-   * password to verify against, so identity is proven via the mnemonic
-   * alone).
+   * Re-wrap this member's keyring after the caller proves they hold
+   * the recovery mnemonic, or establish the keyring for the first time
+   * (e.g. SCIM-provisioned members completing their initial key
+   * ceremony). Used by SSO recovery and the account-init page.
    *
-   * Requires identity_key matching the org's stored identity_key — proves
-   * the caller derived the keyring from the right mnemonic. Without this
-   * proof, an authenticated user (or session-cookie holder) could
-   * overwrite their own wrapped_keyring with arbitrary garbage and lock
-   * themselves out of the org permanently.
+   * Requires identity_key matching the member's stored identity_key —
+   * proves the caller derived the keyring from the same mnemonic they
+   * registered with. Every Phase user has their own independently-
+   * derived keyring, so this check is against the member's identity_key,
+   * not the org's (which is the owner's). Members with no prior
+   * identity_key (SCIM-preprovisioned accounts on first login) have no
+   * identity to verify against — they are establishing one here.
    */
   updateMemberWrappedSecrets?: Maybe<UpdateUserWrappedSecretsMutation>;
   updateNetworkAccessPolicy?: Maybe<UpdateNetworkAccessPolicyMutation>;
@@ -2692,14 +2726,17 @@ export type ReadSecretMutation = {
 };
 
 /**
- * Rewrap THIS org's keyring with a deviceKey derived from the user's
- * account password. Used by the recovery flow when the local keyring
- * has been lost (cleared cache, new device) but the user still
+ * Rewrap this member's keyring with a deviceKey derived from the
+ * user's account password. Used by the recovery flow when the local
+ * keyring has been lost (cleared cache, new device) but the user still
  * remembers their password.
  *
  * Two server-side proofs are required:
- *   1. identity_key matches the org's stored identity_key — proves the
- *      caller derived the keyring from the right mnemonic.
+ *   1. identity_key matches the member's stored identity_key — proves
+ *      the caller derived the keyring from the same mnemonic they
+ *      registered with. Every Phase user has their own keyring, so
+ *      this is checked against the member's identity_key, not the
+ *      org's (which is the owner's).
  *   2. auth_hash matches user.password — proves the password the user
  *      is wrapping the keyring with is also their account login auth.
  *
@@ -3220,16 +3257,18 @@ export type UpdateTeamMutation = {
 };
 
 /**
- * Re-wrap THIS org's keyring after the caller proves they hold the
- * recovery mnemonic. Used by SSO recovery (where there's no login
- * password to verify against, so identity is proven via the mnemonic
- * alone).
+ * Re-wrap this member's keyring after the caller proves they hold
+ * the recovery mnemonic, or establish the keyring for the first time
+ * (e.g. SCIM-provisioned members completing their initial key
+ * ceremony). Used by SSO recovery and the account-init page.
  *
- * Requires identity_key matching the org's stored identity_key — proves
- * the caller derived the keyring from the right mnemonic. Without this
- * proof, an authenticated user (or session-cookie holder) could
- * overwrite their own wrapped_keyring with arbitrary garbage and lock
- * themselves out of the org permanently.
+ * Requires identity_key matching the member's stored identity_key —
+ * proves the caller derived the keyring from the same mnemonic they
+ * registered with. Every Phase user has their own independently-
+ * derived keyring, so this check is against the member's identity_key,
+ * not the org's (which is the owner's). Members with no prior
+ * identity_key (SCIM-preprovisioned accounts on first login) have no
+ * identity to verify against — they are establishing one here.
  */
 export type UpdateUserWrappedSecretsMutation = {
   __typename?: 'UpdateUserWrappedSecretsMutation';
@@ -4332,6 +4371,14 @@ export type GetIpQueryVariables = Exact<{ [key: string]: never; }>;
 
 export type GetIpQuery = { __typename?: 'Query', clientIp?: string | null };
 
+export type GetMemberEnvKeyGrantsQueryVariables = Exact<{
+  appId: Scalars['ID']['input'];
+  memberId: Scalars['ID']['input'];
+}>;
+
+
+export type GetMemberEnvKeyGrantsQuery = { __typename?: 'Query', environmentKeys?: Array<{ __typename?: 'EnvironmentKeyType', id: string, environment: { __typename?: 'EnvironmentType', id: string }, grants?: Array<{ __typename?: 'EnvironmentKeyGrantType', grantType: ApiEnvironmentKeyGrantGrantTypeChoices, team?: { __typename?: 'TeamType', id: string, name: string } | null }> | null } | null> | null };
+
 export type GetNetworkPoliciesQueryVariables = Exact<{
   organisationId: Scalars['ID']['input'];
 }>;
@@ -4985,6 +5032,7 @@ export const UpdateTeamAppEnvironmentsOpDocument = {"kind":"Document","definitio
 export const CreateNewUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<CreateNewUserTokenMutation, CreateNewUserTokenMutationVariables>;
 export const RevokeUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RevokeUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<RevokeUserTokenMutation, RevokeUserTokenMutationVariables>;
 export const GetIpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIP"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"clientIp"}}]}}]} as unknown as DocumentNode<GetIpQuery, GetIpQueryVariables>;
+export const GetMemberEnvKeyGrantsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetMemberEnvKeyGrants"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"grants"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"grantType"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetMemberEnvKeyGrantsQuery, GetMemberEnvKeyGrantsQueryVariables>;
 export const GetNetworkPoliciesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetNetworkPolicies"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"networkAccessPolicies"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"clientIp"}}]}}]} as unknown as DocumentNode<GetNetworkPoliciesQuery, GetNetworkPoliciesQueryVariables>;
 export const GetAppAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appServiceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppAccountsQuery, GetAppAccountsQueryVariables>;
 export const GetAppMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppMembersQuery, GetAppMembersQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 96db32056..d7954e496 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -934,6 +934,29 @@ type EnvironmentKeyType {
   wrappedSalt: String!
   createdAt: DateTime
   updatedAt: DateTime!
+  grants: [EnvironmentKeyGrantType!]
+}
+
+"""
+Records WHY an EnvironmentKey exists. A single key can carry
+multiple grants (e.g. an individual grant + a team grant for the
+same env), and clients use this to show users where their access
+comes from.
+"""
+type EnvironmentKeyGrantType {
+  id: String!
+  grantType: ApiEnvironmentKeyGrantGrantTypeChoices!
+  team: TeamType
+  createdAt: DateTime
+}
+
+"""An enumeration."""
+enum ApiEnvironmentKeyGrantGrantTypeChoices {
+  """Individual"""
+  INDIVIDUAL
+
+  """Team"""
+  TEAM
 }
 
 type EnvironmentTokenType {
@@ -1175,28 +1198,33 @@ type Mutation {
   transferOrganisationOwnership(billingEmail: String, newOwnerId: ID!, organisationId: ID!): TransferOrganisationOwnershipMutation
 
   """
-  Re-wrap THIS org's keyring after the caller proves they hold the
-  recovery mnemonic. Used by SSO recovery (where there's no login
-  password to verify against, so identity is proven via the mnemonic
-  alone).
+  Re-wrap this member's keyring after the caller proves they hold
+  the recovery mnemonic, or establish the keyring for the first time
+  (e.g. SCIM-provisioned members completing their initial key
+  ceremony). Used by SSO recovery and the account-init page.
   
-  Requires identity_key matching the org's stored identity_key — proves
-  the caller derived the keyring from the right mnemonic. Without this
-  proof, an authenticated user (or session-cookie holder) could
-  overwrite their own wrapped_keyring with arbitrary garbage and lock
-  themselves out of the org permanently.
+  Requires identity_key matching the member's stored identity_key —
+  proves the caller derived the keyring from the same mnemonic they
+  registered with. Every Phase user has their own independently-
+  derived keyring, so this check is against the member's identity_key,
+  not the org's (which is the owner's). Members with no prior
+  identity_key (SCIM-preprovisioned accounts on first login) have no
+  identity to verify against — they are establishing one here.
   """
   updateMemberWrappedSecrets(identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
 
   """
-  Rewrap THIS org's keyring with a deviceKey derived from the user's
-  account password. Used by the recovery flow when the local keyring
-  has been lost (cleared cache, new device) but the user still
+  Rewrap this member's keyring with a deviceKey derived from the
+  user's account password. Used by the recovery flow when the local
+  keyring has been lost (cleared cache, new device) but the user still
   remembers their password.
   
   Two server-side proofs are required:
-    1. identity_key matches the org's stored identity_key — proves the
-       caller derived the keyring from the right mnemonic.
+    1. identity_key matches the member's stored identity_key — proves
+       the caller derived the keyring from the same mnemonic they
+       registered with. Every Phase user has their own keyring, so
+       this is checked against the member's identity_key, not the
+       org's (which is the owner's).
     2. auth_hash matches user.password — proves the password the user
        is wrapping the keyring with is also their account login auth.
   
@@ -1216,8 +1244,11 @@ type Mutation {
   Three server-side proofs are required:
     1. current_auth_hash matches user.password — proves the caller
        knows the current login password.
-    2. identity_key matches the org's stored identity_key — proves the
-       caller derived the keyring from the right mnemonic.
+    2. identity_key matches the member's stored identity_key — proves
+       the caller derived the keyring from the same mnemonic they
+       registered with. Every Phase user has their own keyring, so
+       this is checked against the member's identity_key, not the
+       org's (which is the owner's).
     3. user is a member of the org.
   
   On success: user.password is set to new_auth_hash, the org's
@@ -1386,30 +1417,35 @@ type TransferOrganisationOwnershipMutation {
 }
 
 """
-Re-wrap THIS org's keyring after the caller proves they hold the
-recovery mnemonic. Used by SSO recovery (where there's no login
-password to verify against, so identity is proven via the mnemonic
-alone).
-
-Requires identity_key matching the org's stored identity_key — proves
-the caller derived the keyring from the right mnemonic. Without this
-proof, an authenticated user (or session-cookie holder) could
-overwrite their own wrapped_keyring with arbitrary garbage and lock
-themselves out of the org permanently.
+Re-wrap this member's keyring after the caller proves they hold
+the recovery mnemonic, or establish the keyring for the first time
+(e.g. SCIM-provisioned members completing their initial key
+ceremony). Used by SSO recovery and the account-init page.
+
+Requires identity_key matching the member's stored identity_key —
+proves the caller derived the keyring from the same mnemonic they
+registered with. Every Phase user has their own independently-
+derived keyring, so this check is against the member's identity_key,
+not the org's (which is the owner's). Members with no prior
+identity_key (SCIM-preprovisioned accounts on first login) have no
+identity to verify against — they are establishing one here.
 """
 type UpdateUserWrappedSecretsMutation {
   orgMember: OrganisationMemberType
 }
 
 """
-Rewrap THIS org's keyring with a deviceKey derived from the user's
-account password. Used by the recovery flow when the local keyring
-has been lost (cleared cache, new device) but the user still
+Rewrap this member's keyring with a deviceKey derived from the
+user's account password. Used by the recovery flow when the local
+keyring has been lost (cleared cache, new device) but the user still
 remembers their password.
 
 Two server-side proofs are required:
-  1. identity_key matches the org's stored identity_key — proves the
-     caller derived the keyring from the right mnemonic.
+  1. identity_key matches the member's stored identity_key — proves
+     the caller derived the keyring from the same mnemonic they
+     registered with. Every Phase user has their own keyring, so
+     this is checked against the member's identity_key, not the
+     org's (which is the owner's).
   2. auth_hash matches user.password — proves the password the user
      is wrapping the keyring with is also their account login auth.
 
@@ -1431,8 +1467,11 @@ and the org's recovery mnemonic.
 Three server-side proofs are required:
   1. current_auth_hash matches user.password — proves the caller
      knows the current login password.
-  2. identity_key matches the org's stored identity_key — proves the
-     caller derived the keyring from the right mnemonic.
+  2. identity_key matches the member's stored identity_key — proves
+     the caller derived the keyring from the same mnemonic they
+     registered with. Every Phase user has their own keyring, so
+     this is checked against the member's identity_key, not the
+     org's (which is the owner's).
   3. user is a member of the org.
 
 On success: user.password is set to new_auth_hash, the org's
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
index 772cf121e..12a5238b0 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
@@ -1,9 +1,14 @@
 import UpdateEnvScope from '@/graphql/mutations/apps/updateEnvScope.gql'
 import { GetAppEnvironments } from '@/graphql/queries/secrets/getAppEnvironments.gql'
 import { GetEnvironmentKey } from '@/graphql/queries/secrets/getEnvironmentKey.gql'
+import { GetMemberEnvKeyGrants } from '@/graphql/queries/access/getMemberEnvKeyGrants.gql'
 import { useLazyQuery, useMutation, useQuery } from '@apollo/client'
 import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
-import { OrganisationMemberType, EnvironmentType } from '@/apollo/graphql'
+import {
+  OrganisationMemberType,
+  EnvironmentType,
+  ApiEnvironmentKeyGrantGrantTypeChoices,
+} from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import { organisationContext } from '@/contexts/organisationContext'
 import { Listbox, Transition } from '@headlessui/react'
@@ -63,6 +68,24 @@ export const ManageUserAccessDialog = ({
     },
   })
 
+  // Per-env grants so we can colour env names by source.
+  const { data: grantsData } = useQuery(GetMemberEnvKeyGrants, {
+    variables: { appId, memberId: member.id },
+  })
+
+  // env_id -> true if the member has an individual grant on that env.
+  const envHasIndividualGrant = useMemo(() => {
+    const map: Record<string, boolean> = {}
+    for (const ek of grantsData?.environmentKeys ?? []) {
+      const envId = ek?.environment?.id
+      if (!envId) continue
+      map[envId] = (ek.grants ?? []).some(
+        (g: any) => g?.grantType === ApiEnvironmentKeyGrantGrantTypeChoices.Individual
+      )
+    }
+    return map
+  }, [grantsData])
+
   const envScope: Array<Partial<EnvironmentType>> = useMemo(() => {
     return (
       userEnvScopeData?.appEnvironments.map((env: EnvironmentType) => ({
@@ -178,8 +201,33 @@ export const ManageUserAccessDialog = ({
 
   return (
     <div className="flex items-center gap-4">
-      <span className="text-zinc-900 dark:text-zinc-100 text-2xs font-medium">
-        {envScope.map((env) => env.name).join(' + ')}
+      <span className="text-2xs font-medium">
+        {envScope.map((env, i) => {
+          // Blue (matches the team chip) for envs accessed via team
+          // only; default zinc for direct individual access.
+          const teamOnly = env.id ? !envHasIndividualGrant[env.id] : false
+          return (
+            <Fragment key={env.id ?? env.name}>
+              <span
+                className={clsx(
+                  teamOnly
+                    ? 'text-blue-600 dark:text-blue-400'
+                    : 'text-zinc-900 dark:text-zinc-100'
+                )}
+                title={
+                  teamOnly
+                    ? `${env.name} — access via team`
+                    : `${env.name} — direct access`
+                }
+              >
+                {env.name}
+              </span>
+              {i < envScope.length - 1 && (
+                <span className="text-neutral-500"> + </span>
+              )}
+            </Fragment>
+          )
+        })}
       </span>
       <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center gap-2">
         <GenericDialog
diff --git a/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql b/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql
new file mode 100644
index 000000000..322d980d6
--- /dev/null
+++ b/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql
@@ -0,0 +1,15 @@
+query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {
+  environmentKeys(appId: $appId, memberId: $memberId) {
+    id
+    environment {
+      id
+    }
+    grants {
+      grantType
+      team {
+        id
+        name
+      }
+    }
+  }
+}

From f66a0419d3ef5d71440c79725af7c2d2b870af9f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Tue, 5 May 2026 23:07:24 +0530
Subject: [PATCH 108/118] chore: trim verbose comment blocks on auth and team
 mutations

---
 backend/backend/graphene/middleware.py        | 13 ++--
 .../graphene/mutations/organisation.py        | 65 ++++---------------
 2 files changed, 16 insertions(+), 62 deletions(-)

diff --git a/backend/backend/graphene/middleware.py b/backend/backend/graphene/middleware.py
index 3d8faefaf..d98a1f6fb 100644
--- a/backend/backend/graphene/middleware.py
+++ b/backend/backend/graphene/middleware.py
@@ -137,10 +137,8 @@ def resolve(self, next, root, info: GraphQLResolveInfo, **kwargs):
 
         require_sso, org_name = decision
 
-        # Block when the org requires SSO globally OR the current member
-        # is SCIM-managed (the IdP is the source of truth for their
-        # access to this org). Per-org check — multi-org users can still
-        # password-auth into orgs where they're not SCIM-managed.
+        # Block on require_sso OR per-member SCIM (IdP is the source of
+        # truth for SCIM-provisioned access to this org).
         if not (require_sso or self._is_scim_managed(request, user, org_id)):
             return next(root, info, **kwargs)
 
@@ -191,11 +189,8 @@ def _get_org_decision(cls, request, org_id):
 
     @classmethod
     def _is_scim_managed(cls, request, user, org_id):
-        """Whether `user` is a SCIM-managed member of `org_id`. SCIM
-        membership ties access to the IdP — non-SSO sessions must be
-        rejected for that org regardless of the org's `require_sso`
-        flag. Cached per-(user, org) within the request scope.
-        """
+        """Whether `user` is a SCIM-managed member of `org_id`.
+        Cached per-(user, org) within the request scope."""
         cache_attr = "_scim_managed_cache"
         request_cache = getattr(request, cache_attr, None)
         if request_cache is None:
diff --git a/backend/backend/graphene/mutations/organisation.py b/backend/backend/graphene/mutations/organisation.py
index cff616305..67dd099d2 100644
--- a/backend/backend/graphene/mutations/organisation.py
+++ b/backend/backend/graphene/mutations/organisation.py
@@ -96,18 +96,10 @@ def mutate(
 
 
 class UpdateUserWrappedSecretsMutation(graphene.Mutation):
-    """Re-wrap this member's keyring after the caller proves they hold
-    the recovery mnemonic, or establish the keyring for the first time
-    (e.g. SCIM-provisioned members completing their initial key
-    ceremony). Used by SSO recovery and the account-init page.
-
-    Requires identity_key matching the member's stored identity_key —
-    proves the caller derived the keyring from the same mnemonic they
-    registered with. Every Phase user has their own independently-
-    derived keyring, so this check is against the member's identity_key,
-    not the org's (which is the owner's). Members with no prior
-    identity_key (SCIM-preprovisioned accounts on first login) have no
-    identity to verify against — they are establishing one here.
+    """Re-wrap this member's keyring (SSO recovery) or establish it on
+    first-key ceremony (SCIM-preprovisioned members). Validates the
+    supplied identity_key against the member's stored one, except on
+    first ceremony when there's nothing yet to compare against.
     """
 
     class Arguments:
@@ -144,13 +136,12 @@ def mutate(cls, root, info, org_id, identity_key, wrapped_keyring, wrapped_recov
         org_member.wrapped_recovery = wrapped_recovery
         org_member.save()
 
-        # Provision team environment keys for SCIM-preprovisioned users
-        # completing their key ceremony for the first time
+        # SCIM users get their team env keys on first ceremony.
         if first_key_ceremony:
             try:
                 provision_pending_team_keys(org_member)
             except Exception as e:
-                # Log but don't fail the key ceremony — keys can be re-provisioned
+                # Log but don't fail — keys can be re-provisioned later.
                 logger.error(
                     f"Failed to provision pending team keys for {org_member.id}: {e}",
                     exc_info=True,
@@ -161,23 +152,10 @@ def mutate(cls, root, info, org_id, identity_key, wrapped_keyring, wrapped_recov
 
 class RecoverAccountKeyringMutation(graphene.Mutation):
     """Rewrap this member's keyring with a deviceKey derived from the
-    user's account password. Used by the recovery flow when the local
-    keyring has been lost (cleared cache, new device) but the user still
-    remembers their password.
-
-    Two server-side proofs are required:
-      1. identity_key matches the member's stored identity_key — proves
-         the caller derived the keyring from the same mnemonic they
-         registered with. Every Phase user has their own keyring, so
-         this is checked against the member's identity_key, not the
-         org's (which is the owner's).
-      2. auth_hash matches user.password — proves the password the user
-         is wrapping the keyring with is also their account login auth.
-
-    The mutation does NOT change user.password. The auth_hash check is a
-    guardrail to keep auth and wrap passwords unified; if it fails, the
-    user is trying to wrap the keyring with a password that doesn't
-    authenticate them, which we never persist.
+    user's account password. Used when the local keyring is lost
+    (cleared cache, new device) but the user still has their password.
+    Requires identity_key to match the member's stored value AND
+    auth_hash to match user.password. Does not rotate user.password.
     """
 
     class Arguments:
@@ -252,27 +230,8 @@ def mutate(
 
 
 class ChangeAccountPasswordMutation(graphene.Mutation):
-    """Rotate the user's account password and rewrap the active org's
-    keyring with the new deviceKey. Used by the in-session change-password
-    dialog where the user supplies their current password, a new password,
-    and the org's recovery mnemonic.
-
-    Three server-side proofs are required:
-      1. current_auth_hash matches user.password — proves the caller
-         knows the current login password.
-      2. identity_key matches the member's stored identity_key — proves
-         the caller derived the keyring from the same mnemonic they
-         registered with. Every Phase user has their own keyring, so
-         this is checked against the member's identity_key, not the
-         org's (which is the owner's).
-      3. user is a member of the org.
-
-    On success: user.password is set to new_auth_hash, the org's
-    wrapped_keyring + wrapped_recovery are replaced, and the session is
-    refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-
-    Only the active org's keyring is rewrapped. Other orgs the user
-    belongs to remain encrypted with the old deviceKey; they'll fall
+    """Rotate user.password and rewrap the active org's keyring with
+    the new deviceKey. Other orgs keep the old deviceKey and fall
     through to per-org recovery on next access.
     """
 

From 3aadbcd9362fa4bf6b2a978bd66c3800c2cfaa91 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 13:39:57 +0530
Subject: [PATCH 109/118] fix: apply team role override to top-level Apps
 actions on app pages

---
 backend/api/utils/access/permissions.py | 43 +++++++++++--------------
 frontend/hooks/useAppPermissions.ts     | 23 ++++++-------
 2 files changed, 27 insertions(+), 39 deletions(-)

diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index ab1416f36..8df98b68e 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -121,15 +121,13 @@ def role_has_permission(role, action, resource, is_app_resource=False):
     return action in resource_permissions
 
 
-def _check_app_permission(account, action, resource, app, is_service_account=False):
-    """
-    Check app-level permission considering both individual and team access.
-
-    Union semantics: if ANY access grant (individual or team) permits the
-    action, the user is allowed.  Individual access uses the org role;
-    each team uses its role override (or falls back to the org role when
-    no override is set).
-    """
+def _check_app_permission(
+    account, action, resource, app, is_service_account=False, is_app_resource=True
+):
+    """Union check across individual + team access paths. `is_app_resource`
+    selects which permission map to look in (app_permissions vs the
+    top-level permissions map) — Apps/EncryptionMode/Members live at
+    the top level even when contextualised to a specific app."""
     Team = apps.get_model("api", "Team")
 
     if is_service_account:
@@ -143,12 +141,10 @@ def _check_app_permission(account, action, resource, app, is_service_account=Fal
         role_field = "member_role"
         membership_filter = {"memberships__org_member": account}
 
-    # Individual access → check org role (one grant in the union)
     if has_individual:
-        if role_has_permission(org_role, action, resource, is_app_resource=True):
+        if role_has_permission(org_role, action, resource, is_app_resource):
             return True
 
-    # Team access — find all teams granting access to this app
     teams = Team.objects.filter(
         app_environments__app=app,
         deleted_at__isnull=True,
@@ -157,25 +153,19 @@ def _check_app_permission(account, action, resource, app, is_service_account=Fal
 
     for team in teams:
         team_role = getattr(team, role_field)
-        # Team owners retain their full org role for team-accessed apps —
-        # they manage the team and its access grants, so overrides don't apply to them.
+        # Team owners keep their org role on team-accessed apps.
         is_team_owner = (
             not is_service_account
             and team.owner_id is not None
             and team.owner_id == account.id
         )
         if team_role is None or is_team_owner:
-            # No team role, or user is team owner → use org role
-            if role_has_permission(org_role, action, resource, is_app_resource=True):
+            if role_has_permission(org_role, action, resource, is_app_resource):
                 return True
         else:
-            if role_has_permission(team_role, action, resource, is_app_resource=True):
+            if role_has_permission(team_role, action, resource, is_app_resource):
                 return True
 
-    # Must have at least one access grant to reach here with a chance of True
-    if not has_individual and not teams.exists():
-        return False
-
     return False
 
 
@@ -200,15 +190,18 @@ def user_has_permission(
                 user=account, organisation=organisation, deleted_at=None
             )
 
-        # Org-level permissions — always use org role
-        if not is_app_resource or app is None:
+        # No app context → org role only.
+        if app is None:
             return role_has_permission(
                 org_member.role, action, resource, is_app_resource
             )
 
-        # App-level permissions — resolve effective role via team access
+        # App-contextualised check — apply team override semantics. The
+        # `is_app_resource` flag still selects which map to look in for
+        # each effective role (Apps/EncryptionMode live at the top
+        # level even when scoped to a specific app).
         return _check_app_permission(
-            org_member, action, resource, app, is_service_account
+            org_member, action, resource, app, is_service_account, is_app_resource
         )
 
     except OrganisationMember.DoesNotExist:
diff --git a/frontend/hooks/useAppPermissions.ts b/frontend/hooks/useAppPermissions.ts
index d5f38822b..9ca137979 100644
--- a/frontend/hooks/useAppPermissions.ts
+++ b/frontend/hooks/useAppPermissions.ts
@@ -95,24 +95,19 @@ export function useAppPermissions(appId: string) {
   }, [teamsData, appId, organisation?.memberId, organisation?.role?.permissions, isGlobalAccess])
 
   /**
-   * Check if the user has a specific permission, accounting for team role overrides.
-   *
-   * For app-level resources: checks effective permissions from all access paths (union).
-   * For org-level resources: checks org role only.
+   * Check a permission in the context of this app. Always team-aware
+   * (union across individual + team access paths). `isAppResource`
+   * controls which map within each role is checked — app_permissions
+   * for env/secret/etc. resources, top-level permissions for Apps,
+   * EncryptionMode, Members.
    */
   const hasPermission = useCallback(
     (resource: string, action: string, isAppResource: boolean = false): boolean => {
-      if (isAppResource) {
-        // Use computed effective permissions (team-aware)
-        return appPermissionSources.some((perms) =>
-          userHasPermission(perms, resource, action, true)
-        )
-      }
-
-      // For org-level resources, always use org role directly
-      return userHasPermission(organisation?.role?.permissions, resource, action, false)
+      return appPermissionSources.some((perms) =>
+        userHasPermission(perms, resource, action, isAppResource)
+      )
     },
-    [appPermissionSources, organisation?.role?.permissions]
+    [appPermissionSources]
   )
 
   return { hasPermission, isGlobalAccess }

From 959b4ca3faa123663f33befe8647c387009fc5b6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 13:40:02 +0530
Subject: [PATCH 110/118] fix: read env from request.auth to avoid 500 on
 missing Environment header

---
 backend/api/views/secrets.py | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
index 67e1f45bf..b9498d0b8 100644
--- a/backend/api/views/secrets.py
+++ b/backend/api/views/secrets.py
@@ -98,10 +98,7 @@ def initial(self, request, *args, **kwargs):
 
     def get(self, request, *args, **kwargs):
 
-        env_id = request.headers["environment"]
-        env = Environment.objects.get(id=env_id)
-        if not env.id:
-            return JsonResponse({"error": "Environment doesn't exist"}, status=404)
+        env = request.auth["environment"]
 
         ip_address, user_agent = get_resolver_request_meta(request)
 
@@ -281,17 +278,14 @@ def get(self, request, *args, **kwargs):
 
     def post(self, request, *args, **kwargs):
 
-        env_id = request.headers["environment"]
-        env = Environment.objects.get(id=env_id)
-        if not env:
-            return JsonResponse({"error": "Environment doesn't exist"}, status=404)
+        env = request.auth["environment"]
 
         request_body = json.loads(request.body)
 
         ip_address, user_agent = get_resolver_request_meta(request)
 
         if check_for_duplicates_blind(
-            request_body["secrets"], request.headers["environment"]
+            request_body["secrets"], env.id
         ):
             return JsonResponse({"error": "Duplicate secret found"}, status=409)
 
@@ -359,17 +353,14 @@ def post(self, request, *args, **kwargs):
 
     def put(self, request, *args, **kwargs):
 
-        env_id = request.headers["environment"]
-        env = Environment.objects.get(id=env_id)
-        if not env:
-            return JsonResponse({"error": "Environment doesn't exist"}, status=404)
+        env = request.auth["environment"]
 
         request_body = json.loads(request.body)
 
         ip_address, user_agent = get_resolver_request_meta(request)
 
         if check_for_duplicates_blind(
-            request_body["secrets"], request.headers["environment"]
+            request_body["secrets"], env.id
         ):
             return JsonResponse({"error": "Duplicate secret found"}, status=409)
 

From 4d9543bb9f7616d67608487e5c5b305734f3fd6c Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 14:05:01 +0530
Subject: [PATCH 111/118] fix: block role changes for pending members until key
 ceremony

---
 .../graphene/mutations/organisation.py        |  16 ++
 .../api/mutations/test_update_member_role.py  | 160 ++++++++++++++++++
 .../members/_components/RoleSelector.tsx      |  63 ++++---
 frontend/utils/access/permissions.ts          |  15 ++
 4 files changed, 234 insertions(+), 20 deletions(-)
 create mode 100644 backend/tests/api/mutations/test_update_member_role.py

diff --git a/backend/backend/graphene/mutations/organisation.py b/backend/backend/graphene/mutations/organisation.py
index 67dd099d2..1893773c9 100644
--- a/backend/backend/graphene/mutations/organisation.py
+++ b/backend/backend/graphene/mutations/organisation.py
@@ -584,6 +584,22 @@ def mutate(cls, root, info, member_id, role_id):
         if new_role.name.lower() == "owner":
             raise GraphQLError("You cannot set this user as the organisation owner")
 
+        # Members who haven't completed their key ceremony (e.g.
+        # SCIM-provisioned users pre-first-login) can only hold roles
+        # that won't make them a service account handler. Otherwise
+        # the next SA creation tries to wrap a keyring for an empty
+        # identity_key and breaks. Mirrors the invite safelist.
+        if not org_member.identity_key and (
+            role_has_global_access(new_role)
+            or role_has_permission(new_role, "create", "ServiceAccountTokens")
+        ):
+            raise GraphQLError(
+                "This member hasn't completed account setup yet — "
+                "wait until they sign in for the first time before "
+                "assigning a role with global access or service "
+                "account token permissions."
+            )
+
         org_member.role = new_role
         org_member.save()
 
diff --git a/backend/tests/api/mutations/test_update_member_role.py b/backend/tests/api/mutations/test_update_member_role.py
new file mode 100644
index 000000000..ce783c703
--- /dev/null
+++ b/backend/tests/api/mutations/test_update_member_role.py
@@ -0,0 +1,160 @@
+"""Pending-member role-change guard for UpdateOrganisationMemberRole.
+
+A SCIM-provisioned user before first login has no identity_key. If
+they're given a role that enrols them as a service account handler
+(global-access or ServiceAccountTokens.create), the next SA creation
+tries to wrap a keyring for that empty identity_key and breaks. The
+mutation must reject those role changes until the user completes their
+key ceremony.
+"""
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+
+def _info(user):
+    info = MagicMock()
+    info.context.user = user
+    return info
+
+
+def _role(name, permissions=None, *, is_default=True, global_access=False):
+    role = MagicMock()
+    role.name = name
+    role.is_default = is_default
+    role.permissions = permissions or {"global_access": global_access}
+    return role
+
+
+@patch("backend.graphene.mutations.organisation.Role")
+@patch("backend.graphene.mutations.organisation.OrganisationMember")
+@patch("backend.graphene.mutations.organisation.user_has_permission", return_value=True)
+def test_pending_member_blocked_from_global_access_role(
+    _mock_perm, MockOM, MockRole
+):
+    from backend.graphene.mutations.organisation import UpdateOrganisationMemberRole
+    from graphql import GraphQLError
+
+    pending = MagicMock(identity_key="", role=_role("Developer"))
+    pending.user = MagicMock()
+    caller_membership = MagicMock(role=_role("Owner"))
+    MockOM.objects.get.side_effect = [pending, caller_membership]
+
+    admin_role = _role("Admin")
+    MockRole.objects.get.return_value = admin_role
+
+    with patch(
+        "backend.graphene.mutations.organisation.role_has_global_access",
+        side_effect=lambda r: r is admin_role,
+    ), patch(
+        "backend.graphene.mutations.organisation.role_has_permission",
+        return_value=False,
+    ):
+        with pytest.raises(GraphQLError, match="hasn't completed account setup"):
+            UpdateOrganisationMemberRole.mutate(
+                None, _info(MagicMock()), member_id="m1", role_id="r1"
+            )
+
+    pending.save.assert_not_called()
+
+
+@patch("backend.graphene.mutations.organisation.Role")
+@patch("backend.graphene.mutations.organisation.OrganisationMember")
+@patch("backend.graphene.mutations.organisation.user_has_permission", return_value=True)
+def test_pending_member_blocked_from_sa_token_create_role(
+    _mock_perm, MockOM, MockRole
+):
+    from backend.graphene.mutations.organisation import UpdateOrganisationMemberRole
+    from graphql import GraphQLError
+
+    pending = MagicMock(identity_key="", role=_role("Developer"))
+    pending.user = MagicMock()
+    caller_membership = MagicMock(role=_role("Owner"))
+    MockOM.objects.get.side_effect = [pending, caller_membership]
+
+    manager_role = _role("Manager")
+    MockRole.objects.get.return_value = manager_role
+
+    with patch(
+        "backend.graphene.mutations.organisation.role_has_global_access",
+        return_value=False,
+    ), patch(
+        "backend.graphene.mutations.organisation.role_has_permission",
+        side_effect=lambda r, action, resource: (
+            r is manager_role
+            and action == "create"
+            and resource == "ServiceAccountTokens"
+        ),
+    ):
+        with pytest.raises(GraphQLError, match="hasn't completed account setup"):
+            UpdateOrganisationMemberRole.mutate(
+                None, _info(MagicMock()), member_id="m1", role_id="r1"
+            )
+
+    pending.save.assert_not_called()
+
+
+@patch("backend.graphene.mutations.organisation.Role")
+@patch("backend.graphene.mutations.organisation.OrganisationMember")
+@patch("backend.graphene.mutations.organisation.user_has_permission", return_value=True)
+def test_pending_member_can_take_safe_role(_mock_perm, MockOM, MockRole):
+    """Regression: pending members can still be assigned a safe role
+    (e.g. Developer → custom-no-SA-tokens) before they log in."""
+    from backend.graphene.mutations.organisation import UpdateOrganisationMemberRole
+
+    pending = MagicMock(identity_key="", role=_role("Developer"))
+    pending.user = MagicMock()
+    caller_membership = MagicMock(role=_role("Owner"))
+    MockOM.objects.get.side_effect = [pending, caller_membership]
+
+    safe_role = _role("Custom")
+    MockRole.objects.get.return_value = safe_role
+
+    with patch(
+        "backend.graphene.mutations.organisation.role_has_global_access",
+        return_value=False,
+    ), patch(
+        "backend.graphene.mutations.organisation.role_has_permission",
+        return_value=False,
+    ):
+        UpdateOrganisationMemberRole.mutate(
+            None, _info(MagicMock()), member_id="m1", role_id="r1"
+        )
+
+    assert pending.role is safe_role
+    pending.save.assert_called_once()
+
+
+@patch("backend.graphene.mutations.organisation.Role")
+@patch("backend.graphene.mutations.organisation.OrganisationMember")
+@patch("backend.graphene.mutations.organisation.user_has_permission", return_value=True)
+def test_active_member_can_take_global_access_role(
+    _mock_perm, MockOM, MockRole
+):
+    """Members who've completed their key ceremony can be promoted to
+    global-access roles like normal — the guard only fires on empty
+    identity_key."""
+    from backend.graphene.mutations.organisation import UpdateOrganisationMemberRole
+
+    active = MagicMock(identity_key="not-empty", role=_role("Developer"))
+    active.user = MagicMock()
+    caller_membership = MagicMock(role=_role("Owner"))
+    MockOM.objects.get.side_effect = [active, caller_membership]
+
+    admin_role = _role("Admin")
+    MockRole.objects.get.return_value = admin_role
+
+    with patch(
+        "backend.graphene.mutations.organisation.role_has_global_access",
+        side_effect=lambda r: r is admin_role,
+    ), patch(
+        "backend.graphene.mutations.organisation.role_has_permission",
+        return_value=False,
+    ):
+        UpdateOrganisationMemberRole.mutate(
+            None, _info(MagicMock()), member_id="m1", role_id="r1"
+        )
+
+    assert active.role is admin_role
+    active.save.assert_called_once()
diff --git a/frontend/app/[team]/access/members/_components/RoleSelector.tsx b/frontend/app/[team]/access/members/_components/RoleSelector.tsx
index 053696671..4cb3e74d4 100644
--- a/frontend/app/[team]/access/members/_components/RoleSelector.tsx
+++ b/frontend/app/[team]/access/members/_components/RoleSelector.tsx
@@ -5,10 +5,10 @@ import { Fragment, useContext, useEffect, useState } from 'react'
 import { OrganisationMemberType, AppType, EnvironmentType, RoleType } from '@/apollo/graphql'
 import { organisationContext } from '@/contexts/organisationContext'
 import { Listbox, Transition } from '@headlessui/react'
-import { FaChevronDown } from 'react-icons/fa'
+import { FaChevronDown, FaExclamationTriangle } from 'react-icons/fa'
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
-import { PermissionPolicy, userHasGlobalAccess } from '@/utils/access/permissions'
+import { PermissionPolicy, isRoleCryptoSafe, userHasGlobalAccess } from '@/utils/access/permissions'
 import { RoleLabel } from '@/components/users/RoleLabel'
 import { KeyringContext } from '@/contexts/keyringContext'
 import { unwrapEnvSecretsForUser, wrapEnvSecretsForAccount } from '@/utils/crypto'
@@ -249,6 +249,12 @@ export const RoleSelector = (props: {
   const roleOptions =
     roleData?.roles.filter((option: RoleType) => option.name?.toLowerCase() !== 'owner') || []
 
+  // Members without a completed key ceremony can only hold crypto-safe
+  // roles — the backend rejects anything that would make them an SA
+  // handler. Surface this in the dropdown so admins don't pick a role
+  // and then bounce off a backend error toast.
+  const memberKeyCeremonyPending = !member.identityKey
+
   // Determine if the selector should be disabled
   const disabled = !!(displayOnly || isOwner || !userCanUpdateMemberRoles || member.self)
 
@@ -271,9 +277,9 @@ export const RoleSelector = (props: {
             <Listbox.Button as={Fragment} aria-required>
               <div
                 className={clsx(
-                  'py-2 flex items-center justify-between rounded-md h-10',
+                  'py-1 flex items-center justify-between rounded-md h-10',
                   disabled ? 'cursor-not-allowed' : 'cursor-pointer',
-                  'hover:bg-neutral-500/10 px-2' // Add some hover effect and padding
+                  'hover:bg-neutral-500/10 px-1'
                 )}
               >
                 <RoleLabel role={role!} />
@@ -293,22 +299,39 @@ export const RoleSelector = (props: {
               leaveFrom="opacity-100"
               leaveTo="opacity-0"
             >
-              <Listbox.Options className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-md shadow-2xl absolute z-10 w-max focus:outline-none mt-1">
-                {roleOptions.map((optionRole: RoleType) => (
-                  <Listbox.Option key={optionRole.id} value={optionRole} as={Fragment}>
-                    {({ active, selected }) => (
-                      <div
-                        className={clsx(
-                          'flex items-center gap-2 p-2 cursor-pointer rounded-full',
-                          active && 'bg-zinc-300 dark:bg-zinc-700',
-                          selected && 'font-semibold' // Indicate selected
-                        )}
-                      >
-                        <RoleLabel role={optionRole} />
-                      </div>
-                    )}
-                  </Listbox.Option>
-                ))}
+              <Listbox.Options className="bg-zinc-200 dark:bg-zinc-800 p-1 rounded shadow-2xl absolute z-10 w-max focus:outline-none mt-1 ring-1 ring-inset ring-neutral-500/40">
+                {roleOptions.map((optionRole: RoleType) => {
+                  const unsafeForPending =
+                    memberKeyCeremonyPending && !isRoleCryptoSafe(optionRole.permissions)
+                  return (
+                    <Listbox.Option
+                      key={optionRole.id}
+                      value={optionRole}
+                      disabled={unsafeForPending}
+                      as={Fragment}
+                    >
+                      {({ active, selected }) => (
+                        <div
+                          className={clsx(
+                            'flex items-center justify-between gap-4 px-1 py-2 rounded',
+                            unsafeForPending
+                              ? 'cursor-not-allowed opacity-60'
+                              : clsx('cursor-pointer', active && 'bg-zinc-300 dark:bg-zinc-700'),
+                            selected && 'font-semibold'
+                          )}
+                        >
+                          <RoleLabel role={optionRole} size="sm" />
+                          {unsafeForPending && (
+                            <FaExclamationTriangle
+                              className="text-amber-500 text-xs shrink-0 ml-2"
+                              title="This role can't be assigned until the member completes account setup — wraps a keyring for their identity, which isn't ready yet."
+                            />
+                          )}
+                        </div>
+                      )}
+                    </Listbox.Option>
+                  )
+                })}
               </Listbox.Options>
             </Transition>
           </>
diff --git a/frontend/utils/access/permissions.ts b/frontend/utils/access/permissions.ts
index c978245f9..bb8fd21b7 100644
--- a/frontend/utils/access/permissions.ts
+++ b/frontend/utils/access/permissions.ts
@@ -66,6 +66,21 @@ export const userHasGlobalAccess = (permissionsJson: string) => {
   return permissionsData.global_access
 }
 
+/**
+ * Roles assignable to members who haven't completed their key
+ * ceremony (e.g. SCIM-provisioned users pre-first-login). Excludes
+ * global-access roles and roles with ServiceAccountTokens.create —
+ * both would enrol the member as an SA handler, and key wrapping for
+ * an empty identity_key fails. Mirrors the backend safelist in
+ * BulkInviteOrganisationMembersMutation and UpdateOrganisationMemberRole.
+ */
+export const isRoleCryptoSafe = (permissionsJson: string): boolean => {
+  if (userHasGlobalAccess(permissionsJson)) return false;
+  if (userHasPermission(permissionsJson, 'ServiceAccountTokens', 'create'))
+    return false;
+  return true;
+};
+
 /**
  * Determines if a user is an admin based on their role.
  * @param {string} role - The user's role.

From 5adc50cb08d6d6b589190119b8ee29db6e2f9724 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 14:08:03 +0530
Subject: [PATCH 112/118] fix: copy

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/graphene/mutations/teams.py | 61 ++++++++-------------
 1 file changed, 23 insertions(+), 38 deletions(-)

diff --git a/backend/backend/graphene/mutations/teams.py b/backend/backend/graphene/mutations/teams.py
index 02547eae2..57a9b7fd7 100644
--- a/backend/backend/graphene/mutations/teams.py
+++ b/backend/backend/graphene/mutations/teams.py
@@ -31,9 +31,7 @@
 
 def _get_org_member(user, org):
     """Get the requesting user's OrganisationMember."""
-    return OrganisationMember.objects.get(
-        user=user, organisation=org, deleted_at=None
-    )
+    return OrganisationMember.objects.get(user=user, organisation=org, deleted_at=None)
 
 
 def _check_team_membership(user, team):
@@ -168,9 +166,7 @@ def mutate(
             if member_role_id == "":
                 team.member_role = None
             else:
-                team.member_role = Role.objects.get(
-                    id=member_role_id, organisation=org
-                )
+                team.member_role = Role.objects.get(id=member_role_id, organisation=org)
 
         if service_account_role_id is not None:
             if service_account_role_id == "":
@@ -213,12 +209,8 @@ def mutate(cls, root, info, team_id, new_owner_id):
         new_owner = OrganisationMember.objects.get(
             id=new_owner_id, organisation=org, deleted_at=None
         )
-        if not TeamMembership.objects.filter(
-            team=team, org_member=new_owner
-        ).exists():
-            raise GraphQLError(
-                "The new owner must be a member of the team"
-            )
+        if not TeamMembership.objects.filter(team=team, org_member=new_owner).exists():
+            raise GraphQLError("The new owner must be a member of the team")
 
         team.owner = new_owner
         team.save()
@@ -303,9 +295,7 @@ def mutate(cls, root, info, team_id, member_ids, member_type=MemberType.USER):
                 member = OrganisationMember.objects.get(
                     id=mid, organisation=org, deleted_at=None
                 )
-                if TeamMembership.objects.filter(
-                    team=team, org_member=member
-                ).exists():
+                if TeamMembership.objects.filter(team=team, org_member=member).exists():
                     continue
                 tm = TeamMembership.objects.create(team=team, org_member=member)
             else:
@@ -329,9 +319,7 @@ def mutate(cls, root, info, team_id, member_ids, member_type=MemberType.USER):
             for app_id in app_ids:
                 app = App.objects.get(id=app_id)
                 if app.sse_enabled:
-                    provision_team_environment_keys(
-                        team, app, members=new_memberships
-                    )
+                    provision_team_environment_keys(team, app, members=new_memberships)
 
         return AddTeamMembersMutation(team=team)
 
@@ -373,8 +361,7 @@ def mutate(cls, root, info, team_id, member_id, member_type=MemberType.USER):
             # Block removing a team-owned SA from its owning team
             if member.team_id == team.id:
                 raise GraphQLError(
-                    "This service account is owned by this team and cannot be removed. "
-                    "Delete the service account instead, or transfer ownership first."
+                    "This service account is owned by this team and cannot be removed."
                 )
             membership = TeamMembership.objects.get(team=team, service_account=member)
             revoke_team_environment_keys(team, member=member)
@@ -392,9 +379,7 @@ class AppEnvironmentInput(graphene.InputObjectType):
 class AddTeamAppsMutation(graphene.Mutation):
     class Arguments:
         team_id = graphene.ID(required=True)
-        app_envs = graphene.List(
-            graphene.NonNull(AppEnvironmentInput), required=True
-        )
+        app_envs = graphene.List(graphene.NonNull(AppEnvironmentInput), required=True)
 
     team = graphene.Field(TeamType)
 
@@ -417,16 +402,16 @@ def mutate(cls, root, info, team_id, app_envs):
             app = App.objects.get(id=app_env.app_id, organisation=org)
 
             # Check app-level Teams permission (team creators always have access)
-            if not _is_team_owner(user, team) and not user_has_permission(user, "create", "Teams", org, is_app_resource=True, app=app):
+            if not _is_team_owner(user, team) and not user_has_permission(
+                user, "create", "Teams", org, is_app_resource=True, app=app
+            ):
                 raise GraphQLError(
                     f"You don't have permission to add teams to app '{app.name}'"
                 )
 
             # Actor must have access to the app
             if not user_can_access_app(user.userId, app.id):
-                raise GraphQLError(
-                    f"You don't have access to app '{app.name}'"
-                )
+                raise GraphQLError(f"You don't have access to app '{app.name}'")
 
             # Team access requires SSE
             if not app.sse_enabled:
@@ -472,7 +457,9 @@ def mutate(cls, root, info, team_id, app_id):
         app = App.objects.get(id=app_id, organisation=org)
 
         # Check app-level Teams permission (team creators always have access)
-        if not _is_team_owner(user, team) and not user_has_permission(user, "delete", "Teams", org, is_app_resource=True, app=app):
+        if not _is_team_owner(user, team) and not user_has_permission(
+            user, "delete", "Teams", org, is_app_resource=True, app=app
+        ):
             raise GraphQLError(
                 "You don't have permission to remove teams from this app"
             )
@@ -511,7 +498,9 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
         app = App.objects.get(id=app_id, organisation=org)
 
         # Check app-level Teams permission (team creators always have access)
-        if not _is_team_owner(user, team) and not user_has_permission(user, "update", "Teams", org, is_app_resource=True, app=app):
+        if not _is_team_owner(user, team) and not user_has_permission(
+            user, "update", "Teams", org, is_app_resource=True, app=app
+        ):
             raise GraphQLError(
                 "You don't have permission to manage team environments for this app"
             )
@@ -520,9 +509,7 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
             raise GraphQLError("You don't have access to this app")
 
         if not app.sse_enabled:
-            raise GraphQLError(
-                "Team-based access requires server-side encryption."
-            )
+            raise GraphQLError("Team-based access requires server-side encryption.")
 
         # Determine which environments to add/remove
         current_env_ids = set(
@@ -534,15 +521,13 @@ def mutate(cls, root, info, team_id, app_id, env_ids):
 
         # Validate all new env_ids belong to this app
         valid_env_ids = set(
-            Environment.objects.filter(
-                id__in=new_env_ids, app=app
-            ).values_list("id", flat=True)
+            Environment.objects.filter(id__in=new_env_ids, app=app).values_list(
+                "id", flat=True
+            )
         )
         invalid = new_env_ids - valid_env_ids
         if invalid:
-            raise GraphQLError(
-                "Some environment IDs do not belong to this app"
-            )
+            raise GraphQLError("Some environment IDs do not belong to this app")
 
         to_remove = current_env_ids - new_env_ids
         to_add = new_env_ids - current_env_ids

From 1b8f0f378da9e3b486de76f743ea7a9239a0aa2f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 15:08:38 +0530
Subject: [PATCH 113/118] fix: wrap app member add in atomic to avoid stale m2m
 on failure

---
 backend/backend/graphene/mutations/app.py | 122 ++++++++++++----------
 1 file changed, 65 insertions(+), 57 deletions(-)

diff --git a/backend/backend/graphene/mutations/app.py b/backend/backend/graphene/mutations/app.py
index f9717db7c..583b6d80d 100644
--- a/backend/backend/graphene/mutations/app.py
+++ b/backend/backend/graphene/mutations/app.py
@@ -18,6 +18,7 @@
 )
 from backend.graphene.types import AppType, MemberType
 from django.conf import settings
+from django.db import transaction
 from django.db.models import Q
 from django.utils import timezone
 
@@ -290,34 +291,38 @@ def mutate(cls, root, info, app_id, members):
                     f"You don't have permission to add {member_type.lower()}s to this App"
                 )
 
-            if member_type == MemberType.USER:
-                app.members.add(member)
-            else:
-                app.service_accounts.add(member)
-
-            for key in env_keys:
-                defaults = {
-                    "wrapped_seed": key.wrapped_seed,
-                    "wrapped_salt": key.wrapped_salt,
-                    "identity_key": key.identity_key,
-                }
-
-                condition = {
-                    "environment_id": key.env_id,
-                    "user_id": key.user_id if member_type == MemberType.USER else None,
-                    "service_account_id": (
-                        key.user_id if member_type == MemberType.SERVICE else None
-                    ),
-                }
-
-                env_key = _upsert_active_env_key(condition, defaults)
-                # Track the grant so removing an unrelated team grant
-                # later doesn't orphan-delete this key.
-                EnvironmentKeyGrant.objects.get_or_create(
-                    environment_key=env_key,
-                    grant_type="individual",
-                    team=None,
-                )
+            # Atomic so a mid-loop failure can't leave the M2M row
+            # without env keys — that combo would short-circuit
+            # _check_app_permission past any team role override.
+            with transaction.atomic():
+                if member_type == MemberType.USER:
+                    app.members.add(member)
+                else:
+                    app.service_accounts.add(member)
+
+                for key in env_keys:
+                    defaults = {
+                        "wrapped_seed": key.wrapped_seed,
+                        "wrapped_salt": key.wrapped_salt,
+                        "identity_key": key.identity_key,
+                    }
+
+                    condition = {
+                        "environment_id": key.env_id,
+                        "user_id": key.user_id if member_type == MemberType.USER else None,
+                        "service_account_id": (
+                            key.user_id if member_type == MemberType.SERVICE else None
+                        ),
+                    }
+
+                    env_key = _upsert_active_env_key(condition, defaults)
+                    # Track the grant so removing an unrelated team grant
+                    # later doesn't orphan-delete this key.
+                    EnvironmentKeyGrant.objects.get_or_create(
+                        environment_key=env_key,
+                        grant_type="individual",
+                        team=None,
+                    )
 
         return BulkAddAppMembersMutation(app=app)
 
@@ -353,35 +358,38 @@ def mutate(
         if not user_can_access_app(user.userId, app.id):
             raise GraphQLError("You don't have access to this app")
 
-        if member_type == MemberType.USER:
-            app.members.add(member)
-        else:
-            app.service_accounts.add(member)
-
-        # Create new env keys
-        for key in env_keys:
-            defaults = {
-                "wrapped_seed": key.wrapped_seed,
-                "wrapped_salt": key.wrapped_salt,
-                "identity_key": key.identity_key,
-            }
-
-            condition = {
-                "environment_id": key.env_id,
-                "user_id": key.user_id if member_type == MemberType.USER else None,
-                "service_account_id": (
-                    key.user_id if member_type == MemberType.SERVICE else None
-                ),
-            }
-
-            env_key = _upsert_active_env_key(condition, defaults)
-            # Track the grant so removing an unrelated team grant
-            # later doesn't orphan-delete this key.
-            EnvironmentKeyGrant.objects.get_or_create(
-                environment_key=env_key,
-                grant_type="individual",
-                team=None,
-            )
+        # Atomic so a mid-loop failure can't leave the M2M row
+        # without env keys — that combo would short-circuit
+        # _check_app_permission past any team role override.
+        with transaction.atomic():
+            if member_type == MemberType.USER:
+                app.members.add(member)
+            else:
+                app.service_accounts.add(member)
+
+            for key in env_keys:
+                defaults = {
+                    "wrapped_seed": key.wrapped_seed,
+                    "wrapped_salt": key.wrapped_salt,
+                    "identity_key": key.identity_key,
+                }
+
+                condition = {
+                    "environment_id": key.env_id,
+                    "user_id": key.user_id if member_type == MemberType.USER else None,
+                    "service_account_id": (
+                        key.user_id if member_type == MemberType.SERVICE else None
+                    ),
+                }
+
+                env_key = _upsert_active_env_key(condition, defaults)
+                # Track the grant so removing an unrelated team grant
+                # later doesn't orphan-delete this key.
+                EnvironmentKeyGrant.objects.get_or_create(
+                    environment_key=env_key,
+                    grant_type="individual",
+                    team=None,
+                )
 
         return AddAppMemberMutation(app=app)
 

From d43ddadbeea33f28b4f027b9b63f84469140e74b Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 15:57:34 +0530
Subject: [PATCH 114/118] feat: lock team-granted envs in app member and
 account scope pickers

---
 backend/backend/schema.py                     |  30 +++-
 frontend/apollo/gql.ts                        |   6 +-
 frontend/apollo/graphql.ts                    | 131 +++-------------
 frontend/apollo/schema.graphql                | 129 +++-------------
 .../members/_components/AddMemberDialog.tsx   | 115 +++++++++++---
 .../_components/ManageUserAccessDialog.tsx    | 100 ++++++++----
 .../_components/AddAccountDialog.tsx          | 115 +++++++++++---
 .../_components/ManageAccountAccessDialog.tsx | 145 +++++++++++++++---
 .../queries/access/getMemberEnvKeyGrants.gql  |   4 +-
 9 files changed, 446 insertions(+), 329 deletions(-)

diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 03191d914..8c2fcc338 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -422,6 +422,7 @@ class Query(graphene.ObjectType):
         app_id=graphene.ID(required=False),
         environment_id=graphene.ID(required=False),
         member_id=graphene.ID(required=False),
+        member_type=MemberType(),
     )
     environment_tokens = graphene.List(
         EnvironmentTokenType, environment_id=graphene.ID()
@@ -848,7 +849,12 @@ def resolve_secret_tags(root, info, org_id):
         return SecretTag.objects.filter(organisation_id=org_id)
 
     def resolve_environment_keys(
-        root, info, app_id=None, environment_id=None, member_id=None
+        root,
+        info,
+        app_id=None,
+        environment_id=None,
+        member_id=None,
+        member_type=MemberType.USER,
     ):
         if app_id is None and environment_id is None:
             return None
@@ -865,14 +871,22 @@ def resolve_environment_keys(
         if environment_id:
             filter["environment_id"] = environment_id
 
-        if member_id is not None:
-            org_member = OrganisationMember.objects.get(id=member_id, deleted_at=None)
-        else:
-            org_member = OrganisationMember.objects.get(
-                user=info.context.user, organisation=app.organisation, deleted_at=None
+        if member_id is not None and member_type == MemberType.SERVICE:
+            filter["service_account"] = ServiceAccount.objects.get(
+                id=member_id, deleted_at=None
             )
-
-        filter["user"] = org_member
+        else:
+            if member_id is not None:
+                org_member = OrganisationMember.objects.get(
+                    id=member_id, deleted_at=None
+                )
+            else:
+                org_member = OrganisationMember.objects.get(
+                    user=info.context.user,
+                    organisation=app.organisation,
+                    deleted_at=None,
+                )
+            filter["user"] = org_member
 
         return EnvironmentKey.objects.filter(**filter)
 
diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 1103d4c32..dfd4af326 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -127,7 +127,7 @@ type Documents = {
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": typeof types.CreateNewUserTokenDocument,
     "mutation RevokeUserToken($tokenId: ID!) {\n  deleteUserToken(tokenId: $tokenId) {\n    ok\n  }\n}": typeof types.RevokeUserTokenDocument,
     "query GetIP {\n  clientIp\n}": typeof types.GetIpDocument,
-    "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.GetMemberEnvKeyGrantsDocument,
+    "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!, $memberType: MemberType) {\n  environmentKeys(appId: $appId, memberId: $memberId, memberType: $memberType) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}": typeof types.GetMemberEnvKeyGrantsDocument,
     "query GetNetworkPolicies($organisationId: ID!) {\n  networkAccessPolicies(organisationId: $organisationId) {\n    id\n    name\n    allowedIps\n    isGlobal\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    updatedAt\n    updatedBy {\n      fullName\n      avatarUrl\n      self\n    }\n  }\n  clientIp\n}": typeof types.GetNetworkPoliciesDocument,
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": typeof types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": typeof types.GetAppMembersDocument,
@@ -316,7 +316,7 @@ const documents: Documents = {
     "mutation CreateNewUserToken($orgId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createUserToken(\n    orgId: $orgId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    ok\n  }\n}": types.CreateNewUserTokenDocument,
     "mutation RevokeUserToken($tokenId: ID!) {\n  deleteUserToken(tokenId: $tokenId) {\n    ok\n  }\n}": types.RevokeUserTokenDocument,
     "query GetIP {\n  clientIp\n}": types.GetIpDocument,
-    "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.GetMemberEnvKeyGrantsDocument,
+    "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!, $memberType: MemberType) {\n  environmentKeys(appId: $appId, memberId: $memberId, memberType: $memberType) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}": types.GetMemberEnvKeyGrantsDocument,
     "query GetNetworkPolicies($organisationId: ID!) {\n  networkAccessPolicies(organisationId: $organisationId) {\n    id\n    name\n    allowedIps\n    isGlobal\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    updatedAt\n    updatedBy {\n      fullName\n      avatarUrl\n      self\n    }\n  }\n  clientIp\n}": types.GetNetworkPoliciesDocument,
     "query GetAppAccounts($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n  appServiceAccounts(appId: $appId) {\n    id\n    identityKey\n    name\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n    tokens {\n      id\n      name\n    }\n  }\n}": types.GetAppAccountsDocument,
     "query GetAppMembers($appId: ID!) {\n  appUsers(appId: $appId) {\n    id\n    identityKey\n    email\n    fullName\n    avatarUrl\n    createdAt\n    role {\n      id\n      name\n      description\n      permissions\n      color\n    }\n  }\n}": types.GetAppMembersDocument,
@@ -861,7 +861,7 @@ export function graphql(source: "query GetIP {\n  clientIp\n}"): (typeof documen
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {\n  environmentKeys(appId: $appId, memberId: $memberId) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
+export function graphql(source: "query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!, $memberType: MemberType) {\n  environmentKeys(appId: $appId, memberId: $memberId, memberType: $memberType) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!, $memberType: MemberType) {\n  environmentKeys(appId: $appId, memberId: $memberId, memberType: $memberType) {\n    id\n    environment {\n      id\n    }\n    grants {\n      grantType\n      team {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 30010f657..f3eec85f3 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -401,27 +401,8 @@ export type BulkInviteOrganisationMembersMutation = {
 };
 
 /**
- * Rotate the user's account password and rewrap the active org's
- * keyring with the new deviceKey. Used by the in-session change-password
- * dialog where the user supplies their current password, a new password,
- * and the org's recovery mnemonic.
- *
- * Three server-side proofs are required:
- *   1. current_auth_hash matches user.password — proves the caller
- *      knows the current login password.
- *   2. identity_key matches the member's stored identity_key — proves
- *      the caller derived the keyring from the same mnemonic they
- *      registered with. Every Phase user has their own keyring, so
- *      this is checked against the member's identity_key, not the
- *      org's (which is the owner's).
- *   3. user is a member of the org.
- *
- * On success: user.password is set to new_auth_hash, the org's
- * wrapped_keyring + wrapped_recovery are replaced, and the session is
- * refreshed so the post-rotation HASH_SESSION_KEY stays valid.
- *
- * Only the active org's keyring is rewrapped. Other orgs the user
- * belongs to remain encrypted with the old deviceKey; they'll fall
+ * Rotate user.password and rewrap the active org's keyring with
+ * the new deviceKey. Other orgs keep the old deviceKey and fall
  * through to per-org recovery on next access.
  */
 export type ChangeAccountPasswordMutation = {
@@ -840,12 +821,7 @@ export type EnvironmentInput = {
   wrappedSeed: Scalars['String']['input'];
 };
 
-/**
- * Records WHY an EnvironmentKey exists. A single key can carry
- * multiple grants (e.g. an individual grant + a team grant for the
- * same env), and clients use this to show users where their access
- * comes from.
- */
+/** One key can carry multiple grants (individual + team). */
 export type EnvironmentKeyGrantType = {
   __typename?: 'EnvironmentKeyGrantType';
   createdAt?: Maybe<Scalars['DateTime']['output']>;
@@ -1121,27 +1097,8 @@ export type Mutation = {
   bulkInviteOrganisationMembers?: Maybe<BulkInviteOrganisationMembersMutation>;
   cancelSubscription?: Maybe<UpdateSubscriptionResponse>;
   /**
-   * Rotate the user's account password and rewrap the active org's
-   * keyring with the new deviceKey. Used by the in-session change-password
-   * dialog where the user supplies their current password, a new password,
-   * and the org's recovery mnemonic.
-   *
-   * Three server-side proofs are required:
-   *   1. current_auth_hash matches user.password — proves the caller
-   *      knows the current login password.
-   *   2. identity_key matches the member's stored identity_key — proves
-   *      the caller derived the keyring from the same mnemonic they
-   *      registered with. Every Phase user has their own keyring, so
-   *      this is checked against the member's identity_key, not the
-   *      org's (which is the owner's).
-   *   3. user is a member of the org.
-   *
-   * On success: user.password is set to new_auth_hash, the org's
-   * wrapped_keyring + wrapped_recovery are replaced, and the session is
-   * refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-   *
-   * Only the active org's keyring is rewrapped. Other orgs the user
-   * belongs to remain encrypted with the old deviceKey; they'll fall
+   * Rotate user.password and rewrap the active org's keyring with
+   * the new deviceKey. Other orgs keep the old deviceKey and fall
    * through to per-org recovery on next access.
    */
   changeAccountPassword?: Maybe<ChangeAccountPasswordMutation>;
@@ -1223,23 +1180,10 @@ export type Mutation = {
   readSecret?: Maybe<ReadSecretMutation>;
   /**
    * Rewrap this member's keyring with a deviceKey derived from the
-   * user's account password. Used by the recovery flow when the local
-   * keyring has been lost (cleared cache, new device) but the user still
-   * remembers their password.
-   *
-   * Two server-side proofs are required:
-   *   1. identity_key matches the member's stored identity_key — proves
-   *      the caller derived the keyring from the same mnemonic they
-   *      registered with. Every Phase user has their own keyring, so
-   *      this is checked against the member's identity_key, not the
-   *      org's (which is the owner's).
-   *   2. auth_hash matches user.password — proves the password the user
-   *      is wrapping the keyring with is also their account login auth.
-   *
-   * The mutation does NOT change user.password. The auth_hash check is a
-   * guardrail to keep auth and wrap passwords unified; if it fails, the
-   * user is trying to wrap the keyring with a password that doesn't
-   * authenticate them, which we never persist.
+   * user's account password. Used when the local keyring is lost
+   * (cleared cache, new device) but the user still has their password.
+   * Requires identity_key to match the member's stored value AND
+   * auth_hash to match user.password. Does not rotate user.password.
    */
   recoverAccountKeyring?: Maybe<RecoverAccountKeyringMutation>;
   removeAppMember?: Maybe<RemoveAppMemberMutation>;
@@ -1273,18 +1217,10 @@ export type Mutation = {
   updateIdentity?: Maybe<UpdateIdentityMutation>;
   updateMemberEnvironmentScope?: Maybe<UpdateMemberEnvScopeMutation>;
   /**
-   * Re-wrap this member's keyring after the caller proves they hold
-   * the recovery mnemonic, or establish the keyring for the first time
-   * (e.g. SCIM-provisioned members completing their initial key
-   * ceremony). Used by SSO recovery and the account-init page.
-   *
-   * Requires identity_key matching the member's stored identity_key —
-   * proves the caller derived the keyring from the same mnemonic they
-   * registered with. Every Phase user has their own independently-
-   * derived keyring, so this check is against the member's identity_key,
-   * not the org's (which is the owner's). Members with no prior
-   * identity_key (SCIM-preprovisioned accounts on first login) have no
-   * identity to verify against — they are establishing one here.
+   * Re-wrap this member's keyring (SSO recovery) or establish it on
+   * first-key ceremony (SCIM-preprovisioned members). Validates the
+   * supplied identity_key against the member's stored one, except on
+   * first ceremony when there's nothing yet to compare against.
    */
   updateMemberWrappedSecrets?: Maybe<UpdateUserWrappedSecretsMutation>;
   updateNetworkAccessPolicy?: Maybe<UpdateNetworkAccessPolicyMutation>;
@@ -2438,6 +2374,7 @@ export type QueryEnvironmentKeysArgs = {
   appId?: InputMaybe<Scalars['ID']['input']>;
   environmentId?: InputMaybe<Scalars['ID']['input']>;
   memberId?: InputMaybe<Scalars['ID']['input']>;
+  memberType?: InputMaybe<MemberType>;
 };
 
 
@@ -2727,23 +2664,10 @@ export type ReadSecretMutation = {
 
 /**
  * Rewrap this member's keyring with a deviceKey derived from the
- * user's account password. Used by the recovery flow when the local
- * keyring has been lost (cleared cache, new device) but the user still
- * remembers their password.
- *
- * Two server-side proofs are required:
- *   1. identity_key matches the member's stored identity_key — proves
- *      the caller derived the keyring from the same mnemonic they
- *      registered with. Every Phase user has their own keyring, so
- *      this is checked against the member's identity_key, not the
- *      org's (which is the owner's).
- *   2. auth_hash matches user.password — proves the password the user
- *      is wrapping the keyring with is also their account login auth.
- *
- * The mutation does NOT change user.password. The auth_hash check is a
- * guardrail to keep auth and wrap passwords unified; if it fails, the
- * user is trying to wrap the keyring with a password that doesn't
- * authenticate them, which we never persist.
+ * user's account password. Used when the local keyring is lost
+ * (cleared cache, new device) but the user still has their password.
+ * Requires identity_key to match the member's stored value AND
+ * auth_hash to match user.password. Does not rotate user.password.
  */
 export type RecoverAccountKeyringMutation = {
   __typename?: 'RecoverAccountKeyringMutation';
@@ -3257,18 +3181,10 @@ export type UpdateTeamMutation = {
 };
 
 /**
- * Re-wrap this member's keyring after the caller proves they hold
- * the recovery mnemonic, or establish the keyring for the first time
- * (e.g. SCIM-provisioned members completing their initial key
- * ceremony). Used by SSO recovery and the account-init page.
- *
- * Requires identity_key matching the member's stored identity_key —
- * proves the caller derived the keyring from the same mnemonic they
- * registered with. Every Phase user has their own independently-
- * derived keyring, so this check is against the member's identity_key,
- * not the org's (which is the owner's). Members with no prior
- * identity_key (SCIM-preprovisioned accounts on first login) have no
- * identity to verify against — they are establishing one here.
+ * Re-wrap this member's keyring (SSO recovery) or establish it on
+ * first-key ceremony (SCIM-preprovisioned members). Validates the
+ * supplied identity_key against the member's stored one, except on
+ * first ceremony when there's nothing yet to compare against.
  */
 export type UpdateUserWrappedSecretsMutation = {
   __typename?: 'UpdateUserWrappedSecretsMutation';
@@ -4374,6 +4290,7 @@ export type GetIpQuery = { __typename?: 'Query', clientIp?: string | null };
 export type GetMemberEnvKeyGrantsQueryVariables = Exact<{
   appId: Scalars['ID']['input'];
   memberId: Scalars['ID']['input'];
+  memberType?: InputMaybe<MemberType>;
 }>;
 
 
@@ -5032,7 +4949,7 @@ export const UpdateTeamAppEnvironmentsOpDocument = {"kind":"Document","definitio
 export const CreateNewUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<CreateNewUserTokenMutation, CreateNewUserTokenMutationVariables>;
 export const RevokeUserTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RevokeUserToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteUserToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<RevokeUserTokenMutation, RevokeUserTokenMutationVariables>;
 export const GetIpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIP"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"clientIp"}}]}}]} as unknown as DocumentNode<GetIpQuery, GetIpQueryVariables>;
-export const GetMemberEnvKeyGrantsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetMemberEnvKeyGrants"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"grants"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"grantType"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetMemberEnvKeyGrantsQuery, GetMemberEnvKeyGrantsQueryVariables>;
+export const GetMemberEnvKeyGrantsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetMemberEnvKeyGrants"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"MemberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberId"}}},{"kind":"Argument","name":{"kind":"Name","value":"memberType"},"value":{"kind":"Variable","name":{"kind":"Name","value":"memberType"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"grants"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"grantType"}},{"kind":"Field","name":{"kind":"Name","value":"team"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetMemberEnvKeyGrantsQuery, GetMemberEnvKeyGrantsQueryVariables>;
 export const GetNetworkPoliciesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetNetworkPolicies"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"networkAccessPolicies"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"clientIp"}}]}}]} as unknown as DocumentNode<GetNetworkPoliciesQuery, GetNetworkPoliciesQueryVariables>;
 export const GetAppAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appServiceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppAccountsQuery, GetAppAccountsQueryVariables>;
 export const GetAppMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAppMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"appUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetAppMembersQuery, GetAppMembersQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index d7954e496..8b6fe6fa6 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -27,7 +27,7 @@ type Query {
   folders(envId: ID, path: String): [SecretFolderType]
   secretHistory(secretId: ID): [SecretEventType]
   secretTags(orgId: ID): [SecretTagType]
-  environmentKeys(appId: ID, environmentId: ID, memberId: ID): [EnvironmentKeyType]
+  environmentKeys(appId: ID, environmentId: ID, memberId: ID, memberType: MemberType): [EnvironmentKeyType]
   environmentTokens(environmentId: ID): [EnvironmentTokenType]
   userTokens(organisationId: ID): [UserTokenType]
   serviceTokens(appId: ID): [ServiceTokenType]
@@ -937,12 +937,7 @@ type EnvironmentKeyType {
   grants: [EnvironmentKeyGrantType!]
 }
 
-"""
-Records WHY an EnvironmentKey exists. A single key can carry
-multiple grants (e.g. an individual grant + a team grant for the
-same env), and clients use this to show users where their access
-comes from.
-"""
+"""One key can carry multiple grants (individual + team)."""
 type EnvironmentKeyGrantType {
   id: String!
   grantType: ApiEnvironmentKeyGrantGrantTypeChoices!
@@ -1198,65 +1193,25 @@ type Mutation {
   transferOrganisationOwnership(billingEmail: String, newOwnerId: ID!, organisationId: ID!): TransferOrganisationOwnershipMutation
 
   """
-  Re-wrap this member's keyring after the caller proves they hold
-  the recovery mnemonic, or establish the keyring for the first time
-  (e.g. SCIM-provisioned members completing their initial key
-  ceremony). Used by SSO recovery and the account-init page.
-  
-  Requires identity_key matching the member's stored identity_key —
-  proves the caller derived the keyring from the same mnemonic they
-  registered with. Every Phase user has their own independently-
-  derived keyring, so this check is against the member's identity_key,
-  not the org's (which is the owner's). Members with no prior
-  identity_key (SCIM-preprovisioned accounts on first login) have no
-  identity to verify against — they are establishing one here.
+  Re-wrap this member's keyring (SSO recovery) or establish it on
+  first-key ceremony (SCIM-preprovisioned members). Validates the
+  supplied identity_key against the member's stored one, except on
+  first ceremony when there's nothing yet to compare against.
   """
   updateMemberWrappedSecrets(identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
 
   """
   Rewrap this member's keyring with a deviceKey derived from the
-  user's account password. Used by the recovery flow when the local
-  keyring has been lost (cleared cache, new device) but the user still
-  remembers their password.
-  
-  Two server-side proofs are required:
-    1. identity_key matches the member's stored identity_key — proves
-       the caller derived the keyring from the same mnemonic they
-       registered with. Every Phase user has their own keyring, so
-       this is checked against the member's identity_key, not the
-       org's (which is the owner's).
-    2. auth_hash matches user.password — proves the password the user
-       is wrapping the keyring with is also their account login auth.
-  
-  The mutation does NOT change user.password. The auth_hash check is a
-  guardrail to keep auth and wrap passwords unified; if it fails, the
-  user is trying to wrap the keyring with a password that doesn't
-  authenticate them, which we never persist.
+  user's account password. Used when the local keyring is lost
+  (cleared cache, new device) but the user still has their password.
+  Requires identity_key to match the member's stored value AND
+  auth_hash to match user.password. Does not rotate user.password.
   """
   recoverAccountKeyring(authHash: String!, identityKey: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): RecoverAccountKeyringMutation
 
   """
-  Rotate the user's account password and rewrap the active org's
-  keyring with the new deviceKey. Used by the in-session change-password
-  dialog where the user supplies their current password, a new password,
-  and the org's recovery mnemonic.
-  
-  Three server-side proofs are required:
-    1. current_auth_hash matches user.password — proves the caller
-       knows the current login password.
-    2. identity_key matches the member's stored identity_key — proves
-       the caller derived the keyring from the same mnemonic they
-       registered with. Every Phase user has their own keyring, so
-       this is checked against the member's identity_key, not the
-       org's (which is the owner's).
-    3. user is a member of the org.
-  
-  On success: user.password is set to new_auth_hash, the org's
-  wrapped_keyring + wrapped_recovery are replaced, and the session is
-  refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-  
-  Only the active org's keyring is rewrapped. Other orgs the user
-  belongs to remain encrypted with the old deviceKey; they'll fall
+  Rotate user.password and rewrap the active org's keyring with
+  the new deviceKey. Other orgs keep the old deviceKey and fall
   through to per-org recovery on next access.
   """
   changeAccountPassword(currentAuthHash: String!, identityKey: String!, newAuthHash: String!, orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): ChangeAccountPasswordMutation
@@ -1417,18 +1372,10 @@ type TransferOrganisationOwnershipMutation {
 }
 
 """
-Re-wrap this member's keyring after the caller proves they hold
-the recovery mnemonic, or establish the keyring for the first time
-(e.g. SCIM-provisioned members completing their initial key
-ceremony). Used by SSO recovery and the account-init page.
-
-Requires identity_key matching the member's stored identity_key —
-proves the caller derived the keyring from the same mnemonic they
-registered with. Every Phase user has their own independently-
-derived keyring, so this check is against the member's identity_key,
-not the org's (which is the owner's). Members with no prior
-identity_key (SCIM-preprovisioned accounts on first login) have no
-identity to verify against — they are establishing one here.
+Re-wrap this member's keyring (SSO recovery) or establish it on
+first-key ceremony (SCIM-preprovisioned members). Validates the
+supplied identity_key against the member's stored one, except on
+first ceremony when there's nothing yet to compare against.
 """
 type UpdateUserWrappedSecretsMutation {
   orgMember: OrganisationMemberType
@@ -1436,50 +1383,18 @@ type UpdateUserWrappedSecretsMutation {
 
 """
 Rewrap this member's keyring with a deviceKey derived from the
-user's account password. Used by the recovery flow when the local
-keyring has been lost (cleared cache, new device) but the user still
-remembers their password.
-
-Two server-side proofs are required:
-  1. identity_key matches the member's stored identity_key — proves
-     the caller derived the keyring from the same mnemonic they
-     registered with. Every Phase user has their own keyring, so
-     this is checked against the member's identity_key, not the
-     org's (which is the owner's).
-  2. auth_hash matches user.password — proves the password the user
-     is wrapping the keyring with is also their account login auth.
-
-The mutation does NOT change user.password. The auth_hash check is a
-guardrail to keep auth and wrap passwords unified; if it fails, the
-user is trying to wrap the keyring with a password that doesn't
-authenticate them, which we never persist.
+user's account password. Used when the local keyring is lost
+(cleared cache, new device) but the user still has their password.
+Requires identity_key to match the member's stored value AND
+auth_hash to match user.password. Does not rotate user.password.
 """
 type RecoverAccountKeyringMutation {
   orgMember: OrganisationMemberType
 }
 
 """
-Rotate the user's account password and rewrap the active org's
-keyring with the new deviceKey. Used by the in-session change-password
-dialog where the user supplies their current password, a new password,
-and the org's recovery mnemonic.
-
-Three server-side proofs are required:
-  1. current_auth_hash matches user.password — proves the caller
-     knows the current login password.
-  2. identity_key matches the member's stored identity_key — proves
-     the caller derived the keyring from the same mnemonic they
-     registered with. Every Phase user has their own keyring, so
-     this is checked against the member's identity_key, not the
-     org's (which is the owner's).
-  3. user is a member of the org.
-
-On success: user.password is set to new_auth_hash, the org's
-wrapped_keyring + wrapped_recovery are replaced, and the session is
-refreshed so the post-rotation HASH_SESSION_KEY stays valid.
-
-Only the active org's keyring is rewrapped. Other orgs the user
-belongs to remain encrypted with the old deviceKey; they'll fall
+Rotate user.password and rewrap the active org's keyring with
+the new deviceKey. Other orgs keep the old deviceKey and fall
 through to per-org recovery on next access.
 """
 type ChangeAccountPasswordMutation {
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
index 79ac676ae..e6ca5f829 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
@@ -95,6 +95,30 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
     return map
   }, [teamsData, appId])
 
+  // Map member ID → Set of envIds (in this app) the member already
+  // has access to via team grants. Used to pre-select + lock those
+  // envs in the per-member scope picker.
+  const memberTeamEnvs = useMemo(() => {
+    const map = new Map<string, Set<string>>()
+    if (!teamsData?.teams) return map
+    for (const team of teamsData.teams as TeamType[]) {
+      const teamEnvIds = new Set<string>()
+      for (const ae of team.appEnvironments ?? []) {
+        if (ae?.app?.id === appId && ae?.environment?.id) {
+          teamEnvIds.add(ae.environment.id)
+        }
+      }
+      if (teamEnvIds.size === 0) continue
+      for (const m of team.members || []) {
+        if (!m.orgMember) continue
+        const set = map.get(m.orgMember.id) ?? new Set<string>()
+        teamEnvIds.forEach((id) => set.add(id))
+        map.set(m.orgMember.id, set)
+      }
+    }
+    return map
+  }, [teamsData, appId])
+
   const { data, loading } = useQuery(GetAppMembers, {
     variables: { appId: appId },
     skip: !userCanReadAppMembers,
@@ -168,10 +192,12 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
       )
 
       if (preselectedMember) {
+        const teamEnvIds = memberTeamEnvs.get(preselectedMember.id) ?? new Set<string>()
+        const preScope = envOptions.filter((e) => e.id && teamEnvIds.has(e.id))
         setSelectedMembers([
           {
             ...preselectedMember,
-            scope: [],
+            scope: preScope,
           },
         ])
         openModal()
@@ -336,7 +362,17 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
                               'flex items-center justify-between gap-2 p-2 text-sm cursor-pointer transition ease w-full min-w-96',
                               active ? 'bg-neutral-100 dark:bg-neutral-800' : ''
                             )}
-                            onClick={() => setSelectedMembers([...selectedMembers, member])}
+                            onClick={() => {
+                              const teamEnvIds =
+                                memberTeamEnvs.get(member.id) ?? new Set<string>()
+                              const preScope = envOptions.filter(
+                                (e) => e.id && teamEnvIds.has(e.id)
+                              )
+                              setSelectedMembers([
+                                ...selectedMembers,
+                                { ...member, scope: preScope },
+                              ])
+                            }}
                           >
                             <div className="flex items-center gap-2">
                               <Avatar member={member} size="md" />
@@ -512,32 +548,61 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
                               leaveTo="opacity-0"
                             >
                               <Listbox.Options className="bg-neutral-200 dark:bg-neutral-800 p-2 rounded-b-md ring-1 ring-inset ring-neutral-500/40 shadow-2xl absolute -my-px z-10 w-full divide-y divide-neutral-500/20">
-                                {envOptions.map((env) => (
-                                  <Listbox.Option key={`${member.id}-${env.id}`} value={env}>
-                                    {({ active, selected }) => (
-                                      <div
-                                        className={clsx(
-                                          'flex items-center gap-2 p-1 cursor-pointer text-sm rounded-md transition ease text-zinc-900 dark:text-zinc-100',
-                                          active ? ' bg-neutral-100 dark:bg-neutral-700' : ''
-                                        )}
-                                      >
-                                        {selected ? (
-                                          <FaCheckCircle className="text-emerald-500" />
-                                        ) : (
-                                          <FaCircle className="text-neutral-500" />
-                                        )}
-                                        <span
+                                {envOptions.map((env) => {
+                                  // Pre-locked: env is already granted to this
+                                  // member via a team. Disable so the user
+                                  // doesn't see deselecting it as meaningful.
+                                  const teamEnvIds =
+                                    memberTeamEnvs.get(member.id) ?? new Set<string>()
+                                  const lockedByTeam = !!env.id && teamEnvIds.has(env.id)
+                                  return (
+                                    <Listbox.Option
+                                      key={`${member.id}-${env.id}`}
+                                      value={env}
+                                      disabled={lockedByTeam}
+                                    >
+                                      {({ active, selected }) => (
+                                        <div
                                           className={clsx(
-                                            'block truncate',
-                                            selected ? 'font-medium' : 'font-normal'
+                                            'flex items-center gap-2 p-1 text-sm rounded-md transition ease text-zinc-900 dark:text-zinc-100',
+                                            lockedByTeam
+                                              ? 'cursor-not-allowed'
+                                              : 'cursor-pointer',
+                                            active && !lockedByTeam
+                                              ? ' bg-neutral-100 dark:bg-neutral-700'
+                                              : ''
                                           )}
+                                          title={
+                                            lockedByTeam
+                                              ? `${env.name} — granted via team. Remove the user from the team to revoke this access.`
+                                              : undefined
+                                          }
                                         >
-                                          {env.name}
-                                        </span>
-                                      </div>
-                                    )}
-                                  </Listbox.Option>
-                                ))}
+                                          {selected ? (
+                                            <FaCheckCircle
+                                              className={clsx(
+                                                lockedByTeam
+                                                  ? 'text-neutral-500'
+                                                  : 'text-emerald-500'
+                                              )}
+                                            />
+                                          ) : (
+                                            <FaCircle className="text-neutral-500" />
+                                          )}
+                                          <span
+                                            className={clsx(
+                                              'block truncate',
+                                              selected ? 'font-medium' : 'font-normal',
+                                              lockedByTeam && 'text-neutral-500'
+                                            )}
+                                          >
+                                            {env.name}
+                                          </span>
+                                        </div>
+                                      )}
+                                    </Listbox.Option>
+                                  )
+                                })}
                               </Listbox.Options>
                             </Transition>
                           </div>
diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
index 12a5238b0..72697a1d0 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/ManageUserAccessDialog.tsx
@@ -73,15 +73,23 @@ export const ManageUserAccessDialog = ({
     variables: { appId, memberId: member.id },
   })
 
-  // env_id -> true if the member has an individual grant on that env.
-  const envHasIndividualGrant = useMemo(() => {
-    const map: Record<string, boolean> = {}
+  // env_id -> { individual, team } presence flags. Envs the member
+  // has no grant on are absent — don't conflate "no entry" with "team
+  // only", or unsaved selections render as if team-granted.
+  const envGrantSources = useMemo(() => {
+    const map: Record<string, { individual: boolean; team: boolean }> = {}
     for (const ek of grantsData?.environmentKeys ?? []) {
       const envId = ek?.environment?.id
       if (!envId) continue
-      map[envId] = (ek.grants ?? []).some(
-        (g: any) => g?.grantType === ApiEnvironmentKeyGrantGrantTypeChoices.Individual
-      )
+      const grants = ek.grants ?? []
+      map[envId] = {
+        individual: grants.some(
+          (g: any) => g?.grantType === ApiEnvironmentKeyGrantGrantTypeChoices.Individual
+        ),
+        team: grants.some(
+          (g: any) => g?.grantType === ApiEnvironmentKeyGrantGrantTypeChoices.Team
+        ),
+      }
     }
     return map
   }, [grantsData])
@@ -205,13 +213,14 @@ export const ManageUserAccessDialog = ({
         {envScope.map((env, i) => {
           // Blue (matches the team chip) for envs accessed via team
           // only; default zinc for direct individual access.
-          const teamOnly = env.id ? !envHasIndividualGrant[env.id] : false
+          const sources = env.id ? envGrantSources[env.id] : undefined
+          const teamOnly = !!sources?.team && !sources?.individual
           return (
             <Fragment key={env.id ?? env.name}>
               <span
                 className={clsx(
                   teamOnly
-                    ? 'text-blue-600 dark:text-blue-400'
+                    ? 'text-neutral-500'
                     : 'text-zinc-900 dark:text-zinc-100'
                 )}
                 title={
@@ -326,25 +335,62 @@ export const ManageUserAccessDialog = ({
                     >
                       <Listbox.Options>
                         <div className="bg-neutral-200 dark:bg-neutral-800 p-2 rounded-b-md border border-neutral-500/40 shadow-2xl absolute z-10 -my-px w-full divide-y divide-neutral-500/20">
-                          {envOptions.map((env: Partial<EnvironmentType>) => (
-                            <Listbox.Option key={env.id} value={env} as={Fragment}>
-                              {({ active, selected }) => (
-                                <div
-                                  className={clsx(
-                                    'flex items-center gap-2 p-1 cursor-pointer text-sm rounded-md transition ease text-zinc-900 dark:text-zinc-100',
-                                    active ? ' bg-neutral-100 dark:bg-neutral-700' : ''
-                                  )}
-                                >
-                                  {selected ? (
-                                    <FaCheckCircle className="text-emerald-500" />
-                                  ) : (
-                                    <FaCircle className="text-neutral-500" />
-                                  )}
-                                  <div>{env.name}</div>
-                                </div>
-                              )}
-                            </Listbox.Option>
-                          ))}
+                          {envOptions.map((env: Partial<EnvironmentType>) => {
+                            // Team-granted envs persist even after a
+                            // "save" with them deselected — disable so
+                            // the UI doesn't suggest otherwise.
+                            const sources = env.id ? envGrantSources[env.id] : undefined
+                            const teamOnly = !!sources?.team && !sources?.individual
+                            const inScope = scope.some((s) => s.id === env.id)
+                            const lockedByTeam = teamOnly && inScope
+                            return (
+                              <Listbox.Option
+                                key={env.id}
+                                value={env}
+                                disabled={lockedByTeam}
+                                as={Fragment}
+                              >
+                                {({ active, selected }) => (
+                                  <div
+                                    className={clsx(
+                                      'flex items-center gap-2 p-1 text-sm rounded-md transition ease text-zinc-900 dark:text-zinc-100',
+                                      lockedByTeam
+                                        ? 'cursor-not-allowed'
+                                        : 'cursor-pointer',
+                                      active && !lockedByTeam
+                                        ? ' bg-neutral-100 dark:bg-neutral-700'
+                                        : ''
+                                    )}
+                                    title={
+                                      lockedByTeam
+                                        ? `${env.name} — granted via team. Remove the user from the team to revoke this access.`
+                                        : undefined
+                                    }
+                                  >
+                                    {selected ? (
+                                      <FaCheckCircle
+                                        className={clsx(
+                                          lockedByTeam
+                                            ? 'text-neutral-500'
+                                            : 'text-emerald-500'
+                                        )}
+                                      />
+                                    ) : (
+                                      <FaCircle className="text-neutral-500" />
+                                    )}
+                                    <div
+                                      className={clsx(
+                                        lockedByTeam &&
+                                          'text-neutral-500'
+                                      )}
+                                    >
+                                      {env.name}
+                                    </div>
+                                  </div>
+                                )}
+                              </Listbox.Option>
+                            )
+                          })}
                         </div>
                       </Listbox.Options>
                     </Transition>
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
index e66edd6bf..7f80b2b7d 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
@@ -94,6 +94,30 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
     return map
   }, [teamsData, appId])
 
+  // Map account ID → Set of envIds (in this app) the account already
+  // has access to via team grants. Used to pre-select + lock those
+  // envs in the per-account scope picker.
+  const accountTeamEnvs = useMemo(() => {
+    const map = new Map<string, Set<string>>()
+    if (!teamsData?.teams) return map
+    for (const team of teamsData.teams as TeamType[]) {
+      const teamEnvIds = new Set<string>()
+      for (const ae of team.appEnvironments ?? []) {
+        if (ae?.app?.id === appId && ae?.environment?.id) {
+          teamEnvIds.add(ae.environment.id)
+        }
+      }
+      if (teamEnvIds.size === 0) continue
+      for (const m of team.members || []) {
+        if (!m.serviceAccount) continue
+        const set = map.get(m.serviceAccount.id) ?? new Set<string>()
+        teamEnvIds.forEach((id) => set.add(id))
+        map.set(m.serviceAccount.id, set)
+      }
+    }
+    return map
+  }, [teamsData, appId])
+
   const { data, loading } = useQuery(GetAppServiceAccounts, {
     variables: { appId: appId },
     skip: !userCanReadAppSA,
@@ -169,10 +193,12 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
         (account: ServiceAccountType) => account.id === preselectedAccountId
       )
       if (preselectedAccount) {
+        const teamEnvIds = accountTeamEnvs.get(preselectedAccount.id) ?? new Set<string>()
+        const preScope = envOptions.filter((e) => e.id && teamEnvIds.has(e.id))
         setSelectedAccounts([
           {
             ...preselectedAccount,
-            scope: [],
+            scope: preScope,
           },
         ])
         openModal()
@@ -337,7 +363,17 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
                               'flex items-center justify-between gap-2 p-2 text-sm cursor-pointer transition ease w-full min-w-96',
                               active ? 'bg-neutral-100 dark:bg-neutral-800' : ''
                             )}
-                            onClick={() => setSelectedAccounts([...selectedAccounts, account])}
+                            onClick={() => {
+                              const teamEnvIds =
+                                accountTeamEnvs.get(account.id) ?? new Set<string>()
+                              const preScope = envOptions.filter(
+                                (e) => e.id && teamEnvIds.has(e.id)
+                              )
+                              setSelectedAccounts([
+                                ...selectedAccounts,
+                                { ...account, scope: preScope },
+                              ])
+                            }}
                           >
                             <div className="flex items-center gap-2">
                               <Avatar serviceAccount={account} />
@@ -510,32 +546,61 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
                               leaveTo="opacity-0"
                             >
                               <Listbox.Options className="bg-neutral-200 dark:bg-neutral-800 p-2 rounded-b-md ring-1 ring-inset ring-neutral-500/40 shadow-2xl absolute -my-px z-10 w-full divide-y divide-neutral-500/20">
-                                {envOptions.map((env) => (
-                                  <Listbox.Option key={`${account.id}-${env.id}`} value={env}>
-                                    {({ active, selected }) => (
-                                      <div
-                                        className={clsx(
-                                          'flex items-center gap-2 p-1 cursor-pointer text-sm rounded-md transition ease text-zinc-900 dark:text-zinc-100',
-                                          active ? ' bg-neutral-100 dark:bg-neutral-700' : ''
-                                        )}
-                                      >
-                                        {selected ? (
-                                          <FaCheckCircle className="text-emerald-500" />
-                                        ) : (
-                                          <FaCircle className="text-neutral-500" />
-                                        )}
-                                        <span
+                                {envOptions.map((env) => {
+                                  // Pre-locked: env is already granted to this
+                                  // account via a team. Disable so the user
+                                  // doesn't see deselecting it as meaningful.
+                                  const teamEnvIds =
+                                    accountTeamEnvs.get(account.id) ?? new Set<string>()
+                                  const lockedByTeam = !!env.id && teamEnvIds.has(env.id)
+                                  return (
+                                    <Listbox.Option
+                                      key={`${account.id}-${env.id}`}
+                                      value={env}
+                                      disabled={lockedByTeam}
+                                    >
+                                      {({ active, selected }) => (
+                                        <div
                                           className={clsx(
-                                            'block truncate',
-                                            selected ? 'font-medium' : 'font-normal'
+                                            'flex items-center gap-2 p-1 text-sm rounded-md transition ease text-zinc-900 dark:text-zinc-100',
+                                            lockedByTeam
+                                              ? 'cursor-not-allowed'
+                                              : 'cursor-pointer',
+                                            active && !lockedByTeam
+                                              ? ' bg-neutral-100 dark:bg-neutral-700'
+                                              : ''
                                           )}
+                                          title={
+                                            lockedByTeam
+                                              ? `${env.name} — granted via team. Remove the account from the team to revoke this access.`
+                                              : undefined
+                                          }
                                         >
-                                          {env.name}
-                                        </span>
-                                      </div>
-                                    )}
-                                  </Listbox.Option>
-                                ))}
+                                          {selected ? (
+                                            <FaCheckCircle
+                                              className={clsx(
+                                                lockedByTeam
+                                                  ? 'text-neutral-500'
+                                                  : 'text-emerald-500'
+                                              )}
+                                            />
+                                          ) : (
+                                            <FaCircle className="text-neutral-500" />
+                                          )}
+                                          <span
+                                            className={clsx(
+                                              'block truncate',
+                                              selected ? 'font-medium' : 'font-normal',
+                                              lockedByTeam && 'text-neutral-500'
+                                            )}
+                                          >
+                                            {env.name}
+                                          </span>
+                                        </div>
+                                      )}
+                                    </Listbox.Option>
+                                  )
+                                })}
                               </Listbox.Options>
                             </Transition>
                           </div>
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
index 35ab2989e..f1538014b 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/ManageAccountAccessDialog.tsx
@@ -3,9 +3,15 @@
 import UpdateEnvScope from '@/graphql/mutations/apps/updateEnvScope.gql'
 import { GetAppEnvironments } from '@/graphql/queries/secrets/getAppEnvironments.gql'
 import { GetEnvironmentKey } from '@/graphql/queries/secrets/getEnvironmentKey.gql'
+import { GetMemberEnvKeyGrants } from '@/graphql/queries/access/getMemberEnvKeyGrants.gql'
 import { useLazyQuery, useMutation, useQuery } from '@apollo/client'
 import { Fragment, useContext, useEffect, useMemo, useRef, useState } from 'react'
-import { EnvironmentType, ServiceAccountType, MemberType } from '@/apollo/graphql'
+import {
+  EnvironmentType,
+  ServiceAccountType,
+  MemberType,
+  ApiEnvironmentKeyGrantGrantTypeChoices,
+} from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import { organisationContext } from '@/contexts/organisationContext'
 import { Listbox, Transition } from '@headlessui/react'
@@ -66,6 +72,32 @@ export const ManageAccountAccessDialog = ({
 
   const [getEnvKey] = useLazyQuery(GetEnvironmentKey)
 
+  // Per-env grants so we can colour env names by source.
+  const { data: grantsData } = useQuery(GetMemberEnvKeyGrants, {
+    variables: { appId, memberId: account.id, memberType: MemberType.Service },
+  })
+
+  // env_id -> { individual, team } presence flags. Envs the account
+  // has no grant on are absent — don't conflate "no entry" with "team
+  // only", or unsaved selections render as if team-granted.
+  const envGrantSources = useMemo(() => {
+    const map: Record<string, { individual: boolean; team: boolean }> = {}
+    for (const ek of grantsData?.environmentKeys ?? []) {
+      const envId = ek?.environment?.id
+      if (!envId) continue
+      const grants = ek.grants ?? []
+      map[envId] = {
+        individual: grants.some(
+          (g: any) => g?.grantType === ApiEnvironmentKeyGrantGrantTypeChoices.Individual
+        ),
+        team: grants.some(
+          (g: any) => g?.grantType === ApiEnvironmentKeyGrantGrantTypeChoices.Team
+        ),
+      }
+    }
+    return map
+  }, [grantsData])
+
   const envScope: Array<Record<string, string>> = useMemo(() => {
     return (
       accountEnvScopeData?.appEnvironments.map((env: EnvironmentType) => ({
@@ -188,8 +220,34 @@ export const ManageAccountAccessDialog = ({
   return (
     <>
       <div className="flex items-center gap-2">
-        <span className="text-zinc-900 dark:text-zinc-100 text-2xs font-medium">
-          {envScope.map((env) => env.name).join(' + ')}
+        <span className="text-2xs font-medium">
+          {envScope.map((env, i) => {
+            // Blue (matches the team chip) for envs accessed via team
+            // only; default zinc for direct individual access.
+            const sources = env.id ? envGrantSources[env.id] : undefined
+            const teamOnly = !!sources?.team && !sources?.individual
+            return (
+              <Fragment key={env.id ?? env.name}>
+                <span
+                  className={clsx(
+                    teamOnly
+                      ? 'text-neutral-500'
+                      : 'text-zinc-900 dark:text-zinc-100'
+                  )}
+                  title={
+                    teamOnly
+                      ? `${env.name} — access via team`
+                      : `${env.name} — direct access`
+                  }
+                >
+                  {env.name}
+                </span>
+                {i < envScope.length - 1 && (
+                  <span className="text-neutral-500"> + </span>
+                )}
+              </Fragment>
+            )
+          })}
         </span>
 
         <div className="opacity-0 group-hover:opacity-100 transition ease flex items-center gap-2">
@@ -293,28 +351,65 @@ export const ManageAccountAccessDialog = ({
                         >
                           <Listbox.Options>
                             <div className="bg-neutral-200 dark:bg-neutral-800 p-2 rounded-b-md border border-neutral-500/40 shadow-2xl absolute z-10 -my-px w-full divide-y divide-neutral-500/20">
-                              {envOptions.map((env: Partial<EnvironmentType>) => (
-                                <Listbox.Option key={env.id} value={env} as={Fragment}>
-                                  {({ active, selected }) => (
-                                    <div
-                                      className={clsx(
-                                        'flex items-center gap-2 p-1 cursor-pointer text-sm rounded-sm transition ease',
-                                        active
-                                          ? 'text-zinc-900 dark:text-zinc-100 bg-neutral-100 dark:bg-neutral-700'
-                                          : 'text-zinc-700 dark:text-zinc-300',
-                                        selected && 'text-zinc-900 dark:text-zinc-100'
-                                      )}
-                                    >
-                                      {selected ? (
-                                        <FaCheckCircle className="text-emerald-500" />
-                                      ) : (
-                                        <FaCircle className="text-neutral-500" />
-                                      )}
-                                      <div>{env.name}</div>
-                                    </div>
-                                  )}
-                                </Listbox.Option>
-                              ))}
+                              {envOptions.map((env: Partial<EnvironmentType>) => {
+                                // Team-granted envs persist even after a
+                                // "save" with them deselected — disable so
+                                // the UI doesn't suggest otherwise.
+                                const sources = env.id
+                                  ? envGrantSources[env.id]
+                                  : undefined
+                                const teamOnly = !!sources?.team && !sources?.individual
+                                const inScope = scope.some((s) => s.id === env.id)
+                                const lockedByTeam = teamOnly && inScope
+                                return (
+                                  <Listbox.Option
+                                    key={env.id}
+                                    value={env}
+                                    disabled={lockedByTeam}
+                                    as={Fragment}
+                                  >
+                                    {({ active, selected }) => (
+                                      <div
+                                        className={clsx(
+                                          'flex items-center gap-2 p-1 text-sm rounded-sm transition ease',
+                                          lockedByTeam
+                                            ? 'cursor-not-allowed'
+                                            : 'cursor-pointer',
+                                          active && !lockedByTeam
+                                            ? 'text-zinc-900 dark:text-zinc-100 bg-neutral-100 dark:bg-neutral-700'
+                                            : 'text-zinc-700 dark:text-zinc-300',
+                                          selected && 'text-zinc-900 dark:text-zinc-100'
+                                        )}
+                                        title={
+                                          lockedByTeam
+                                            ? `${env.name} — granted via team. Remove the account from the team to revoke this access.`
+                                            : undefined
+                                        }
+                                      >
+                                        {selected ? (
+                                          <FaCheckCircle
+                                            className={clsx(
+                                              lockedByTeam
+                                                ? 'text-neutral-500'
+                                                : 'text-emerald-500'
+                                            )}
+                                          />
+                                        ) : (
+                                          <FaCircle className="text-neutral-500" />
+                                        )}
+                                        <div
+                                          className={clsx(
+                                            lockedByTeam &&
+                                              'text-neutral-500'
+                                          )}
+                                        >
+                                          {env.name}
+                                        </div>
+                                      </div>
+                                    )}
+                                  </Listbox.Option>
+                                )
+                              })}
                             </div>
                           </Listbox.Options>
                         </Transition>
diff --git a/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql b/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql
index 322d980d6..58ef018c3 100644
--- a/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql
+++ b/frontend/graphql/queries/access/getMemberEnvKeyGrants.gql
@@ -1,5 +1,5 @@
-query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!) {
-  environmentKeys(appId: $appId, memberId: $memberId) {
+query GetMemberEnvKeyGrants($appId: ID!, $memberId: ID!, $memberType: MemberType) {
+  environmentKeys(appId: $appId, memberId: $memberId, memberType: $memberType) {
     id
     environment {
       id

From a89a45d71259e7d0279421fa8c72d976da196427 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Wed, 6 May 2026 16:17:29 +0530
Subject: [PATCH 115/118] fix: guard null org members and service accounts in
 app add dialogs

---
 .../members/_components/AddMemberDialog.tsx   | 22 +++++++++----------
 .../_components/AddAccountDialog.tsx          |  4 ++--
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
index e6ca5f829..ac1f30052 100644
--- a/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/members/_components/AddMemberDialog.tsx
@@ -129,18 +129,16 @@ export const AddMemberDialog = ({ appId }: { appId: string }) => {
   const [selectedMembers, setSelectedMembers] = useState<MemberWithEnvScope[]>([])
 
   const memberOptions = useMemo(() => {
-    return (
-      orgMembersData?.organisationMembers
-        .filter(
-          (orgMember: OrganisationMemberType) =>
-            !data?.appUsers.some((appUser: OrganisationMemberType) => appUser.id === orgMember.id)
-        )
-        .map((member: OrganisationMemberType) => ({
-          ...member,
-          scope: [],
-        }))
-        .filter((m: MemberWithEnvScope) => !selectedMembers.map((sm) => sm.id).includes(m.id)) ?? []
-    )
+    return (orgMembersData?.organisationMembers ?? [])
+      .filter(
+        (orgMember: OrganisationMemberType) =>
+          !data?.appUsers.some((appUser: OrganisationMemberType) => appUser.id === orgMember.id)
+      )
+      .map((member: OrganisationMemberType) => ({
+        ...member,
+        scope: [],
+      }))
+      .filter((m: MemberWithEnvScope) => !selectedMembers.map((sm) => sm.id).includes(m.id))
   }, [orgMembersData, data, selectedMembers])
 
   const [bulkAddMembers] = useMutation(BulkAddMembersToApp)
diff --git a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
index 7f80b2b7d..6f40152ba 100644
--- a/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
+++ b/frontend/app/[team]/apps/[app]/access/service-accounts/_components/AddAccountDialog.tsx
@@ -147,7 +147,7 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
   const [selectedAccounts, setSelectedAccounts] = useState<AccountWithEnvScope[]>([])
 
   const accountOptions =
-    serviceAccountsData?.serviceAccounts
+    (serviceAccountsData?.serviceAccounts ?? [])
       // Team-owned SAs can only be granted app access via their owning team
       .filter((account: ServiceAccountType) => !account.team)
       .filter(
@@ -162,7 +162,7 @@ export const AddAccountDialog = ({ appId }: { appId: string }) => {
       }))
       .filter(
         (acc: AccountWithEnvScope) => !selectedAccounts.map((sacc) => sacc.id).includes(acc.id)
-      ) ?? []
+      )
 
   const accountWithoutScope = selectedAccounts.some((account) => account.scope.length === 0)
 

From 94f7eded79dfda71083e28b65f0b3d70aebd3b3f Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 7 May 2026 15:37:17 +0530
Subject: [PATCH 116/118] fix: gate ServiceAccountType nested resolvers to
 prevent SA token leak

---
 backend/api/utils/access/permissions.py       |  54 ++++++
 .../graphene/mutations/service_accounts.py    |  56 +------
 backend/backend/graphene/types.py             |  20 +++
 .../test_service_account_token_exposure.py    | 156 ++++++++++++++++++
 4 files changed, 231 insertions(+), 55 deletions(-)
 create mode 100644 backend/tests/api/test_service_account_token_exposure.py

diff --git a/backend/api/utils/access/permissions.py b/backend/api/utils/access/permissions.py
index 8df98b68e..ba3de8e40 100644
--- a/backend/api/utils/access/permissions.py
+++ b/backend/api/utils/access/permissions.py
@@ -228,3 +228,57 @@ def role_has_global_access(role):
 
     except Role.DoesNotExist:
         return False  # Role is not valid
+
+
+def _check_sa_permission(user, service_account, action, resource):
+    """Permission check for service account operations.
+
+    Org-level SAs use the standard org permission. Team-owned SAs
+    require team membership (or team-owner / global-access) AND the
+    resource permission on the effective role (team `member_role`
+    override → org role). Raises GraphQLError on denial.
+    """
+    from graphql import GraphQLError
+
+    OrganisationMember = apps.get_model("api", "OrganisationMember")
+    TeamMembership = apps.get_model("api", "TeamMembership")
+
+    org = service_account.organisation
+
+    if service_account.team is None:
+        if not user_has_permission(user, action, resource, org):
+            raise GraphQLError(
+                f"You don't have the permissions required to {action} "
+                f"{resource} in this organisation"
+            )
+        return
+
+    try:
+        org_member = OrganisationMember.objects.get(
+            user=user, organisation=org, deleted_at=None
+        )
+    except OrganisationMember.DoesNotExist:
+        raise GraphQLError("You don't have access to this Service Account")
+
+    if role_has_global_access(org_member.role):
+        return
+
+    if (
+        service_account.team.owner_id is not None
+        and service_account.team.owner_id == org_member.id
+    ):
+        return
+
+    if not TeamMembership.objects.filter(
+        team=service_account.team,
+        org_member=org_member,
+        team__deleted_at__isnull=True,
+    ).exists():
+        raise GraphQLError("You don't have access to this Service Account")
+
+    effective_role = service_account.team.member_role or org_member.role
+
+    if not role_has_permission(effective_role, action, resource):
+        raise GraphQLError(
+            f"You don't have the permissions required to {action} {resource}"
+        )
diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index e8c06ec92..909b4c9fa 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -16,6 +16,7 @@
 )
 from api.utils.keys import provision_team_environment_keys
 from api.utils.access.permissions import (
+    _check_sa_permission,
     role_has_global_access,
     role_has_permission,
     user_has_permission,
@@ -26,61 +27,6 @@
 from django.conf import settings
 
 
-def _check_sa_permission(user, service_account, action, resource):
-    """
-    Unified permission check for service account operations.
-
-    For team-owned SAs, resolves the effective role using the team's member_role override:
-    - Team owner → always allowed
-    - Global access (Owner/Admin) → always allowed
-    - Team member → uses team member_role if set, else falls back to org role
-    - Non-team member → denied
-
-    For org-level SAs: uses standard org permission check.
-    """
-    org = service_account.organisation
-
-    if service_account.team is None:
-        # Org-level SA: standard permission check
-        if not user_has_permission(user, action, resource, org):
-            raise GraphQLError(
-                f"You don't have the permissions required to {action} {resource} in this organisation"
-            )
-        return
-
-    # Team-owned SA
-    try:
-        org_member = OrganisationMember.objects.get(
-            user=user, organisation=org, deleted_at=None
-        )
-    except OrganisationMember.DoesNotExist:
-        raise GraphQLError("You don't have access to this Service Account")
-
-    # Global access users (Owner/Admin) always allowed
-    if role_has_global_access(org_member.role):
-        return
-
-    # Team owner always allowed
-    if service_account.team.owner_id is not None and service_account.team.owner_id == org_member.id:
-        return
-
-    # Check team membership
-    if not TeamMembership.objects.filter(
-        team=service_account.team,
-        org_member=org_member,
-        team__deleted_at__isnull=True,
-    ).exists():
-        raise GraphQLError("You don't have access to this Service Account")
-
-    # Resolve effective role: team member_role if set, else org role
-    effective_role = service_account.team.member_role or org_member.role
-
-    if not role_has_permission(effective_role, action, resource):
-        raise GraphQLError(
-            f"You don't have the permissions required to {action} {resource}"
-        )
-
-
 class ServiceAccountHandlerInput(graphene.InputObjectType):
     service_account_id = graphene.ID(required=False)
     member_id = graphene.ID(required=False)
diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index c26d6ab25..4f81c29d2 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -813,9 +813,29 @@ def resolve_server_side_key_management_enabled(self, info):
         )
 
     def resolve_handlers(self, info):
+        # Gate so non-team-members can't enumerate team-owned SA
+        # handlers via teams.members.serviceAccount.
+        from api.utils.access.permissions import _check_sa_permission
+        try:
+            _check_sa_permission(
+                info.context.user, self, "read", "ServiceAccounts"
+            )
+        except GraphQLError:
+            return []
         return ServiceAccountHandler.objects.filter(service_account=self)
 
     def resolve_tokens(self, info):
+        # Gate raw token / wrapped_key_share / identity_key — exposed
+        # via fields="__all__" on ServiceAccountTokenType. Without this
+        # check, any user with Teams.read can harvest team-owned SA
+        # credentials cross-team.
+        from api.utils.access.permissions import _check_sa_permission
+        try:
+            _check_sa_permission(
+                info.context.user, self, "read", "ServiceAccountTokens"
+            )
+        except GraphQLError:
+            return []
         return ServiceAccountToken.objects.filter(service_account=self, deleted_at=None)
 
     def resolve_app_memberships(self, info):
diff --git a/backend/tests/api/test_service_account_token_exposure.py b/backend/tests/api/test_service_account_token_exposure.py
new file mode 100644
index 000000000..4dea3417a
--- /dev/null
+++ b/backend/tests/api/test_service_account_token_exposure.py
@@ -0,0 +1,156 @@
+"""Tests for the gating on ServiceAccountType nested resolvers.
+
+A reviewer found that any user with `Teams.read` could harvest team-
+owned service-account tokens (raw token + wrapped_key_share +
+identity_key) cross-team via:
+
+    teams.members.serviceAccount.tokens
+
+The fix gates `ServiceAccountType.resolve_tokens` and `resolve_handlers`
+through `_check_sa_permission`, returning [] when the caller can't
+access the SA. These tests pin that behaviour at the resolver level,
+mocking the underlying permission check so we exercise the resolver's
+contract (returns [] vs returns rows) without standing up a full DB.
+"""
+
+from unittest.mock import MagicMock, patch
+
+from graphql import GraphQLError
+
+
+def _info(user):
+    info = MagicMock()
+    info.context.user = user
+    return info
+
+
+def _make_sa(team=None):
+    sa = MagicMock()
+    sa.team = team
+    sa.organisation = MagicMock()
+    return sa
+
+
+@patch("backend.graphene.types.ServiceAccountToken")
+@patch("api.utils.access.permissions._check_sa_permission")
+def test_resolve_tokens_returns_empty_when_caller_lacks_access(
+    mock_check, mock_token_cls
+):
+    """Manager without team access → tokens resolver returns []. The
+    main P0 vector — caller can reach the SA through teams.members but
+    must not see the underlying token rows."""
+    from backend.graphene.types import ServiceAccountType
+
+    mock_check.side_effect = GraphQLError("denied")
+
+    sa = _make_sa(team=MagicMock(id="team-1"))
+    user = MagicMock()
+    user.userId = "u1"
+
+    result = ServiceAccountType.resolve_tokens(sa, _info(user))
+
+    assert result == []
+    mock_token_cls.objects.filter.assert_not_called()
+
+
+@patch("backend.graphene.types.ServiceAccountToken")
+@patch("api.utils.access.permissions._check_sa_permission")
+def test_resolve_tokens_returns_rows_when_authorised(
+    mock_check, mock_token_cls
+):
+    """Owner / team-member with the right permission → tokens are
+    returned. Mocked check passes through (no exception)."""
+    from backend.graphene.types import ServiceAccountType
+
+    mock_check.return_value = None  # no exception → permitted
+
+    sa = _make_sa(team=MagicMock(id="team-1"))
+    user = MagicMock()
+    user.userId = "u1"
+
+    expected_qs = MagicMock()
+    mock_token_cls.objects.filter.return_value = expected_qs
+
+    result = ServiceAccountType.resolve_tokens(sa, _info(user))
+
+    mock_token_cls.objects.filter.assert_called_once_with(
+        service_account=sa, deleted_at=None
+    )
+    assert result is expected_qs
+    # Confirm we actually invoked the gate with the right resource —
+    # this is the difference between a token-leak and a metadata leak.
+    args, _kwargs = mock_check.call_args
+    assert args[2] == "read"
+    assert args[3] == "ServiceAccountTokens"
+
+
+@patch("backend.graphene.types.ServiceAccountHandler")
+@patch("api.utils.access.permissions._check_sa_permission")
+def test_resolve_handlers_returns_empty_when_caller_lacks_access(
+    mock_check, mock_handler_cls
+):
+    """Same shape leak via `handlers` (exposes wrapped_keyring /
+    wrapped_recovery via fields=__all__). Gate must reject the same
+    way."""
+    from backend.graphene.types import ServiceAccountType
+
+    mock_check.side_effect = GraphQLError("denied")
+
+    sa = _make_sa(team=MagicMock(id="team-1"))
+    user = MagicMock()
+    user.userId = "u1"
+
+    result = ServiceAccountType.resolve_handlers(sa, _info(user))
+
+    assert result == []
+    mock_handler_cls.objects.filter.assert_not_called()
+
+
+@patch("backend.graphene.types.ServiceAccountHandler")
+@patch("api.utils.access.permissions._check_sa_permission")
+def test_resolve_handlers_uses_serviceaccounts_resource(
+    mock_check, mock_handler_cls
+):
+    """Handlers gate on `ServiceAccounts.read` (managing the SA itself),
+    not `ServiceAccountTokens.read`. Pins the resource string so a
+    future refactor can't silently weaken the check."""
+    from backend.graphene.types import ServiceAccountType
+
+    mock_check.return_value = None
+
+    sa = _make_sa(team=MagicMock(id="team-1"))
+    user = MagicMock()
+    user.userId = "u1"
+
+    ServiceAccountType.resolve_handlers(sa, _info(user))
+
+    args, _kwargs = mock_check.call_args
+    assert args[2] == "read"
+    assert args[3] == "ServiceAccounts"
+
+
+@patch("backend.graphene.types.ServiceAccountToken")
+def test_resolve_tokens_uses_real_permission_path_for_org_level_sa(
+    mock_token_cls,
+):
+    """End-to-end-ish: for an org-level (non-team) SA, the gate falls
+    through to `user_has_permission` on the org. A user with no
+    `ServiceAccountTokens.read` permission gets [].
+
+    Exercises the real `_check_sa_permission` (no patch) so we confirm
+    the relocation to api.utils.access.permissions didn't break
+    behaviour for the org-level path."""
+    from backend.graphene.types import ServiceAccountType
+
+    sa = _make_sa(team=None)
+    sa.organisation = MagicMock()
+    user = MagicMock()
+    user.userId = "u1"
+
+    with patch(
+        "api.utils.access.permissions.user_has_permission", return_value=False
+    ):
+        result = ServiceAccountType.resolve_tokens(sa, _info(user))
+
+    assert result == []
+    mock_token_cls.objects.filter.assert_not_called()

From 93e15a1d8cfa61a969693c9d281e465ac5584c22 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 7 May 2026 15:37:23 +0530
Subject: [PATCH 117/118] fix: render empty-state when service account is
 inaccessible

---
 .../graphene/queries/service_accounts.py      | 54 ++++++++++---------
 .../service-accounts/[account]/page.tsx       |  2 +-
 2 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/backend/backend/graphene/queries/service_accounts.py b/backend/backend/graphene/queries/service_accounts.py
index ba7466915..f5ea3b050 100644
--- a/backend/backend/graphene/queries/service_accounts.py
+++ b/backend/backend/graphene/queries/service_accounts.py
@@ -37,34 +37,38 @@ def resolve_service_accounts(root, info, org_id, service_account_id=None):
         except OrganisationMember.DoesNotExist:
             pass
 
-    if has_org_permission or has_team_access:
-        filter = {"organisation": org, "deleted_at": None}
+    if not (has_org_permission or has_team_access):
+        # No org-level perm and no team-based access — empty queryset
+        # (not None) so the GraphQL field returns [] rather than null.
+        return ServiceAccount.objects.none()
 
-        if service_account_id is not None:
-            filter["id"] = service_account_id
+    filter = {"organisation": org, "deleted_at": None}
 
-        qs = ServiceAccount.objects.filter(**filter)
+    if service_account_id is not None:
+        filter["id"] = service_account_id
 
-        # Non-global-access users: scope to org-level SAs + SAs in their teams
-        org_member = OrganisationMember.objects.get(
-            user=info.context.user, organisation=org, deleted_at=None
-        )
-        if not role_has_global_access(org_member.role):
-            user_team_ids = TeamMembership.objects.filter(
-                org_member=org_member,
-                team__deleted_at__isnull=True,
-            ).values_list("team_id", flat=True)
-            if has_org_permission:
-                # Org permission: see org-level + team-scoped SAs in user's teams
-                qs = qs.filter(Q(team__isnull=True) | Q(team_id__in=user_team_ids))
-            else:
-                # Team access only: only see SAs that are in shared teams
-                qs = qs.filter(
-                    Q(team_id__in=user_team_ids) |
-                    Q(team_memberships__team_id__in=user_team_ids)
-                ).distinct()
-
-        return qs
+    qs = ServiceAccount.objects.filter(**filter)
+
+    # Non-global-access users: scope to org-level SAs + SAs in their teams
+    org_member = OrganisationMember.objects.get(
+        user=info.context.user, organisation=org, deleted_at=None
+    )
+    if not role_has_global_access(org_member.role):
+        user_team_ids = TeamMembership.objects.filter(
+            org_member=org_member,
+            team__deleted_at__isnull=True,
+        ).values_list("team_id", flat=True)
+        if has_org_permission:
+            # Org permission: see org-level + team-scoped SAs in user's teams
+            qs = qs.filter(Q(team__isnull=True) | Q(team_id__in=user_team_ids))
+        else:
+            # Team access only: only see SAs that are in shared teams
+            qs = qs.filter(
+                Q(team_id__in=user_team_ids) |
+                Q(team_memberships__team_id__in=user_team_ids)
+            ).distinct()
+
+    return qs
 
 
 def resolve_service_account_handlers(root, info, org_id):
diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index fccf0142c..b560e0fca 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -69,7 +69,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
 
   const [updateAccount] = useMutation(UpdateServiceAccountOp)
 
-  const account: ServiceAccountType = data?.serviceAccounts[0]
+  const account: ServiceAccountType | undefined = data?.serviceAccounts?.[0]
   const isTeamOwned = !!account?.team
 
   // Team membership and ownership (from SA query's team data — no GetTeams dependency)

From 64ffb857c5c6fbb067d30db4136037213cee14bb Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 7 May 2026 15:58:24 +0530
Subject: [PATCH 118/118] fix: add null account check

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/app/[team]/access/service-accounts/[account]/page.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index b560e0fca..e4d6d2eeb 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -113,6 +113,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
   const nameUpdated = account ? account.name !== name : false
 
   const updateName = async () => {
+    if (!account) return
     if (!effectiveCanUpdateSA) {
       toast.error("You don't have the permissions required to update Service Accounts")
     }
@@ -133,7 +134,7 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
     toast.success('Updated account name!')
   }
 
-  const resetName = () => setName(account.name)
+  const resetName = () => account && setName(account.name)
 
   useEffect(() => {
     if (account) setName(account.name)