feat: cross-project secret sharing

backend-go/internal/config/config.go

@@ -199,6 +199,9 @@ type Config struct {
 	SecretScanningOrgWhitelist  string
 	SecretScanningGitAppSlug    string
 
+	// Cross-project secret sharing
+	CrossProjectSecretSharing string
+
 	// License
 	LicenseServerURL  string
 	LicenseServerKey  string
@@ -562,6 +565,9 @@ func LoadConfig() (*Config, error) {
 		Optional(&cfg.SecretScanningOrgWhitelist, "SECRET_SCANNING_ORG_WHITELIST", "").
 		Optional(&cfg.SecretScanningGitAppSlug, "SECRET_SCANNING_GIT_APP_SLUG", "infisical-radar").
 
+		// Cross-project secret sharing
+		Optional(&cfg.CrossProjectSecretSharing, "CROSS_PROJECT_SECRET_SHARING_ORG_WHITELIST", "").
+
 		// License
 		Optional(&cfg.LicenseServerURL, "LICENSE_SERVER_URL", "https://portal.infisical.com").
 		Optional(&cfg.LicenseServerKey, "LICENSE_SERVER_KEY", "").

backend/src/@types/fastify.d.ts

@@ -155,6 +155,7 @@ import { TPkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-tem
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
+import { TProjectGrantServiceFactory } from "@app/services/project-grant/project-grant-service";
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
@@ -305,6 +306,7 @@ declare module "fastify" {
       secretTag: TSecretTagServiceFactory;
       secretValidationRule: TSecretValidationRuleServiceFactory;
       secretImport: TSecretImportServiceFactory;
+      projectGrant: TProjectGrantServiceFactory;
       projectBot: TProjectBotServiceFactory;
       folder: TSecretFolderServiceFactory;
       integration: TIntegrationServiceFactory;

backend/src/@types/knex.d.ts

@@ -449,6 +449,9 @@ import {
   TProjectEnvironments,
   TProjectEnvironmentsInsert,
   TProjectEnvironmentsUpdate,
+  TProjectFolderGrants,
+  TProjectFolderGrantsInsert,
+  TProjectFolderGrantsUpdate,
   TProjectGateways,
   TProjectGatewaysInsert,
   TProjectGatewaysUpdate,
@@ -1179,6 +1182,11 @@ declare module "knex/types/tables" {
       TSecretImportsInsert,
       TSecretImportsUpdate
     >;
+    [TableName.ProjectFolderGrant]: KnexOriginal.CompositeTableType<
+      TProjectFolderGrants,
+      TProjectFolderGrantsInsert,
+      TProjectFolderGrantsUpdate
+    >;
     [TableName.Integration]: KnexOriginal.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
     [TableName.Webhook]: KnexOriginal.CompositeTableType<TWebhooks, TWebhooksInsert, TWebhooksUpdate>;
     [TableName.ServiceToken]: KnexOriginal.CompositeTableType<

backend/src/db/migrations/20260624195421_project-folder-grants.ts

@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ProjectFolderGrant))) {
+    await knex.schema.createTable(TableName.ProjectFolderGrant, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("sourceProjectId").notNullable();
+      t.foreign("sourceProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("sourceFolderId").notNullable();
+      t.foreign("sourceFolderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.string("targetProjectId").notNullable();
+      t.foreign("targetProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index(["sourceProjectId"]);
+      t.index(["sourceFolderId"]);
+      t.index(["targetProjectId"]);
+      t.unique(["sourceProjectId", "sourceFolderId", "targetProjectId"]);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.ProjectFolderGrant);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.ProjectFolderGrant);
+  await knex.schema.dropTableIfExists(TableName.ProjectFolderGrant);
+}

backend/src/db/migrations/20260625000000_allow-cross-project-secret-sharing.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.Organization, "allowCrossProjectSecretSharing");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.Organization, (table) => {
+      table.boolean("allowCrossProjectSecretSharing").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.Organization, "allowCrossProjectSecretSharing");
+  if (hasColumn) {
+    await knex.schema.table(TableName.Organization, (table) => {
+      table.dropColumn("allowCrossProjectSecretSharing");
+    });
+  }
+}

backend/src/db/schemas/index.ts

@@ -179,6 +179,7 @@ export * from "./pki-syncs";
 export * from "./project-access-requests";
 export * from "./project-bots";
 export * from "./project-environments";
+export * from "./project-folder-grants";
 export * from "./project-gateways";
 export * from "./project-keys";
 export * from "./project-memberships";

backend/src/db/schemas/models.ts

@@ -85,6 +85,7 @@ export enum TableName {
   SecretFolder = "secret_folders",
   SecretFolderVersion = "secret_folder_versions",
   SecretImport = "secret_imports",
+  ProjectFolderGrant = "project_folder_grants",
   Snapshot = "secret_snapshots",
   SnapshotSecret = "secret_snapshot_secrets",
   SnapshotFolder = "secret_snapshot_folders",

backend/src/db/schemas/organizations.ts

@@ -42,6 +42,7 @@ export const OrganizationsSchema = z.object({
   parentOrgId: z.string().uuid().nullable().optional(),
   rootOrgId: z.string().uuid().nullable().optional(),
   blockDuplicateSecretSyncDestinations: z.boolean().default(false),
+  allowCrossProjectSecretSharing: z.boolean().default(false),
   secretShareBrandConfig: z.unknown().nullable().optional(),
   defaultCertManagerProjectId: z.string().nullable().optional()
 });

backend/src/db/schemas/project-folder-grants.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectFolderGrantsSchema = z.object({
+  id: z.string().uuid(),
+  sourceProjectId: z.string(),
+  sourceFolderId: z.string().uuid(),
+  targetProjectId: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectFolderGrants = z.infer<typeof ProjectFolderGrantsSchema>;
+export type TProjectFolderGrantsInsert = Omit<z.input<typeof ProjectFolderGrantsSchema>, TImmutableDBKeys>;
+export type TProjectFolderGrantsUpdate = Partial<Omit<z.input<typeof ProjectFolderGrantsSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/v1/project-role-router.ts

@@ -4,14 +4,15 @@ import { z } from "zod";
 import { AccessScope, ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
-import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionSub, ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { canUseCrossProjectSecretSharing } from "@app/services/project-grant/project-grant-fns";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
@@ -54,7 +55,12 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const stringifiedPermissions = JSON.stringify(packRules(req.body.permissions));
+      const isCrossProjectEnabled = canUseCrossProjectSecretSharing(req.permission.orgId);
+      const permissions = isCrossProjectEnabled
+        ? req.body.permissions
+        : req.body.permissions.filter((p) => p.subject !== ProjectPermissionSub.ProjectGrant);
+
+      const stringifiedPermissions = JSON.stringify(packRules(permissions));
 
       const role = await server.services.role.createRole({
         permission: req.permission,
@@ -143,7 +149,12 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const stringifiedPermissions = req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined;
+      const isCrossProjectEnabled = canUseCrossProjectSecretSharing(req.permission.orgId);
+      const filteredPermissions = req.body.permissions
+        ? req.body.permissions.filter((p) => isCrossProjectEnabled || p.subject !== ProjectPermissionSub.ProjectGrant)
+        : undefined;
+
+      const stringifiedPermissions = filteredPermissions ? JSON.stringify(packRules(filteredPermissions)) : undefined;
       const role = await server.services.role.updateRole({
         permission: req.permission,
         scopeData: {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -930,7 +930,11 @@ export enum EventType {
   CREATE_HONEY_TOKEN = "create-honey-token",
   UPDATE_HONEY_TOKEN = "update-honey-token",
   REVOKE_HONEY_TOKEN = "revoke-honey-token",
-  TRIGGER_HONEY_TOKEN = "trigger-honey-token"
+  TRIGGER_HONEY_TOKEN = "trigger-honey-token",
+
+  // Project Grants
+  CREATE_PROJECT_GRANT = "create-project-grant",
+  DELETE_PROJECT_GRANT = "delete-project-grant"
 }
 
 // Maps each actor type to the JSONB key that holds the actor's primary ID in actorMetadata.
@@ -7502,6 +7506,26 @@ interface TriggerHoneyTokenEvent {
   };
 }
 
+interface CreateProjectGrantEvent {
+  type: EventType.CREATE_PROJECT_GRANT;
+  metadata: {
+    grantId: string;
+    sourceProjectId: string;
+    targetProjectId: string;
+    environment: string;
+    secretPath: string;
+  };
+}
+
+interface DeleteProjectGrantEvent {
+  type: EventType.DELETE_PROJECT_GRANT;
+  metadata: {
+    grantId: string;
+    sourceProjectId: string;
+    targetProjectId: string;
+  };
+}
+
 export type Event =
   | CreateSubOrganizationEvent
   | UpdateSubOrganizationEvent
@@ -8179,4 +8203,6 @@ export type Event =
   | RemoveIdentityFromGroupEvent
   | AddGroupToProjectEvent
   | UpdateGroupProjectMembershipEvent
-  | RemoveGroupFromProjectEvent;
+  | RemoveGroupFromProjectEvent
+  | CreateProjectGrantEvent
+  | DeleteProjectGrantEvent;

backend/src/ee/services/permission/default-roles.ts

@@ -33,6 +33,7 @@ import {
   ProjectPermissionPkiSubscriberActions,
   ProjectPermissionPkiSyncActions,
   ProjectPermissionPkiTemplateActions,
+  ProjectPermissionProjectGrantActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSecretApprovalRequestActions,
   ProjectPermissionSecretEventActions,
@@ -496,6 +497,11 @@ const buildAdminPermissionRules = () => {
 
   can([ProjectPermissionSecretApprovalRequestActions.Read], ProjectPermissionSub.SecretApprovalRequest);
 
+  can(
+    [ProjectPermissionProjectGrantActions.CreateGrant, ProjectPermissionProjectGrantActions.RevokeGrant],
+    ProjectPermissionSub.ProjectGrant
+  );
+
   can([ProjectPermissionInsightsActions.Read], ProjectPermissionSub.Insights);
 
   return rules;

backend/src/ee/services/permission/project-permission.ts

@@ -330,6 +330,11 @@ export enum ProjectPermissionApprovalRequestGrantActions {
   Revoke = "revoke"
 }
 
+export enum ProjectPermissionProjectGrantActions {
+  CreateGrant = "create-grant",
+  RevokeGrant = "revoke-grant"
+}
+
 export enum ProjectPermissionSecretApprovalRequestActions {
   Read = "read"
 }
@@ -399,6 +404,7 @@ export enum ProjectPermissionSub {
   Application = "certificate-application",
   ApprovalRequests = "approval-requests",
   ApprovalRequestGrants = "approval-request-grants",
+  ProjectGrant = "project-grant",
   McpEndpoints = "mcp-endpoints",
   McpServers = "mcp-servers",
   McpActivityLogs = "mcp-activity-logs",
@@ -576,6 +582,11 @@ export type HoneyTokenSubjectFields = {
   secretPath: string;
 };
 
+export type ProjectGrantSubjectFields = {
+  environment: string;
+  secretPath: string;
+};
+
 export type PamAccountSubjectFields = {
   resourceName?: string;
   resourceType?: string;
@@ -776,7 +787,11 @@ export type ProjectPermissionSet =
   | [ProjectPermissionApprovalRequestActions, ProjectPermissionSub.ApprovalRequests]
   | [ProjectPermissionApprovalRequestGrantActions, ProjectPermissionSub.ApprovalRequestGrants]
   | [ProjectPermissionSecretApprovalRequestActions, ProjectPermissionSub.SecretApprovalRequest]
-  | [ProjectPermissionInsightsActions, ProjectPermissionSub.Insights];
+  | [ProjectPermissionInsightsActions, ProjectPermissionSub.Insights]
+  | [
+      ProjectPermissionProjectGrantActions,
+      ProjectPermissionSub.ProjectGrant | (ForcedSubject<ProjectPermissionSub.ProjectGrant> & ProjectGrantSubjectFields)
+    ];
 
 const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
 const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
@@ -974,6 +989,23 @@ const HoneyTokenConditionSchema = z
   })
   .partial();
 
+const ProjectGrantConditionSchema = z
+  .object({
+    environment: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
+        })
+        .partial()
+    ]),
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA
+  })
+  .partial();
+
 const CommitsConditionSchema = z
   .object({
     environment: z.union([
@@ -1961,6 +1993,16 @@ const GeneralPermissionSchema = [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretApprovalRequestActions).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.ProjectGrant).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionProjectGrantActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: ProjectGrantConditionSchema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
   })
 ];
 

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -1,4 +1,4 @@
 import { SecretType, TSecrets, TSecretsV2 } from "@app/db/schemas";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
@@ -26,6 +26,7 @@
 import { ReservedFolders } from "@app/services/secret-folder/secret-folder-types";
 import { TSecretImportDALFactory } from "@app/services/secret-import/secret-import-dal";
 import { fnSecretsFromImports, fnSecretsV2FromImports } from "@app/services/secret-import/secret-import-fns";
+import { TProjectGrantDALFactory } from "@app/services/project-grant/project-grant-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { getAllSecretReferences } from "@app/services/secret-v2-bridge/secret-reference-fns";
 import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
@@ -90,6 +91,7 @@
   projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
   folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
+  projectGrantDAL: Pick<TProjectGrantDALFactory, "find">;
 };
 
 export type TSecretReplicationServiceFactory = ReturnType<typeof secretReplicationServiceFactory>;
@@ -137,6 +139,7 @@
   secretV2BridgeDAL,
   kmsService,
   folderCommitService,
+  projectGrantDAL,
   resourceMetadataDAL
 }: TSecretReplicationServiceFactoryDep) => {
   const $getReplicatedSecrets = (
@@ -229,21 +232,21 @@
     const nonReplicatedDestinationImports = destinationSecretImports.filter(({ isReplication }) => !isReplication);
     if (nonReplicatedDestinationImports.length) {
       // keep calling sync secret for all the imports made
       const importedFolderIds = unique(nonReplicatedDestinationImports, (i) => i.folderId).map(
         ({ folderId }) => folderId
       );
       const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
       const foldersGroupedById = groupBy(importedFolders.filter(Boolean), (i) => i?.id as string);
       await Promise.all(
         nonReplicatedDestinationImports
           .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0]?.path as string))
           // filter out already synced ones
           .filter(
             ({ folderId }) =>
               !deDupeQueue?.[
                 uniqueSecretQueueKey(
                   foldersGroupedById[folderId][0]?.environmentSlug as string,
                   foldersGroupedById[folderId][0]?.path as string
                 )
               ]
           )
@@ -251,9 +254,9 @@
             secretQueueService.replicateSecrets({
               projectId,
               orgId,
               secretPath: foldersGroupedById[folderId][0]?.path as string,
               environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
               environmentName: foldersGroupedById[folderId][0]?.environmentName as string,
               actorId,
               actor,
               _depth: depth + 1,
@@ -288,7 +291,16 @@
         secretImportDAL,
         decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : ""),
         viewSecretValue: true,
-        hasSecretAccess: () => true
+        hasSecretAccess: () => true,
+        projectId,
+        projectGrantDAL,
+        getProjectDecryptor: async (sourceProjectId: string) => {
+          const { decryptor: sourceDecryptor } = await kmsService.createCipherPairWithDataKey({
+            type: KmsDataKey.SecretManager,
+            projectId: sourceProjectId
+          });
+          return (value) => (value ? sourceDecryptor({ cipherTextBlob: value }).toString() : "");
+        }
       });
       // secrets that gets replicated across imports
       const sourceDecryptedLocalSecrets = sourceLocalSecrets.map((el) => ({